Bugtraq mailing list archives
Re: "Strip Script Tags" in FW-1 can be circumvented
From: arne.vidstrom () NTSECURITY NU (Arne Vidstrom)
Date: Tue, 1 Feb 2000 19:19:25 +0100
The reason to strip script tags would be to protect users from hostile code which the browsers can't handle themselves. Adding this feature to a firewall at all, but not making it work properly in all cases (probably a hopeless task anyway...) makes a false sense of security, which often is worse than no security at all. /Arne Vidstrom http://ntsecurity.nu
To: BugTraq Subject: Re: "Strip Script Tags" in FW-1 can be circumvented Date: Mon Jan 31 2000 00:28:29 Author: Jonah Kowall I don't consider this a bug in FW-1, but a bug in the products navigator, and internet explorer. These tags shouldn't be parsed, because they are malformed. The firewall is stripping tags properly, but since these tags are malformed you can't expect the firewall to be able to recognize them as valid tags.
Current thread:
- Re: "Strip Script Tags" in FW-1 can be circumvented Jonah Kowall (Jan 31)
- Re: "Strip Script Tags" in FW-1 can be circumvented sporty o'one (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented James Lin (Feb 01)
- Administrivia Elias Levy (Feb 03)
- <Possible follow-ups>
- Re: "Strip Script Tags" in FW-1 can be circumvented Bjørnar B. Larsen (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented Bret Piatt (Feb 02)
- Re: "Strip Script Tags" in FW-1 can be circumvented Miles Sabin (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented Losinski, Robert (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented Arne Vidstrom (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented Jonah Kowall (Feb 02)