Bugtraq mailing list archives
Re: "Strip Script Tags" in FW-1 can be circumvented
From: Robert_Losinski () DPSK12 ORG (Losinski, Robert)
Date: Tue, 1 Feb 2000 11:11:49 -0700
As a former SGML Analyst with years of experience dealing with bad markup, I disagree. The firewall should always strip the <SCRIPT> tags and all text parsed in between. Web Browsers are designed to be as flexible and loose as possible to compensate for all the "hand coded" webpages around. That is why they ignore the unclosed "<" before the <SCRIPT> tag. FW-1 on the other hand is designed around strict security concerns by enforcing rigid rule sets. It should always parse out and remove <SCRIPT> tags when that rule is activated regardless of surrounding text. Obviously their parser is not capable of ignoring an unclosed "<" when it encounters the <SCRIPT> tag.

-----Original Message-----
From: Jonah Kowall [mailto:jkowall () CINTERACTIVE COM]
Sent: Monday, January 31, 2000 12:28 PM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: Re: "Strip Script Tags" in FW-1 can be circumvented

I don't consider this a bug in FW-1, but a bug in the products navigator, and internet explorer. These tags shouldn't be parsed, because they are malformed. The firewall is stripping tags properly, but since these tags are malformed you can't expect the firewall to be able to recognize them as valid tags.

-----Original Message-----
From: Arne Vidstrom [mailto:arne.vidstrom () NTSECURITY NU]
Sent: Saturday, January 29, 2000 8:52 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: "Strip Script Tags" in FW-1 can be circumvented

Hi all,

The "Strip Script Tags" in FW-1 can be circumvented by adding an extra < before the <SCRIPT> tag like in this code:

    <HTML>
    <HEAD>
    <<SCRIPT LANGUAGE="JavaScript">
    alert("hello world")
    </SCRIPT>
    </HEAD>
    <BODY>
    test
    </BODY>
    </HTML>

This code will pass unchanged, and still execute in both Navigator and Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm not able to check it on version 4.0 since I don't have access to it.

/Arne Vidstrom
http://ntsecurity.nu
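
Added example, not part of the original thread and not FW-1 code: the parser mismatch discussed above, with a strict tag tokenizer beside a filter that removes script blocks regardless of the text in front of them. `strict_strip` is a hypothetical model of a strict filter (how FW-1 actually parses is not stated in the thread), `tolerant_strip` is one possible hardened form, and `SAMPLE` is the markup from the report.

```python
import re

# Sample input: the markup quoted in the original report, on one line.
SAMPLE = ('<HTML> <HEAD> <<SCRIPT LANGUAGE="JavaScript"> alert("hello world") '
          '</SCRIPT> </HEAD> <BODY> test </BODY> </HTML>')

def strict_strip(html):
    """Hypothetical strict filter (assumption, not FW-1's real parser):
    everything from '<' to the next '>' is one tag, and content is dropped
    only when that tag's name is exactly SCRIPT."""
    out, pos, skipping = [], 0, False
    for m in re.finditer(r'<([^>]*)>', html):
        parts = m.group(1).split()
        name = parts[0].upper() if parts else ''
        if not skipping:
            out.append(html[pos:m.start()])   # text before this tag
            if name == 'SCRIPT':
                skipping = True               # drop the tag and what follows
            else:
                out.append(m.group(0))        # '<<SCRIPT ...>' lands here
        elif name == '/SCRIPT':
            skipping = False
        pos = m.end()
    if not skipping:
        out.append(html[pos:])
    return ''.join(out)

# Hardened form: find '<script' anywhere, whatever precedes it, and remove
# through the closing tag. An unclosed block is removed to end of input, so
# the filter fails closed instead of passing the script through.
SCRIPT_RE = re.compile(r'<script\b.*?(?:</script\b[^>]*>|\Z)', re.I | re.S)

def tolerant_strip(html):
    return SCRIPT_RE.sub('', html)

if __name__ == '__main__':
    print('strict  :', strict_strip(SAMPLE))
    print('tolerant:', tolerant_strip(SAMPLE))
```

The strict model reads `<<SCRIPT ...>` as a single tag named `<SCRIPT`, so nothing matches and the page passes unchanged, while a lenient browser discards the stray `<` and runs the script.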