Re: "Strip Script Tags" in FW-1 can be circumvented

[sporty () SPORTY ORG (sporty o'one)]

considering how loose type the language is, and how much error correction
is needed in html browsers, it is more of a firewall problem.  Using a
string dtd for html for most people would fail miserably right off the
bat.

Besides, parsing for <.?*> recursively isn't the most intensive task in
world.  Proof: any web browser does it...

On Mon, 31 Jan 2000, Jonah Kowall wrote:

>       I don't consider this a bug in FW-1, but a bug in the products
> navigator, and internet explorer.  These tags shouldn't be parsed, because
> they are malformed.  The firewall is stripping tags properly, but since
> these tags are malformed you can't expect the firewall to be able to
> recognize them as valid tags.
>
>
> -----Original Message-----
> From: Arne Vidstrom [mailto:arne.vidstrom () NTSECURITY NU]
> Sent: Saturday, January 29, 2000 8:52 AM
> To: BUGTRAQ () SECURITYFOCUS COM
> Subject: "Strip Script Tags" in FW-1 can be circumvented
>
>
> Hi all,
>
> The "Strip Script Tags" in FW-1 can be circumvented by adding an extra <
> before the <SCRIPT> tag like in this code:
>
> <HTML>
> <HEAD>
> <<SCRIPT LANGUAGE="JavaScript">
> alert("hello world")
> </SCRIPT>
> </HEAD>
> <BODY>
> test
> </BODY>
> </HTML>
>
> This code will pass unchanged, and still execute in both Navigator and
> Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm
> not able to check it on version 4.0 since I don't have access to it.
>
>
> /Arne Vidstrom
>
> http://ntsecurity.nu