NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 2000-01

Subject: Re: "Strip Script Tags" in FW-1 can be circumvented
From: Jonah Kowall (jkowallCINTERACTIVE.COM)
Date: Mon Jan 31 2000 - 13:28:29 CST

Next message: Dug Song: "Re: Tempfile vulnerabilities"
Previous message: Aleph One: "New Allaire Security Zone Bulletin"
Maybe in reply to: Arne Vidstrom: ""Strip Script Tags" in FW-1 can be circumvented"
Next in thread: James Lin: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Next in thread: Bjørnar B. Larsen: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Maybe reply: Jonah Kowall: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Reply: James Lin: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Reply: sporty o'one: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I don't consider this a bug in FW-1, but a bug in the products
navigator, and internet explorer. These tags shouldn't be parsed, because
they are malformed. The firewall is stripping tags properly, but since
these tags are malformed you can't expect the firewall to be able to
recognize them as valid tags.

-----Original Message-----
From: Arne Vidstrom [mailto:arne.vidstromNTSECURITY.NU]
Sent: Saturday, January 29, 2000 8:52 AM
To: BUGTRAQSECURITYFOCUS.COM
Subject: "Strip Script Tags" in FW-1 can be circumvented

Hi all,

The "Strip Script Tags" in FW-1 can be circumvented by adding an extra <
before the <SCRIPT> tag like in this code:

<HTML>
<HEAD>
<<SCRIPT LANGUAGE="JavaScript">
alert("hello world")
</SCRIPT>
</HEAD>
<BODY>
test
</BODY>
</HTML>

This code will pass unchanged, and still execute in both Navigator and
Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm
not able to check it on version 4.0 since I don't have access to it.

/Arne Vidstrom

http://ntsecurity.nu

Next message: Dug Song: "Re: Tempfile vulnerabilities"
Previous message: Aleph One: "New Allaire Security Zone Bulletin"
Maybe in reply to: Arne Vidstrom: ""Strip Script Tags" in FW-1 can be circumvented"
Next in thread: James Lin: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Next in thread: Bjørnar B. Larsen: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Maybe reply: Jonah Kowall: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Reply: James Lin: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Reply: sporty o'one: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]