bblAVENIR.NO

• Next message: Russ: "Re: SyGate 3.11 Port 7323 / Remote Admin hole"
• Previous message: Greg A. Woods: "Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability)"
• Maybe in reply to: Arne Vidstrom: ""Strip Script Tags" in FW-1 can be circumvented"
• Next in thread: Bret Piatt: "Re: "Strip Script Tags" in FW-1 can be circumvented"
• Next in thread: Losinski, Robert: "Re: "Strip Script Tags" in FW-1 can be circumvented"
• Maybe reply: Bjørnar B. Larsen: "Re: "Strip Script Tags" in FW-1 can be circumvented"
• Reply: Bret Piatt: "Re: "Strip Script Tags" in FW-1 can be circumvented"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Arne Vidstrøm wrote:
> The "Strip Script Tags" in FW-1 can be circumvented by adding
> an extra <
> before the <SCRIPT> tag

(.......)

> I'm not able to check it on version 4.0 since
> I don't have access to it.

I've tried this on FW-1 version 4.0 SP4, on NT4 and it strips the code as
it's supposed to do. That is,
<<SCRIPT LANGUAGE="JavaScript">
is altered into
<<SCRIP! LANGUAGE="JavaScript">
which the browsers will disregard. It's a bit silly that the alert("hello
world") isn't cut away, though, so "< alert("hello world") test" is what
your page looks like in web-browsers.

Regards,

:) Bjørnar

• Next message: Russ: "Re: SyGate 3.11 Port 7323 / Remote Admin hole"
• Previous message: Greg A. Woods: "Re: Future of s/key (Re: S/Key & OPIE Database Vulnerability)"
• Maybe in reply to: Arne Vidstrom: ""Strip Script Tags" in FW-1 can be circumvented"
• Next in thread: Bret Piatt: "Re: "Strip Script Tags" in FW-1 can be circumvented"
• Next in thread: Losinski, Robert: "Re: "Strip Script Tags" in FW-1 can be circumvented"
• Maybe reply: Bjørnar B. Larsen: "Re: "Strip Script Tags" in FW-1 can be circumvented"
• Reply: Bret Piatt: "Re: "Strip Script Tags" in FW-1 can be circumvented"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]