[13662] in bugtraq
Re: "Strip Script Tags" in FW-1 can be circumvented
daemon@ATHENA.MIT.EDU (Miles Sabin)
Wed Feb 2 15:23:12 2000
Message-Id: <AA4C152BA2F9D211B9DD0008C79F760A67529C@odin.cromwellmedia.co.uk>
Date: Tue, 1 Feb 2000 18:06:37 -0000
Reply-To: Miles Sabin <msabin@CROMWELLMEDIA.CO.UK>
From: Miles Sabin <msabin@CROMWELLMEDIA.CO.UK>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Jonah Kowall wrote,
> I don't consider this a bug in FW-1, but a bug in the products
> navigator, and internet explorer. These tags shouldn't be
> parsed, because they are malformed. The firewall is stripping
> tags properly, but since these tags are malformed you can't
> expect the firewall to be able to recognize them as valid
> tags.
I disagree ...
Strictly speaking the _tags_ aren't malformed. The the loose
'<' preceeding the tag renders the document as a whole non-
well formed, which, according to the HTML REC, means that all
bets are off and user agents are allowed to interpret the
doc as they please. Most browsers will make an effort to try and
make sense of HTML crud like this rather than rejecting it
completely. That's reasonable given how much junk there is out
there which passes for HTML.
The upshot is that any firewall product which attempts to
interpret the stuff which passes through it has to be sensitive
to the way that the end recipent is likely to behave. If it
can't cope with the way browsers quite legitimately handle stuff
that's strictly speaking broken, then it simply isn't up to
snuff and should be fixed; or it should only pass stuff which is
valid (which means it'd have to validate on the fly); or it
shouldn't claim to be a 100% reliable filter.
Cheers,
Miles
--
Miles Sabin Cromwell Media
Internet Systems Architect 5/6 Glenthorne Mews
+44 (0)20 8817 4030 London, W6 0LJ, England
msabin@cromwellmedia.com http://www.cromwellmedia.com/
