[13671] in bugtraq
Re: "Strip Script Tags" in FW-1 can be circumvented
daemon@ATHENA.MIT.EDU (Jonah Kowall)
Wed Feb 2 17:05:10 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id: <8F04455EA3A3D21195A600104B72E3861E01A7@yap.cinteractive.com>
Date: Wed, 2 Feb 2000 10:08:37 -0500
Reply-To: Jonah Kowall <jkowall@CINTERACTIVE.COM>
From: Jonah Kowall <jkowall@CINTERACTIVE.COM>
X-To: "ark@eltex.ru" <ark@eltex.ru>
To: BUGTRAQ@SECURITYFOCUS.COM
Okay I have gotten 100x of these messages... all I have to say was that
there are 1000 possibilities for malforming html tags in some sense, and
what you consider valid html must also be explored. This isn't an issue in
Firewall 1 4.0 SP5. It apparently has been fixed sometime between the 4.5
year old version he was using, and the current release.
-----Original Message-----
From: ark@eltex.ru [mailto:ark@eltex.ru]
Sent: Wednesday, February 02, 2000 5:56 AM
To: jkowall@CINTERACTIVE.COM
Cc: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: "Strip Script Tags" in FW-1 can be circumvented
-----BEGIN PGP SIGNED MESSAGE-----
nuqneH,
One of most important reasons to use firewall is to avoid client bugs from
being abused. It _is_ definitely a bug in FW-1.
Jonah Kowall <jkowall@CINTERACTIVE.COM> said :
> I don't consider this a bug in FW-1, but a bug in the products
> navigator, and internet explorer. These tags shouldn't be parsed, because
> they are malformed. The firewall is stripping tags properly, but since
> these tags are malformed you can't expect the firewall to be able to
> recognize them as valid tags.
>
>
> -----Original Message-----
> From: Arne Vidstrom [mailto:arne.vidstrom@NTSECURITY.NU]
> Sent: Saturday, January 29, 2000 8:52 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: "Strip Script Tags" in FW-1 can be circumvented
>
>
> Hi all,
>
> The "Strip Script Tags" in FW-1 can be circumvented by adding an extra <
> before the <SCRIPT> tag like in this code:
>
> <HTML>
> <HEAD>
> <<SCRIPT LANGUAGE="JavaScript">
> alert("hello world")
> </SCRIPT>
> </HEAD>
> <BODY>
> test
> </BODY>
> </HTML>
>
> This code will pass unchanged, and still execute in both Navigator and
> Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm
> not able to check it on version 4.0 since I don't have access to it.
>
>
> /Arne Vidstrom
>
> http://ntsecurity.nu
>
_ _ _ _ _ _ _
{::} {::} {::} CU in Hell _| o |_ | | _|| | / _||_| |_ |_ |_
(##) (##) (##) /Arkan#iD |_ o _||_| _||_| / _| | o |_||_||_|
[||] [||] [||] Do i believe in Bible? Hell,man,i've seen one!
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
iQCVAwUBOJgNSKH/mIJW9LeBAQFs4gP+PPq2cUhySREF0VETw6UnK3GXCJ5e3qdO
zlS2mB5w0cF+5DNNbwriWZ1MMyFN4/6Q/xMFC/ooa2+Il/BDoZCzhp1qL4Cw7Xq9
kutraZD/7+77E4u2gFirG/mmGfzsxALtNLtajTacmnAQ1evrMzeD4dGN6pdiYVRx
zrvp+hHwVSA=
=uv2x
-----END PGP SIGNATURE-----
