[13673] in bugtraq
Re: "Strip Script Tags" in FW-1 can be circumvented
daemon@ATHENA.MIT.EDU (Arne Vidstrom)
Wed Feb 2 17:28:27 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <JKEHIOKGPMHGBMCCADAIEENECAAA.arne.vidstrom@ntsecurity.nu>
Date: Tue, 1 Feb 2000 19:19:25 +0100
Reply-To: Arne Vidstrom <arne.vidstrom@NTSECURITY.NU>
From: Arne Vidstrom <arne.vidstrom@NTSECURITY.NU>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
The reason to strip script tags would be to protect users from hostile code
which the browsers can't handle themselves. Adding this feature to a
firewall at all, but not making it work properly in all cases (probably a
hopeless task anyway...) makes a false sense of security, which often is
worse than no security at all.
/Arne Vidstrom
http://ntsecurity.nu
> To: BugTraq
> Subject: Re: "Strip Script Tags" in FW-1 can be circumvented
> Date: Mon Jan 31 2000 00:28:29
> Author: Jonah Kowall
>
> I don't consider this a bug in FW-1, but a bug in the products
> navigator, and internet explorer. These tags shouldn't be parsed, because
> they are malformed. The firewall is stripping tags properly, but since
> these tags are malformed you can't expect the firewall to be able to
> recognize them as valid tags.
