[13680] in bugtraq
Re: "Strip Script Tags" in FW-1 can be circumvented
daemon@ATHENA.MIT.EDU (sporty o'one)
Wed Feb 2 18:47:44 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.21.0002011254170.14080-100000@sporty.org>
Date: Tue, 1 Feb 2000 13:00:09 +0000
Reply-To: "sporty o'one" <sporty@SPORTY.ORG>
From: "sporty o'one" <sporty@SPORTY.ORG>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <8F04455EA3A3D21195A600104B72E3861E0182@yap.cinteractive.com>
considering how loosely typed the language is, and how much error correction
is needed in html browsers, it is more of a firewall problem. Using a
strict dtd for html for most people would fail miserably right off the
bat.
Besides, parsing for <.?*> recursively isn't the most intensive task in
the world. Proof: any web browser does it...
On Mon, 31 Jan 2000, Jonah Kowall wrote:
> I don't consider this a bug in FW-1, but a bug in the products
> Navigator and Internet Explorer. These tags shouldn't be parsed, because
> they are malformed. The firewall is stripping tags properly, but since
> these tags are malformed you can't expect the firewall to be able to
> recognize them as valid tags.
>
>
> -----Original Message-----
> From: Arne Vidstrom [mailto:arne.vidstrom@NTSECURITY.NU]
> Sent: Saturday, January 29, 2000 8:52 AM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: "Strip Script Tags" in FW-1 can be circumvented
>
>
> Hi all,
>
> The "Strip Script Tags" in FW-1 can be circumvented by adding an extra <
> before the <SCRIPT> tag like in this code:
>
> <HTML>
> <HEAD>
> <<SCRIPT LANGUAGE="JavaScript">
> alert("hello world")
> </SCRIPT>
> </HEAD>
> <BODY>
> test
> </BODY>
> </HTML>
>
> This code will pass unchanged, and still execute in both Navigator and
> Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm
> not able to check it on version 4.0 since I don't have access to it.
>
>
> /Arne Vidstrom
>
> http://ntsecurity.nu
>
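To make the failure mode discussed in this thread concrete, here is an added Python example (not code from FW-1, nor from any of the posters): a naive tag-name scanner that a doubled `<` slips past, beside a tolerant scanner that, like the browsers' error recovery, treats a `<` not followed by a tag-name character as plain text. The sample HTML is Arne's snippet as a constructed string; the function names are my own.

```python
import re

# Constructed sample: the bypass HTML from Arne Vidstrom's post, as one string.
SAMPLE = ('<HTML>\n<HEAD>\n<<SCRIPT LANGUAGE="JavaScript">\nalert("hello world")\n'
          '</SCRIPT>\n</HEAD>\n<BODY>\ntest\n</BODY>\n</HTML>\n')

CLOSE_SCRIPT = re.compile(r'</\s*script\s*>', re.I)

def _tag_name(tag_body):
    """Tag name = text up to the first whitespace or '/', upper-cased."""
    return re.split(r'[\s/]', tag_body, maxsplit=1)[0].upper()

def strip_script_naive(html):
    """Scanner in the style the thread blames: every '<' opens a tag and the
    name runs to the first space. '<<SCRIPT' therefore has the name '<SCRIPT',
    which never equals SCRIPT, so the whole block passes through untouched."""
    out, i, n = [], 0, len(html)
    while i < n:
        if html[i] != '<':
            out.append(html[i]); i += 1; continue
        end = html.find('>', i)
        if end == -1:
            out.append(html[i:]); break
        if _tag_name(html[i + 1:end]) == 'SCRIPT':
            m = CLOSE_SCRIPT.search(html, end + 1)
            i = n if m is None else m.end()   # drop through </SCRIPT>
            continue
        out.append(html[i:end + 1]); i = end + 1
    return ''.join(out)

def strip_script_tolerant(html):
    """Same scanner, but a '<' only opens a tag when followed by a letter or
    '/'; any other '<' is literal text, which is how the browsers recover.
    The second '<' of '<<SCRIPT' then starts a real SCRIPT tag and is removed."""
    out, i, n = [], 0, len(html)
    while i < n:
        nxt = html[i + 1] if i + 1 < n else ''
        if html[i] != '<' or not (nxt.isalpha() or nxt == '/'):
            out.append(html[i]); i += 1; continue
        end = html.find('>', i)
        if end == -1:
            out.append(html[i:]); break
        if _tag_name(html[i + 1:end]) == 'SCRIPT':
            m = CLOSE_SCRIPT.search(html, end + 1)
            i = n if m is None else m.end()   # drop through </SCRIPT>
            continue
        out.append(html[i:end + 1]); i = end + 1
    return ''.join(out)
```

The naive scanner returns the sample unchanged, while the tolerant one leaves only the stray literal `<` (which the browser would have rendered as text anyway) and drops the script block.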