Bugtraq: Re: "Strip Script Tags" in FW-1 can be circumvented

From: sporty o'one <sporty_at_SPORTY.ORG>
Date: Tue, 1 Feb 2000 13:00:09 +0000

Considering how loosely typed the language is, and how much error correction
is needed in HTML browsers, it is more of a firewall problem. Using a
string dtd for HTML for most people would fail miserably right off the
bat.

Besides, parsing for <.?*> recursively isn't the most intensive task in
the world. Proof: any web browser does it...

On Mon, 31 Jan 2000, Jonah Kowall wrote:

> I don't consider this a bug in FW-1, but a bug in the products
> Navigator and Internet Explorer. These tags shouldn't be parsed, because
> they are malformed. The firewall is stripping tags properly, but since
> these tags are malformed you can't expect the firewall to be able to
> recognize them as valid tags.
>
>
> -----Original Message-----
> From: Arne Vidstrom [mailto:arne.vidstrom_at_NTSECURITY.NU]
> Sent: Saturday, January 29, 2000 8:52 AM
> To: BUGTRAQ_at_SECURITYFOCUS.COM
> Subject: "Strip Script Tags" in FW-1 can be circumvented
>
>
> Hi all,
>
> The "Strip Script Tags" in FW-1 can be circumvented by adding an extra <
> before the <SCRIPT> tag like in this code:
>
> <HTML>
> <HEAD>
> <<SCRIPT LANGUAGE="JavaScript">
> alert("hello world")
> </SCRIPT>
> </HEAD>
> <BODY>
> test
> </BODY>
> </HTML>
>
> This code will pass unchanged, and still execute in both Navigator and
> Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm
> not able to check it on version 4.0 since I don't have access to it.
>
>
> /Arne Vidstrom
>
> http://ntsecurity.nu
>
Received on Feb 02 2000
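
The disagreement in this thread can be shown with two filters run over the HTML from the original report. This is an added example, not part of any poster's message and not FW-1's code: the strict tokenizer is an assumed model of a filter that only recognizes well-formed tags, and all function names are hypothetical.

```python
import re

# Constructed sample: the HTML from the quoted report, extra "<" included.
SAMPLE = (
    '<HTML>\n<HEAD>\n<<SCRIPT LANGUAGE="JavaScript">\n'
    'alert("hello world")\n</SCRIPT>\n</HEAD>\n'
    '<BODY>\ntest\n</BODY>\n</HTML>\n'
)

# Assumed strict model: a token runs from a "<" to the next ">", and the tag
# name is whatever directly follows that first "<".
TOKEN = re.compile(r"<([^>]*)>")

def strict_strip(html):
    """Drop opening tags whose token name is exactly SCRIPT."""
    def drop(match):
        fields = match.group(1).split()
        name = fields[0].lower() if fields else ""
        return "" if name == "script" else match.group(0)
    return TOKEN.sub(drop, html)

# Tolerant model: find "<script" wherever it starts, as a forgiving browser
# parser would, and remove through the closing tag (or the end of input).
SCRIPT_ELEMENT = re.compile(
    r"<\s*script\b.*?(?:<\s*/\s*script\s*>|\Z)",
    re.IGNORECASE | re.DOTALL,
)

def tolerant_strip(html):
    """Remove every script element, however its opening tag is prefixed."""
    return SCRIPT_ELEMENT.sub("", html)

def has_script_open(html):
    """True if an opening SCRIPT tag is still present in the output."""
    return re.search(r"<\s*script\b", html, re.IGNORECASE) is not None

if __name__ == "__main__":
    well_formed = SAMPLE.replace("<<SCRIPT", "<SCRIPT")
    print("strict, well-formed input:", has_script_open(strict_strip(well_formed)))
    print("strict, extra '<' input:  ", has_script_open(strict_strip(SAMPLE)))
    print("tolerant, extra '<' input:", has_script_open(tolerant_strip(SAMPLE)))
```

The strict model reads `<<SCRIPT` as a tag named `<SCRIPT` and leaves it alone, while the tolerant model matches the tag at the position where a browser would start parsing it.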
