Bugtraq mailing list archives

Re: "Strip Script Tags" in FW-1 can be circumvented
From: bbl () AVENIR NO (Bjørnar B. Larsen)
Date: Tue, 1 Feb 2000 11:10:09 +0100

Arne Vidstrøm wrote:
The "Strip Script Tags" in FW-1 can be circumvented by adding an extra < before the <SCRIPT> tag

I'm not able to check it on version 4.0 since I don't have access to it.

I've tried this on FW-1 version 4.0 SP4, on NT4 and it strips the code as
it's supposed to do. That is, 
is altered into
<<SCRIP! LANGUAGE="JavaScript">
which the browsers will disregard. It's a bit silly that the alert("hello
world") isn't cut away, though, so "< alert("hello world") test" is what
your page looks like in web-browsers.


:) Bjørnar
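A regression check for the behaviour reported in this message, as an added example that is not part of the original post or Check Point's code: it models the reported rewrite (`SCRIPT` becomes `SCRIP!`), then parses the filtered page to confirm no script element survives and to show the script body that is left behind as visible text. The function names and the two sample pages are constructed for illustration, and Python's `html.parser` stands in for a browser's tokenizer.

```python
import re
from html.parser import HTMLParser

# Assumed model of the rewrite the message reports: the opening tag name
# SCRIPT becomes SCRIP!, and nothing else in the page is touched.
_SCRIPT_OPEN = re.compile(r"<(scrip)t(?=[\s>/])", re.IGNORECASE)

def neutralize_script_tags(html):
    return _SCRIPT_OPEN.sub(lambda m: "<" + m.group(1) + "!", html)

class _Audit(HTMLParser):
    """Records whether a script element is parsed and what text stays visible."""
    def __init__(self):
        super().__init__()
        self.script_found = False
        self._in_script = False
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_found = self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            self.text.append(data)

def audit(html):
    parser = _Audit()
    parser.feed(html)
    parser.close()
    return parser.script_found, "".join(parser.text)

# Constructed sample pages: a plain script tag and one with an extra "<".
SAMPLES = {
    "plain": '<SCRIPT LANGUAGE="JavaScript">alert("hello world")</SCRIPT> test',
    "extra_lt": '<<SCRIPT LANGUAGE="JavaScript">alert("hello world")</SCRIPT> test',
}

def check_filter(filter_fn):
    """Run a candidate filter over every sample and audit each result."""
    return {name: audit(filter_fn(page)) for name, page in SAMPLES.items()}

if __name__ == "__main__":
    for name, (found, text) in check_filter(neutralize_script_tags).items():
        print(f"{name}: script element parsed={found}, visible text={text!r}")
```

Passing a different filter function to `check_filter` applies the same two checks to it.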
