Bugtraq: Re: "Strip Script Tags" in FW-1 can be circumvented

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: "Strip Script Tags" in FW-1 can be circumvented

From: bbl () AVENIR NO (Bjørnar B. Larsen)
Date: Tue, 1 Feb 2000 11:10:09 +0100


Arne VidstrÃ¸m wrote:

The "Strip Script Tags" in FW-1 can be circumvented by adding 
an extra <
before the <SCRIPT> tag


(.......)

I'm not able to check it on version 4.0 since 
I don't have access to it.


I've tried this on FW-1 version 4.0 SP4, on NT4 and it strips the code as
it's supposed to do. That is, 
<<SCRIPT LANGUAGE="JavaScript">
is altered into
<<SCRIP! LANGUAGE="JavaScript">
which the browsers will disregard. It's a bit silly that the alert("hello
world") isn't cut away, though, so "< alert("hello world") test" is what
your page looks like in web-browsers.

Regards,

:) BjÃ¸rnar

By Date By Thread

Current thread:

Re: "Strip Script Tags" in FW-1 can be circumvented Jonah Kowall (Jan 31)
- Re: "Strip Script Tags" in FW-1 can be circumvented sporty o'one (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented James Lin (Feb 01)
- Administrivia Elias Levy (Feb 03)
- <Possible follow-ups>
- Re: "Strip Script Tags" in FW-1 can be circumvented Bjørnar B. Larsen (Feb 01)
  - Re: "Strip Script Tags" in FW-1 can be circumvented Bret Piatt (Feb 02)
- Re: "Strip Script Tags" in FW-1 can be circumvented Miles Sabin (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented Losinski, Robert (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented Arne Vidstrom (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented Jonah Kowall (Feb 02)