Bugtraq: Re: "Strip Script Tags" in FW-1 can be circumvented

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: "Strip Script Tags" in FW-1 can be circumvented

From: arne.vidstrom () NTSECURITY NU (Arne Vidstrom)
Date: Tue, 1 Feb 2000 19:19:25 +0100


The reason to strip script tags would be to protect users from hostile code
which the browsers can't handle themselves. Adding this feature to a
firewall at all, but not making it work properly in all cases (probably a
hopeless task anyway...) makes a false sense of security, which often is
worse than no security at all.

/Arne Vidstrom

http://ntsecurity.nu

To: BugTraq
Subject: Re: "Strip Script Tags" in FW-1 can be circumvented
Date: Mon Jan 31 2000 00:28:29
Author: Jonah Kowall

I don't consider this a bug in FW-1, but a bug in the products
navigator, and internet explorer.  These tags shouldn't be parsed, because
they are malformed.  The firewall is stripping tags properly, but since
these tags are malformed you can't expect the firewall to be able to
recognize them as valid tags.

By Date By Thread

Current thread:

Administrivia, (continued)
- Administrivia Elias Levy (Feb 03)
- Re: "Strip Script Tags" in FW-1 can be circumvented Bjørnar B. Larsen (Feb 01)
  - Re: "Strip Script Tags" in FW-1 can be circumvented Bret Piatt (Feb 02)
- Re: "Strip Script Tags" in FW-1 can be circumvented Miles Sabin (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented Losinski, Robert (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented Arne Vidstrom (Feb 01)
- Re: "Strip Script Tags" in FW-1 can be circumvented Jonah Kowall (Feb 02)