Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: "Strip Script Tags" in FW-1 can be circumvented
From: arne.vidstrom () NTSECURITY NU (Arne Vidstrom)
Date: Tue, 1 Feb 2000 19:19:25 +0100


The reason to strip script tags would be to protect users from hostile code
which the browsers can't handle themselves. Adding this feature to a
firewall at all, but not making it work properly in all cases (probably a
hopeless task anyway...) makes a false sense of security, which often is
worse than no security at all.

/Arne Vidstrom

http://ntsecurity.nu

To: BugTraq
Subject: Re: "Strip Script Tags" in FW-1 can be circumvented
Date: Mon Jan 31 2000 00:28:29
Author: Jonah Kowall

I don't consider this a bug in FW-1, but a bug in the products
navigator, and internet explorer.  These tags shouldn't be parsed, because
they are malformed.  The firewall is stripping tags properly, but since
these tags are malformed you can't expect the firewall to be able to
recognize them as valid tags.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]