Re: "Strip Script Tags" in FW-1 can be circumvented
From: dknight () CSUCHICO EDU (Bret Piatt)
Date: Wed, 2 Feb 2000 08:44:52 -0800
Arne Vidstrøm wrote:
The "Strip Script Tags" in FW-1 can be circumvented by adding
an extra < before the <SCRIPT> tag
I'm not able to check it on version 4.0 since
I don't have access to it.
I've tried this on FW-1 version 4.0 SP4, on NT4 and it strips the code as
it's supposed to do. That is,
is altered into
which the browsers will disregard. It's a bit silly that the alert("hello
world") isn't cut away, though, so "< alert("hello world") test" is what
your page looks like in web-browsers.
I recall Georgi posting something about doing other malformed tags to
such bastardizations thereof? I did some quick testing to make sure
but I don't have access to a FW-1 wall to check its filtering.
If firewall software is going to "filter" all or desired scripting
from web pages, it can't be the position of the firewall vendor that the web
browsers are processing malformed tags and they can't be expected to check
for all of them. It'd be like your alarm company saying "Well, that burglar
cut the exposed wires we left! How can we stop that?" The firewall
developers should be working with browser vendors (or put together their
own testing team if the browser vendors aren't willing) to find every way
that undesired code can be executed, not just the "proper" way.
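
The kind of regression check the message above argues for, as an added example that is not part of the original post and is not FW-1's code: a filter's output is judged by what a browser would still parse as a script tag, not by what the filter thinks a tag is. `naive_strip` is a hypothetical filter, `browser_sees_script` is a simplified stand-in for a browser tokenizer, and the inputs are constructed from the case described in the thread.

```python
import re

# Constructed inputs: a well-formed tag, the extra "<" case from the thread,
# and a page with no script at all.
CASES = {
    "well-formed": '<SCRIPT>alert("hello world")</SCRIPT> test',
    "extra <": '<<SCRIPT>alert("hello world")</SCRIPT> test',
    "no script": '<B>hello</B> test',
}

def browser_sees_script(html):
    """Simplified browser view (assumption): any "<" directly followed by the
    name "script" and a delimiter opens a script tag, whatever precedes it."""
    return re.search(r"<script[\s/>]", html, re.IGNORECASE) is not None

def naive_strip(html):
    """Hypothetical filter: treats "<" ... ">" as one token and compares the
    whole token name, so "<<SCRIPT>" is read as a tag named "<script"."""
    def drop_script(match):
        words = match.group(1).split()
        name = words[0].lstrip("/").lower() if words else ""
        return "" if name == "script" else match.group(0)
    return re.sub(r"<([^>]*)>", drop_script, html)

def parser_aligned_strip(html):
    """Escapes every "<" that the oracle above would read as opening or
    closing a script tag, so the remainder renders as inert text."""
    return re.sub(r"<(?=/?script[\s/>])", "&lt;", html, flags=re.IGNORECASE)

def regression(filter_fn):
    """Return the names of cases whose filtered output still has a script tag."""
    return [name for name, html in CASES.items()
            if browser_sees_script(filter_fn(html))]

if __name__ == "__main__":
    for fn in (naive_strip, parser_aligned_strip):
        print(fn.__name__, "leaks on:", regression(fn))
```

A filter passes only when `regression` returns an empty list; each newly reported malformed-tag variant belongs in `CASES` before the filter is changed.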