Re: "Strip Script Tags" in FW-1 can be circumvented

From: Bjørnar B. Larsen (bblat_private)
Date: Tue Feb 01 2000 - 02:10:09 PST

Next message: TAKAGI, Hiromitsu: "`Microsoft VM for Java' allows reading local files using"

Previous message: Kevin Kadow: "Security issues with S&P ComStock multiCSP (Linux)"
Next in thread: Miles Sabin: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Arne Vidstrøm wrote:
> The "Strip Script Tags" in FW-1 can be circumvented by adding 
> an extra <
> before the <SCRIPT> tag

(.......)

> I'm not able to check it on version 4.0 since 
> I don't have access to it.

I've tried this on FW-1 version 4.0 SP4, on NT4 and it strips the code as
it's supposed to do. That is, 
<<SCRIPT LANGUAGE="JavaScript">
is altered into
<<SCRIP! LANGUAGE="JavaScript">
which the browsers will disregard. It's a bit silly that the alert("hello
world") isn't cut away, though, so "< alert("hello world") test" is what
your page looks like in web-browsers.

Regards,

:) Bjørnar

Next message: TAKAGI, Hiromitsu: "`Microsoft VM for Java' allows reading local files using"
Previous message: Kevin Kadow: "Security issues with S&P ComStock multiCSP (Linux)"
Next in thread: Miles Sabin: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:50 PDT