Re: "Strip Script Tags" in FW-1 can be circumvented

From: Losinski, Robert (Robert_Losinskiat_private)
Date: Tue Feb 01 2000 - 10:11:49 PST


    As a former SGML Analyst with years of experience dealing with bad markup, I
    disagree. The firewall should always strip the <SCRIPT> tags and all text
    parsed in between.  Web browsers are designed to be as flexible and loose as
    possible to compensate for all the "hand coded" webpages around. That is why
    they ignore the unclosed "<" before the <SCRIPT> tag.
    
    FW-1 on the other hand is designed around strict security concerns by
    enforcing rigid rule sets. It should always parse out and remove <SCRIPT>
    tags when that rule is activated regardless of surrounding text. Obviously
    their parser is not capable of ignoring an unclosed "<" when it encounters
    the <SCRIPT> tag.
    
    -----Original Message-----
    From: Jonah Kowall [mailto:jkowallat_private]
    Sent: Monday, January 31, 2000 12:28 PM
    To: BUGTRAQat_private
    Subject: Re: "Strip Script Tags" in FW-1 can be circumvented
    
    
    I don't consider this a bug in FW-1, but a bug in the products
    Navigator and Internet Explorer.  These tags shouldn't be parsed, because
    they are malformed.  The firewall is stripping tags properly, but since
    these tags are malformed you can't expect the firewall to be able to
    recognize them as valid tags.
    
    
    -----Original Message-----
    From: Arne Vidstrom [mailto:arne.vidstromat_private]
    Sent: Saturday, January 29, 2000 8:52 AM
    To: BUGTRAQat_private
    Subject: "Strip Script Tags" in FW-1 can be circumvented
    
    
    Hi all,
    
    The "Strip Script Tags" in FW-1 can be circumvented by adding an extra <
    before the <SCRIPT> tag like in this code:
    
    <HTML>
    <HEAD>
    <<SCRIPT LANGUAGE="JavaScript">
    alert("hello world")
    </SCRIPT>
    </HEAD>
    <BODY>
    test
    </BODY>
    </HTML>
    
    This code will pass unchanged, and still execute in both Navigator and
    Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm
    not able to check it on version 4.0 since I don't have access to it.
    
    
    /Arne Vidstrom
    
    http://ntsecurity.nu
    
    
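An added example, not code from this thread or from FW-1: a small Python model of the two tag-recognition strategies the posts contrast, a rigid stripper that takes everything between a "<" and the next ">" as one tag, and a browser-style tokeniser that treats a "<" not followed by a tag-name character as literal text. The sample document is constructed to mirror the one in Arne's post; strip_script_tags and its lenient flag are hypothetical names.

```python
import re

# Constructed sample mirroring the test page in Arne's post (not the original file).
SAMPLE_PAGE = """<HTML>
<HEAD>
<<SCRIPT LANGUAGE="JavaScript">
alert("hello world")
</SCRIPT>
</HEAD>
<BODY>
test
</BODY>
</HTML>
"""

CLOSE_SCRIPT = re.compile(r"</script\s*>", re.IGNORECASE)


def strip_script_tags(html, lenient):
    """Hypothetical filter: drop <script>...</script> blocks from html.

    lenient=False models a rigid tokeniser that takes everything from a '<' to the
    next '>' as one tag, so '<<SCRIPT ...>' gets the tag name '<SCRIPT' and is
    passed through untouched (the behaviour the thread reports for FW-1 3.0).
    lenient=True models the browser rule: a '<' not followed by a letter, '/',
    '!' or '?' is literal text, so the second '<' starts a real SCRIPT tag.
    """
    out, i, n = [], 0, len(html)
    while i < n:
        if html[i] != "<":
            out.append(html[i])
            i += 1
            continue
        nxt = html[i + 1:i + 2]      # "" at end of input
        if lenient and not (nxt.isalpha() or nxt in ("/", "!", "?")):
            out.append("<")          # stray '<' is text, keep scanning
            i += 1
            continue
        end = html.find(">", i)
        if end == -1:                # unterminated tag: pass the rest through
            out.append(html[i:])
            break
        name = re.split(r"[\s/]", html[i + 1:end], maxsplit=1)[0].lower()
        if name == "script":
            close = CLOSE_SCRIPT.search(html, end + 1)
            i = close.end() if close else n   # drop tag, body and close tag
            continue
        out.append(html[i:end + 1])  # any other tag is copied as-is
        i = end + 1
    return "".join(out)
```

With lenient=False the sample passes through byte-for-byte, which is the bypass Arne reports; with lenient=True the script block is removed and only the stray "<" remains as text.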



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:58 PDT