Re: "Strip Script Tags" in FW-1 can be circumvented

From: Arne Vidstrom (arne.vidstromat_private)
Date: Tue Feb 01 2000 - 10:19:25 PST

Next message: Michal Zalewski: "no comment"

Previous message: Dave Dittrich: "Re: Req. Clarification on Stacheldraht Analysis (fwd)"
Next in thread: Bret Piatt: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The reason to strip script tags would be to protect users from hostile code
which the browsers can't handle themselves. Adding this feature to a
firewall at all, but not making it work properly in all cases (probably a
hopeless task anyway...) makes a false sense of security, which often is
worse than no security at all.

/Arne Vidstrom

http://ntsecurity.nu


> To: BugTraq
> Subject: Re: "Strip Script Tags" in FW-1 can be circumvented
> Date: Mon Jan 31 2000 00:28:29
> Author: Jonah Kowall
>
> I don't consider this a bug in FW-1, but a bug in the products
> navigator, and internet explorer.  These tags shouldn't be parsed, because
> they are malformed.  The firewall is stripping tags properly, but since
> these tags are malformed you can't expect the firewall to be able to
> recognize them as valid tags.

Next message: Michal Zalewski: "no comment"
Previous message: Dave Dittrich: "Re: Req. Clarification on Stacheldraht Analysis (fwd)"
Next in thread: Bret Piatt: "Re: "Strip Script Tags" in FW-1 can be circumvented"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:32:59 PDT