Arne Vidstrøm wrote:

> The "Strip Script Tags" in FW-1 can be circumvented by adding
> an extra <
> before the <SCRIPT> tag (.......)
> I'm not able to check it on version 4.0 since
> I don't have access to it.

I've tried this on FW-1 version 4.0 SP4, on NT4 and it strips the code as it's supposed to do. That is, <<SCRIPT LANGUAGE="JavaScript"> is altered into <<SCRIP! LANGUAGE="JavaScript"> which the browsers will disregard. It's a bit silly that the alert("hello world") isn't cut away, though, so "< alert("hello world") test" is what your page looks like in web-browsers.

I recall Georgi posting something about doing other malformed tags to cause problems with hotmail.com's javascript filtering. Does FW-1 block if you <SCRIPT L\0x41NGUAGE="JavaScript"> or all other such bastardizations thereof? I did some quick testing to make sure that IE 5.0 still accepted the tag <script L\0x41NGUAGE="JavaScript"> but I don't have access to a FW-1 wall to check its filtering.

If a firewall software is going to "filter" all or desired scripting languages from web pages it can't be the position of the firewall vendor that the web browsers are processing malformed tags and they can't be expected to check for all of them. It'd be like your alarm company saying "Well that burglar cut the exposed wires we left! How can we stop that?". The firewall developers should be working with browser vendors (or put together their own testing team if the browser vendors aren't willing) to find every way that undesired code can be executed not just the "proper" way.
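An added example, not code from any poster in this thread or from Check Point: it contrasts rewriting the tag name in place, which leaves the script body in the page, with a filter that parses the markup and re-emits only allowlisted tags, so anything it does not recognise is dropped or escaped. The function `mangle_script_tags` is a constructed model of the rewrite described in the message above; the allowlist policy and all names are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Assumed policy for this example: only these tags (and attributes) are re-emitted.
ALLOWED_TAGS = {"p": set(), "b": set(), "i": set(), "a": {"href"}}
DROP_WITH_CONTENT = {"script", "style"}    # the element and its body are removed
SAFE_URL = ("http://", "https://")

def mangle_script_tags(page):
    """Constructed model of the rewrite described in the thread: <SCRIPT -> <SCRIP!"""
    return re.sub(r"(?i)<(scrip)t", r"<\1!", page)

class AllowlistFilter(HTMLParser):
    """Rebuilds the page from parsed tokens instead of editing the raw markup."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0        # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = "".join(f' {k}="{html.escape(v)}"' for k, v in attrs
                           if k in ALLOWED_TAGS[tag] and v
                           and v.lower().startswith(SAFE_URL))
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:                  # text outside dropped elements, escaped
            self.out.append(html.escape(data))

def sanitize(page):
    f = AllowlistFilter()
    f.feed(page)
    f.close()
    return "".join(f.out)

# Constructed samples built from the tag forms quoted in the thread.
SAMPLES = [
    '<<SCRIPT LANGUAGE="JavaScript">alert("hello world")</SCRIPT> test',
    r'<SCRIPT L\0x41NGUAGE="JavaScript">alert("hello world")</SCRIPT> test',
]
if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(mangle_script_tags(s)), "=>", repr(sanitize(s)))
```

Comments, declarations and unknown tags are never re-emitted because the parser's default handlers ignore them, and an unterminated script element is dropped to the end of the input.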
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:02 PDT