Considering how loosely typed the language is, and how much error correction is needed in HTML browsers, it is more of a firewall problem. Using a string dtd for html for most people would fail miserably right off the bat. Besides, parsing for <.?*> recursively isn't the most intensive task in the world. Proof: any web browser does it...

On Mon, 31 Jan 2000, Jonah Kowall wrote:

> I don't consider this a bug in FW-1, but a bug in the products
> navigator, and internet explorer. These tags shouldn't be parsed, because
> they are malformed. The firewall is stripping tags properly, but since
> these tags are malformed you can't expect the firewall to be able to
> recognize them as valid tags.
>
>
> -----Original Message-----
> From: Arne Vidstrom [mailto:arne.vidstromat_private]
> Sent: Saturday, January 29, 2000 8:52 AM
> To: BUGTRAQat_private
> Subject: "Strip Script Tags" in FW-1 can be circumvented
>
>
> Hi all,
>
> The "Strip Script Tags" in FW-1 can be circumvented by adding an extra <
> before the <SCRIPT> tag like in this code:
>
> <HTML>
> <HEAD>
> <<SCRIPT LANGUAGE="JavaScript">
> alert("hello world")
> </SCRIPT>
> </HEAD>
> <BODY>
> test
> </BODY>
> </HTML>
>
> This code will pass unchanged, and still execute in both Navigator and
> Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.0) but I'm
> not able to check it on version 4.0 since I don't have access to it.
>
>
> /Arne Vidstrom
>
> http://ntsecurity.nu
>
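Added example, not part of the original thread and not FW-1's code: a hypothetical strict tokenizer that misses the `<<SCRIPT` document from the report, beside a filter that applies the browser-like rule that a `<` not followed by a tag name is plain text. All function names are assumptions made for this illustration.

```python
import re

# Constructed sample: the document quoted in the original report.
SAMPLE = ('<HTML>\n<HEAD>\n<<SCRIPT LANGUAGE="JavaScript">\n'
          'alert("hello world")\n</SCRIPT>\n</HEAD>\n<BODY>\ntest\n</BODY>\n</HTML>\n')

def strict_tag_names(html):
    """Hypothetical strict tokenizer: a tag runs from '<' to the next '>',
    and its name is everything up to the first whitespace."""
    names, pos = [], 0
    while (start := html.find("<", pos)) != -1:
        end = html.find(">", start)
        if end == -1:
            break
        body = html[start + 1:end].split()
        names.append(body[0].lower() if body else "")
        pos = end + 1
    return names

def strict_has_script(html):
    # For '<<SCRIPT ...>' the strict name is '<script', so this returns False.
    return "script" in strict_tag_names(html)

# Browser-like rule: every '<' is a fresh candidate tag start, so the extra
# leading '<' is treated as text and the second '<' still opens SCRIPT.
OPEN_SCRIPT = re.compile(r"<script(?=[\s/>])", re.IGNORECASE)
CLOSE_SCRIPT = re.compile(r"</script[^>]*>", re.IGNORECASE)

def tolerant_script_offsets(html):
    """Offsets of every position a lenient browser would open a script at."""
    return [m.start() for m in OPEN_SCRIPT.finditer(html)]

def strip_scripts(html):
    """Remove each script element; an unclosed one drops the rest (fail closed)."""
    out, pos = [], 0
    for m in OPEN_SCRIPT.finditer(html):
        if m.start() < pos:
            continue  # already inside a removed element
        out.append(html[pos:m.start()])
        close = CLOSE_SCRIPT.search(html, m.end())
        pos = close.end() if close else len(html)
    out.append(html[pos:])
    return "".join(out)

if __name__ == "__main__":
    print("strict filter sees script:", strict_has_script(SAMPLE))
    print("tolerant offsets:", tolerant_script_offsets(SAMPLE))
    print(strip_scripts(SAMPLE))
```

The tolerant filter covers only script elements and is not a complete active-content filter; the point is that the filter must accept at least everything the browsers behind it will accept.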
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:33:07 PDT