COMMAND
Strip Script Tags
SYSTEMS AFFECTED
FW-1
PROBLEM
Arne Vidstrom found the following. The "Strip Script Tags" feature in
FW-1 can be circumvented by adding an extra < before the <SCRIPT> tag,
as in this code:
<HTML>
<HEAD>
<<SCRIPT LANGUAGE="JavaScript">
alert("hello world")
</SCRIPT>
</HEAD>
<BODY>
test
</BODY>
</HTML>
This code will pass unchanged, and still execute in both Navigator
and Explorer. Arne tried this on version 3.0 of FW-1 (on Windows
NT 4.0) but was not able to check it on version 4.0, since he
does not have access to it.
Strictly speaking the _tags_ aren't malformed. The loose '<'
preceding the tag renders the document as a whole non-well-formed,
which, according to the HTML REC, means that all bets are off and
user agents are allowed to interpret the document as they please.
Most browsers will make an effort to make sense of HTML crud like
this rather than rejecting it completely: a stray '<' that does not
start a tag is treated as ordinary text, and the '<SCRIPT ...>'
that follows it is then parsed as a perfectly good script tag.
That's reasonable given how much junk there is out there which
passes for HTML. The upshot is that any firewall product which
attempts to interpret the stuff which passes through it has to be
sensitive to the way that the end recipient is likely to behave.
If it can't cope with the way browsers quite legitimately handle
stuff that's strictly speaking broken, then it simply isn't up to
snuff and should be fixed; or it should only pass stuff which is
valid (which means it'd have to validate on the fly); or it
shouldn't claim to be a 100% reliable filter.
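The contrast above, as an added Python example that is not part of the
advisory and not FW-1's code: naive_strip() is an illustrative
reconstruction of a filter that reads a "tag name" up to the next
whitespace, so '<<SCRIPT' never matches and the bypass page passes
through unchanged (an assumption about how the defeated filter
tokenised, since the advisory does not say); browser_aware_strip()
instead applies the recovery rule browsers use (now written down as the
HTML tokenizer's "tag open state": a '<' not followed by a letter, '/',
'!' or '?' is emitted as text and the next character is re-examined),
so it sees the same script element the browser would and removes it,
body included. BYPASS_DOC is the advisory's page as a constructed
string.

```python
import re
import string

# Constructed sample: the bypass page from the advisory, as a Python string.
BYPASS_DOC = (
    '<HTML>\n<HEAD>\n'
    '<<SCRIPT LANGUAGE="JavaScript">\nalert("hello world")\n</SCRIPT>\n'
    '</HEAD>\n<BODY>\ntest\n</BODY>\n</HTML>\n'
)

# Case-insensitive </SCRIPT> end tag (optional whitespace before '>').
_SCRIPT_END = re.compile(r'</script\s*>', re.I)


def naive_strip(html: str) -> str:
    """Filter of the kind the bypass defeats (illustrative reconstruction,
    not FW-1's real implementation).

    On '<' it reads a "tag name" up to the next whitespace or '>', and only
    a name that is exactly SCRIPT triggers removal of the element. With
    '<<SCRIPT ...>' the name it extracts is '<SCRIPT', so nothing matches
    and the page passes through unchanged, as reported for FW-1 3.0.
    """
    out, i, n = [], 0, len(html)
    while i < n:
        if html[i] != '<':
            out.append(html[i])
            i += 1
            continue
        j = i + 1
        while j < n and html[j] not in ' \t\r\n>':
            j += 1
        if html[i + 1:j].upper() == 'SCRIPT':
            # Drop the element body up to and including </SCRIPT>.
            end = _SCRIPT_END.search(html, j)
            i = end.end() if end else n
            continue
        out.append(html[i:j])
        i = j
    return ''.join(out)


def browser_aware_strip(html: str) -> str:
    """Tokenise the way browsers recover from broken markup, then strip.

    Tag open state: a '<' that is not followed by an ASCII letter, '/',
    '!' or '?' is emitted as literal text and the next character is
    re-examined. That turns '<<SCRIPT' into the text '<' plus a genuine
    <SCRIPT> tag, which is what Navigator and Explorer executed. The tag
    name is the run of ASCII letters after '<' (or '</'), so
    '<SCRIPT LANGUAGE=...>' and '<script>' look the same here.
    """
    out, i, n = [], 0, len(html)
    while i < n:
        c = html[i]
        if c != '<':
            out.append(c)
            i += 1
            continue
        nxt = html[i + 1] if i + 1 < n else ''
        if not (nxt and (nxt in string.ascii_letters or nxt in '/!?')):
            out.append('<')          # stray '<' is data, not a tag
            i += 1
            continue
        if html.startswith('<!--', i):
            # Comment contents are inert in a browser; copy them through.
            end = html.find('-->', i + 4)
            end = n if end < 0 else end + 3
            out.append(html[i:end])
            i = end
            continue
        closing = nxt == '/'
        j = i + 2 if closing else i + 1
        k = j
        while k < n and html[k] in string.ascii_letters:
            k += 1
        name = html[j:k].lower()
        if name == 'script' and not closing:
            # Remove the whole element; an unterminated script runs to EOF
            # in a browser, so drop the rest of the document in that case.
            end = _SCRIPT_END.search(html, k)
            i = end.end() if end else n
            continue
        # Any other tag (including an orphan </script>, which browsers
        # ignore): copy it through up to its closing '>'.
        gt = html.find('>', i)
        end = n if gt < 0 else gt + 1
        out.append(html[i:end])
        i = end
    return ''.join(out)


if __name__ == '__main__':
    print('naive filter bypassed:', naive_strip(BYPASS_DOC) == BYPASS_DOC)
    print(repr(browser_aware_strip(BYPASS_DOC)))
```

The point of the second function is not that it is a complete HTML
parser (it is not; attribute values and CDATA-style content are not
modelled) but that the filter's tokeniser has to make the same decision
the browser makes at every '<'. Any place where the two disagree is a
bypass, whichever of them is "right" about the REC.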
SOLUTION
This was tested on FW-1 version 4.0 SP4, on NT4, and it strips
the code as it's supposed to do. That is,
<<SCRIPT LANGUAGE="JavaScript">
is altered into
<<SCRIP! LANGUAGE="JavaScript">
which browsers will disregard. It's a bit silly that the
alert("hello world") isn't cut away, though: the filter neutralises
the tag but leaves the script body in place as text, so "< alert("hello
world") test" is what your page looks like in web browsers.
This is also not an issue in FireWall-1 4.0 SP5. It apparently
has been fixed sometime between the 4.5-year-old version he was
using and the current release.