Firewall-1 includes the ability to alter script tags in HTML pages before passing them to the client's browser. This alteration invalidates the tag, rendering the script unexecutable by the browser. In version 3, this function can be bypassed by adding an extra opening angle bracket. The tag will be left unmodified, and the browser will be able to execute the contained script. Hostile script could lead to a remote compromise of the client system.
Firewall-1 version 4 will alter the tag as expected.
alert("<<script> tag succesfully passed!")
Click <A HREF="/vdb/bottom.html?section=exploit&vid=954">here</A> to return to vulnerability listing.
Check Point FireWall-1 contains a flaw that allows a remote attacker to use malformed script tags that will bypass the firewall filter. The issue is due to Firewall-1 not properly recognizing certain malformed script tags and acting on them. Rather than block the traffic as it should, the firewall passes it.
Upgrade to version 4.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.