From: Alexander K. Yezhov (adminleader.ru)
Date: Thu Mar 28 2002 - 18:43:14 CST

    Hello bugtraq,

      Title: Bypassing JavaScript filters
      Service: Anonymizer, similar services

      Description:

      Anonymizer offers free and commercial services that allow users to
      browse the web safely. Since JavaScript can be dangerous, all script
      blocks and events are cut from the HTML.

      Problem N1:

      The problem is that not all events are under control. Some MSIE
      events can bypass the filters and let a remote server get the real
      IP of the client without notice (if the window is framed, the "anon"
      prefix will stay in the URL).

      Example:

      http://anon.free.anonymizer.com/http://tools-on.net/you.shtml

      Test N1 uses the onbeforeunload event, initiated with a meta refresh
      tag. You can also embed JavaScript into the MARQUEE onbounce event
      (if the behavior is set to ALTERNATE).

      Problem N2:

      If an image source points to "mailto:" and the page is loaded with
      Anonymizer, the "src" will be prefixed and an Error event will occur.
      That also lets a remote server get the real IP of the client without
      notice. To avoid loading the e-mail client when the page is browsed
      without Anonymizer, a lot of tricks can be used.

      Example:

      http://anon.free.anonymizer.com/http://tools-on.net/you.shtml

      Test N2 uses <img src="mailto:a" height=1 width=1 onError=""> code
      to redirect the visitor.

      Tested on:

      Free service, Commercial service.

      Problem status:
      
      Anonymizer has been contacted and patched already - MSIE events
      aren't working any more. I believe img problem will be fixed by the
      time this message is published.

    Best regards, Alexander

    -----------------------------------------------------------------------
             MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
      http://leader.ru http://tools-on.net (Security & Privacy on the Net)
    -----------------------------------------------------------------------
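
Added example, not part of the original post and not Anonymizer's code: a rewriting filter that contrasts the two weaknesses described above with a stricter policy, dropping every on* attribute instead of an enumerated list and refusing to prefix non-HTTP schemes such as mailto:. PROXY, BLOCKLIST, Rewriter, sanitize and SAMPLE are hypothetical names, and the sample markup is constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

PROXY = "http://anon.example/"                    # hypothetical proxy prefix
URL_ATTRS = {"src", "href", "action", "background"}
BLOCKLIST = {"onclick", "onload", "onmouseover"}  # constructed enumerated list

class Rewriter(HTMLParser):
    def __init__(self, base, strict):
        super().__init__()
        self.base, self.strict, self.out, self.in_script = base, strict, [], False
    def rewrite_url(self, value):
        url = urljoin(self.base, value.strip())
        if urlsplit(url).scheme.lower() in ("http", "https"):
            return PROXY + url
        # A prefixed non-HTTP scheme (mailto:) fails to load and fires onerror.
        return None if self.strict else PROXY + value
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if (name.startswith("on") if self.strict else name in BLOCKLIST):
                continue                          # event-handler attribute
            if name in URL_ATTRS:
                value = self.rewrite_url(value)
            if value is not None:
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))

def sanitize(html, base, strict=True):
    parser = Rewriter(base, strict)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

SAMPLE = ('<body onbeforeunload="f()"><marquee behavior="alternate" onbounce="f()">'
          'x</marquee><img src="mailto:a" height=1 width=1 onError="f()"></body>')
```

Calling sanitize(SAMPLE, base, strict=False) keeps all three handlers and emits a prefixed mailto: src; the default strict mode removes them.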