|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Alexander K. Yezhov (admin
leader.ru)Date: Mon Apr 01 2002 - 13:37:49 CST
Hello bugtraq,
Title: Bypassing JavaScript filters
Service: Anonymizer, maybe similar services
Description:
Anonymizer offers free and commercial services that allow to browse
web safely. Since JavaScript can be dangerous, all script blocks and
events are cut from html.
Problem N3:
Maybe you remember the problem I've reported in 2001 - JavaScript
code could be executed after parsing the html by Anonymizer. The
same principle of "JavaScript inside JavaScript" gave me the working
example of redirecting Anonymizer users recently.
Demo is available as Test N3 at
http://anon.free.anonymizer.com/http://tools-on.net/you.shtml
The part of the code before parsing:
onLoad="onLoad="document.cookie='rw=; expires=Thu, 01-Jan-1970
onLoad="location='unprotected_location';"
The same code after parsing:
onLoad="location='unprotected_location';"
Errors generated for visitors without Anonymizer are suppressed by
window.onError handler.
Problem status:
Anonymizer has been contacted and patched already.
Best regards, Alexander
-----------------------------------------------------------------------
MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
http://leader.ru http://tools-on.net (Security & Privacy on the Net)
-----------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]