Anonymized ? Not yet. - Part II

From: Alexander K. Yezhov (adminat_private)
Date: Thu Jun 14 2001 - 10:04:04 PDT

    Dear bugtraq readers,
    
    The JavaScript code posted before raised a lot of questions. Below
    you'll find some answers.
    
    Q: Does the page have to get a visitor to click a link for the script
    to run?
    
    A: The script can be started like any other script (just insert it into
    the HTML and that's all). It doesn't require any interaction with
    visitors. On my Tools-On.Net site the click just leads you to one of
    the tools that displays the information about the visitor (to make the
    demonstration more complete).
    
    Q: How does it work? Is alert() safe?
    
    A: Alert() is safe. But the code can include any other instruction as
    well. The JavaScript on the demo page just checks if the URL is
    "chained" and then changes document.location to the same page but
    without anonymizing. NOTE: the verification is needed only because the
    location will be changed to the _same_ page. This step (checking
    current document.location) can be skipped if the site redirects the user
    to a different page.
    
    Q: Does SafeWEB.com have the same issues?
    
    A: I had a look at SafeWeb today. Since it uses a different approach to
    isolate dangerous JavaScript instructions, the demo code won't work.
    SafeWeb doesn't let the script verify if the URL is chained and
    correctly intercepts any attempts to change document.location or issue
    the location.replace function. But the answer is ... "yes". To let the
    demo script verify the original URL we'll have to override the
    fugunet_fixloc function. Then, to redirect the current frame to an unsecure
    location we can use the "assign" method.
    
    The current "redirect" demo is available at:
    
    http://tools-on.net/privacy.shtml
    
    (click on the "Go" button below "Holmes/Who" and look at the report)
    
    You can also use a direct (temp.) link to the "Who" tool:
    
    http://tools-on.net/privacy.shtml?o=who&t=4557701001675&
    
    
    The demo works for Anonymizer as well as for SafeWeb.
    
    Best regards, Alexander
    
    ----------------------------------------------------------------------
                                MCP+I, MCSE
           http://Tools-On.Net - Free tools for connected people.
                 http://Leader.Ru - Leader's Smart Guide.
    ----------------------------------------------------------------------
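
Added example, not part of the original message or of any product it mentions: a coverage check a rewriting proxy's maintainers could run over page scripts to list JavaScript navigation sinks that are not on the proxy's interception list. The sink names, the regex matching and the sample scripts are assumptions made for illustration; the coverage list mirrors what the message describes for SafeWeb.

```javascript
// Added example, not code from the original post.
// Sink names and the regex approach are assumptions made for illustration;
// a production rewriter would match on a parsed syntax tree, not on text.
const SINKS = [
  { name: "location assignment", re: /\blocation(?:\.href)?\s*=(?!=)/ },
  { name: "location.replace()", re: /\blocation\.replace\s*\(/ },
  { name: "location.assign()", re: /\blocation\.assign\s*\(/ },
];

// Return the names of all navigation sinks present in a script source.
function findSinks(source) {
  return SINKS.filter((s) => s.re.test(source)).map((s) => s.name);
}

// Return sinks that appear in the script but are not on the proxy's
// interception list, i.e. navigations that would leave the proxy unrewritten.
function uncoveredSinks(source, intercepted) {
  return findSinks(source).filter((name) => !intercepted.includes(name));
}

// Interception coverage as the post describes it for SafeWeb.
const DESCRIBED_COVERAGE = ["location assignment", "location.replace()"];

// Constructed sample scripts (not taken from the demo page).
const SAMPLES = {
  assignment: "document.location = target;",
  replace: "location.replace(target);",
  assign: "document.location.assign(target);",
  comparison: "if (document.location == target) { done(); }",
};

// Report, per sample, which sinks the described coverage would miss.
for (const [label, src] of Object.entries(SAMPLES)) {
  const missed = uncoveredSinks(src, DESCRIBED_COVERAGE);
  const verdict = missed.length
    ? "NOT intercepted: " + missed.join(", ")
    : "covered or no sink";
  console.log(label + " -> " + verdict);
}
```

Every name returned by `uncoveredSinks` is a navigation path the rewriter still needs to wrap before the page's scripts can be considered contained.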
    


