Anonymizer, MSIE, images ...

From: Alexander K. Yezhov (adminat_private)
Date: Thu Mar 28 2002 - 16:43:14 PST


    Hello bugtraq,
    
      Title: Bypassing JavaScript filters
      Service: Anonymizer, similar services
    
      Description:
    
      Anonymizer offers free and commercial services that allow browsing
      the web safely. Since JavaScript can be dangerous, all script blocks
      and events are cut from HTML.
    
      Problem N1:
    
      The problem is that not all events are under control. Some MSIE
      events can bypass the filters and let a remote server get the real
      IP of the client without notice (if the window is framed, the "anon"
      prefix will stay in the URL).
    
      Example:
    
      http://anon.free.anonymizer.com/http://tools-on.net/you.shtml
    
      Test N1 uses the onbeforeunload event, which is initiated with a
      meta refresh tag. You can also embed JavaScript into the MARQUEE
      onbounce event (if the behavior is set to ALTERNATE).
    
      Problem N2:
    
      If an image source points to "mailto:" and the page is loaded with
      Anonymizer, the "src" will be prefixed and an Error event will occur.
      That also lets a remote server get the real IP of the client without
      notice. To avoid loading the e-mail client when the page is browsed
      without Anonymizer, a lot of tricks can be used.
    
      Example:
    
      http://anon.free.anonymizer.com/http://tools-on.net/you.shtml
    
      Test N2 uses <img src="mailto:a" height=1 width=1 onError=""> code
      to redirect the visitor.
    
      Tested on:
    
      Free service, Commercial service.
    
      Problem status:
      
      Anonymizer has been contacted and patched already - MSIE events
      aren't working any more. I believe the img problem will be fixed by
      the time this message is published.
    
    Best regards, Alexander
    
    -----------------------------------------------------------------------
             MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
      http://leader.ru http://tools-on.net (Security & Privacy on the Net)
    -----------------------------------------------------------------------
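
The filtering gap described in the message above, shown from the filter's side as an added example (not part of the original post and not Anonymizer's code): a rewriting filter that strips only a fixed list of event attributes and prefixes every URL, next to one that strips every on* attribute and rewrites only http(s) URLs. BLOCKLIST, PROXY_PREFIX, the Sanitizer class and the h() handler are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCKLIST = {"onclick", "onload", "onmouseover"}  # constructed: a filter that knows only some events
URL_ATTRS = {"src", "href", "background", "action"}
PROXY_PREFIX = "http://proxy.example/"  # hypothetical rewriting prefix

class Sanitizer(HTMLParser):
    """Re-emit HTML without script blocks; strict=True uses allowlist rules."""
    def __init__(self, strict):
        super().__init__(convert_charrefs=True)
        self.strict, self.out, self.in_script = strict, [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            return
        kept = []
        for name, value in attrs:  # HTMLParser lowercases names: onError -> onerror
            value = value or ""
            is_event = name.startswith("on") if self.strict else name in BLOCKLIST
            if is_event:
                continue
            if name in URL_ATTRS:
                scheme = urlsplit(value.strip()).scheme.lower()
                # Strict: rewrite only absolute http(s) URLs; drop mailto:, javascript:, etc.
                # (relative URLs would need resolving against the page URL first).
                if self.strict and scheme not in ("http", "https"):
                    continue
                value = PROXY_PREFIX + value
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data))

def sanitize(html_text, strict):
    parser = Sanitizer(strict)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)

# Constructed sample carrying the three constructs named in the advisory; h() is a placeholder.
SAMPLE = ('<body onbeforeunload="h()"><marquee behavior="alternate" onbounce="h()">x</marquee>'
          '<img src="mailto:a" height=1 width=1 onError="h()"></body>')
```

With strict=False the sample keeps all three handlers and the image source becomes the prefixed mailto: URL that triggers the Error event; with strict=True none of them survive.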
    


