[NEWS] Privacy Exposure by Bypassing the HTTP Proxy
From: support@securiteam.com
Date: 02/15/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 15 Feb 2002 20:24:26 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Privacy Exposure by Bypassing the HTTP Proxy
------------------------------------------------------------------------
SUMMARY
Most web anonymizers rely on open HTTP proxies or chains of proxies to
protect users' privacy. However, due to certain features of Internet
Explorer (and other browsers), it is possible to cause the "anonymized"
browser to reveal its true IP address to disreputable sites.
DETAILS
A simple combination of a JavaScript OnLoad handler and a telnet:// URL
will cause a telnet session to start up, which bypasses all HTTP
proxies, since the browser hands the URL to an external telnet client.
Even if JavaScript is filtered or disabled, a tag such as:
<a href=telnet://server:53 target=_new>
will have the same effect.
Obviously, in cases where outbound traffic is filtered this privacy
exposure will not succeed.
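A content-filter check a proxy operator could run over fetched pages to flag links and inline handlers that would leave the proxy, as an added example for this advisory (not SecuriTeam's or the reporter's code). The set of proxied schemes, the attribute names and the sample HTML are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes a proxy-only egress policy routes through the proxy; anything
# else (telnet, news, ...) the browser hands to an external helper program.
PROXIED_SCHEMES = {"http", "https", "ftp", ""}  # "" covers relative URLs
SCHEME_RE = re.compile(r"\b([a-z][a-z0-9+.-]*)://", re.IGNORECASE)


class BypassLinkFinder(HTMLParser):
    """Collect (location, scheme) pairs for URLs that would leave the proxy."""

    URL_ATTRS = {"href", "src", "action", "data"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def _check(self, where, scheme):
        if scheme.lower() not in PROXIED_SCHEMES:
            self.findings.append((where, scheme.lower()))

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in self.URL_ATTRS:
                self._check(f"{tag}[{name}]", urlsplit(value.strip()).scheme)
            elif name.startswith("on"):
                # inline handlers, e.g. onload="window.open('telnet://...')"
                for scheme in SCHEME_RE.findall(value):
                    self._check(f"{tag}[{name}]", scheme)


def find_proxy_bypass_links(html):
    """Return every (location, scheme) in `html` that bypasses an HTTP proxy."""
    parser = BypassLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page showing both variants from the advisory.
SAMPLE = """<html><body onload="window.open('telnet://server:53')">
<a href="http://example.invalid/ok">normal link</a>
<a href=telnet://server:53 target=_new>probe</a></body></html>"""

if __name__ == "__main__":
    for where, scheme in find_proxy_bypass_links(SAMPLE):
        print(f"proxy bypass: {scheme}:// in {where}")
```

The check only covers markup the proxy can see; egress filtering of non-proxied ports remains the actual control, as the advisory notes.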
Demonstration:
A non-malicious example has been set up at:
http://www.interrorem.com/adventure
This is not a new vulnerability, but a caveat: most people seem to have
forgotten this possible form of intrusion. Oddly enough, this is intended
behaviour, and it should serve as a reminder that you can only rely on
places you already trust to respect your privacy, in which case you should
not need to take measures to ensure your privacy is respected.
ADDITIONAL INFORMATION
The information has been provided by Russ Spooner (labrat@interrorem.com).