[NEWS] Anonymizer and MSIE Make Up a Bad Combination

From: support@securiteam.com
Date: 03/31/02


From: support@securiteam.com
To: list@securiteam.com
Date: Sun, 31 Mar 2002 15:13:57 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Anonymizer and MSIE Make Up a Bad Combination
------------------------------------------------------------------------

SUMMARY

Anonymizer offers a free and a commercial service that allows browsing the
web safely. Since JavaScript can be dangerous, all script blocks and
event handlers are stripped from the HTML. However, multiple problems have
been found in the way certain pieces of code are handled when they appear
inside elements such as images, allowing them to bypass the current
filtering techniques.

DETAILS

Problem #1:
Some MSIE events can bypass the filters and let a remote server obtain the
client's real IP address without notice (if the window is framed, the "anon"
prefix will stay in the URL).

Example:
http://anon.free.anonymizer.com/http://tools-on.net/you.shtml

Test #1 uses the onBeforeUnload event, which is triggered by a META refresh
tag. JavaScript can also be embedded in the MARQUEE onBounce event (if the
behavior is set to ALTERNATE).

Problem #2:
If an image source points to "mailto:" and the page is loaded through
Anonymizer, the "SRC" will be prefixed and an Error event will occur. This
also lets a remote server obtain the client's real IP address without
notice. Many tricks can be used to avoid loading the e-mail client when the
page is browsed without Anonymizer.

Example:
http://anon.free.anonymizer.com/http://tools-on.net/you.shtml

Test #2 uses <img src="mailto:a" height=1 width=1 onError=""> code to
redirect the visitor.

Problem status:
Anonymizer has been contacted and has already patched the event issue: the
MSIE events no longer work. The Image vulnerability should have been patched
by the time this advisory is released.
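The two problems above share one root cause: the proxy filtered a fixed list of
known script locations, so an event attribute it had never heard of
(onBeforeUnload, onBounce, onError) and a URL scheme it did not expect
("mailto:") passed straight through. The example below is added here and is
not code from the advisory or from Anonymizer; it models that class of filter
in Python and contrasts a denylist of known event names with the allowlist
rule that would have closed both holes: drop every attribute whose name begins
with "on", and drop every URL attribute whose scheme is not http(s). The
KNOWN_EVENTS set and the SAMPLE page are constructed for the demonstration;
the <img> line in SAMPLE is the one quoted in Test #2 above.

```python
"""Denylist vs. allowlist filtering of JavaScript hooks in proxied HTML.

Added example, not part of the SecuriTeam advisory or of Anonymizer's code.
A denylist of known event names misses the events the advisory names
(onBeforeUnload, onBounce, onError); an allowlist rule that drops every
"on*" attribute and every non-http(s) URL also removes the "mailto:" image
source that provoked the Error event.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed: the sort of fixed event list an early filter might have used.
KNOWN_EVENTS = {"onclick", "onload", "onmouseover", "onmouseout", "onsubmit"}
# Attributes that carry URLs and therefore need a scheme check.
URL_ATTRS = {"src", "href", "lowsrc", "background"}
ALLOWED_SCHEMES = {"http", "https", ""}  # "" is a relative URL


def flag_attr(name, value):
    """Allowlist rule: return why an attribute is unsafe, or None if it is fine."""
    name = name.lower()
    if name.startswith("on"):                      # any event handler at all
        return name
    if name in URL_ATTRS:
        scheme = urlsplit((value or "").strip()).scheme.lower()
        if scheme not in ALLOWED_SCHEMES:          # mailto:, javascript:, ...
            return f"{name}={value}"
    return None


class Sanitizer(HTMLParser):
    """Re-serialise HTML without <script> content, comments or filtered attributes."""

    def __init__(self, strict):
        super().__init__(convert_charrefs=False)
        self.strict = strict      # True: allowlist rule; False: KNOWN_EVENTS denylist
        self.out = []
        self.in_script = 0

    def _keep(self, name, value):
        if self.strict:
            return flag_attr(name, value) is None
        return name.lower() not in KNOWN_EVENTS

    def _emit_tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if self._keep(name, value):
                parts.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join(parts) + (" />" if self_closing else ">"))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
        else:
            self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        if tag != "script":
            self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = max(0, self.in_script - 1)
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.in_script:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.in_script:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments are dropped rather than inspected


def sanitize(markup, strict):
    p = Sanitizer(strict)
    p.feed(markup)
    p.close()
    return "".join(p.out)


def leftover_hooks(markup):
    """List every attribute in `markup` that the allowlist rule would still flag."""
    found = []

    class Probe(HTMLParser):
        def handle_starttag(self, tag, attrs):
            for name, value in attrs:
                reason = flag_attr(name, value)
                if reason:
                    found.append(reason)
        handle_startendtag = handle_starttag

    Probe().feed(markup)
    return found


# Constructed test page: the <img> line is the one quoted in the advisory, the
# other hooks are the events it names, plus one (onClick) the denylist does catch.
SAMPLE = (
    '<body onBeforeUnload="f()">'
    '<script>f()</script>'
    '<marquee behavior="alternate" onBounce="f()">hi</marquee>'
    '<img src="mailto:a" height=1 width=1 onError="">'
    '<a href="http://example.invalid/" onClick="f()">x</a>'
    '</body>'
)

if __name__ == "__main__":
    print("denylist leaves: ", leftover_hooks(sanitize(SAMPLE, strict=False)))
    print("allowlist leaves:", leftover_hooks(sanitize(SAMPLE, strict=True)))
```

Run stand-alone, the denylist pass reports the four hooks the advisory
exploited still present (onbeforeunload, onbounce, the mailto: src and
onerror) while the allowlist pass reports none. The lesson for anyone
building such a proxy is the one the advisory illustrates: the browser's set
of event attributes and URL schemes is not something the filter can
enumerate, so the filter has to state what it permits rather than what it
forbids.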

ADDITIONAL INFORMATION

The information has been provided by Alexander K. Yezhov
<mailto:admin@leader.ru>.

========================================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.