Anonymiser.com might reveal your IP

From: Klaxon (klaxon@netcabo.pt)
Date: 11/27/01


Date: Tue, 27 Nov 2001 14:55:11 +0000
From: Klaxon <klaxon@netcabo.pt>
To: Bugtraq <bugtraq@securityfocus.com>
Subject: Anonymiser.com might reveal your IP
Message-ID: <20011127145511.D3085@endovellico.netcabo.pt>


  Hello, if this has been discussed in the past just tell me to sod off.
  While playing with proxy configurations for a machine at home I came
 across a questionable behaviour from www.anonymiser.com. I stuck netcat
 on port 80 of this machine and then surfed back to it through Anonymiser.
 I know there's a transparent proxy on my ISP and apparently it attaches
 a "Client-ip: x.x.x.x" field to all http requests. What's fun is that
 Anonymiser happily copies this field to its own http request. Actually
 it will pass along any field sent with your request, which makes sense
 for "Accept-..." stuff but is obviously a bad idea for anything else.

-------------------------------------
[~]# nc -l -p 80

GET / HTTP/1.0
Host: foo.bar.com
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, image/png, image/jpeg, image/gif;q=0.2, text/plain;q=0.8, text/css, */*;q=0.1
Accept-Charset: iso-8859-1, utf-8;q=0.66, *;q=0.66
Accept-Encoding: identity
User-Agent: Mozilla/4.78 (TuringOS; Turing Machine; 0.0)
Client-ip: X.X.X.X <------------ BOOM!
Via: HTTP/1.1 proxy-02[XXXXXXX] (Traffic-Server/3.5.7 [XXXXXXXX])
-------------------------------------

  So beware if you trust this service and there's an unknown proxy
 somewhere along the wire. Please note this experience was with
 Anonymiser.com's free service. I would like to know if anyone paying
 for it can confirm this.
  To try it: launch netcat on your port 80 (nc -l -p 80), telnet to
 www.anonymiser.com on port 80 and request your address:

[~]$ telnet www.anonymiser.com 80
Trying 168.143.112.10...
Connected to www.anonymiser.com.
Escape character is '^]'.
GET http://your.ip.goes.here HTTP/1.0
Foo-bar: it hurts

 Netcat should spit this:

[~]# nc -l -p 80
GET / HTTP/1.0
Host: your.ip.goes.here
Foo-bar: it hurts
Connection: Keep-Alive

 If Foo-bar is there so can a Client-ip be.

-- 
EOF
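
The mitigation this report points at, as an added example (not part of the original post and not Anonymiser.com's code): the proxy forwards only headers on an explicit allowlist, so a Client-ip or Via field injected by an upstream transparent proxy never reaches the destination. The allowlist contents, the function names and the sample request (with documentation address 192.0.2.7) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: only content-negotiation headers are forwarded; all others are dropped.
FORWARD_ALLOWLIST = {"accept", "accept-charset", "accept-encoding", "accept-language"}

# Constructed sample: the request as it reaches the anonymising proxy after an
# ISP transparent proxy has appended Client-ip and Via.
SAMPLE = (b"GET http://your.ip.goes.here HTTP/1.0\r\n"
          b"Accept-Encoding: identity\r\n"
          b"User-Agent: Mozilla/4.78 (TuringOS; Turing Machine; 0.0)\r\n"
          b"Client-ip: 192.0.2.7\r\n"
          b"Via: HTTP/1.1 proxy-02\r\n"
          b"Foo-bar: it hurts\r\n\r\n")

def parse_request(raw):
    """Return (request_line, [(name, value), ...]) from a raw HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and headers:
            # Folded continuation: belongs to the previous header, kept or dropped with it.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep and name and name.strip() == name:
            headers.append((name, value.strip()))
        # Lines without a colon or with whitespace in the name are discarded.
    return lines[0], headers

def filter_headers(headers, allowlist=FORWARD_ALLOWLIST):
    """Split headers into (kept, dropped); names are matched case-insensitively."""
    kept, dropped = [], []
    for name, value in headers:
        (kept if name.lower() in allowlist else dropped).append((name, value))
    return kept, dropped

def build_upstream_request(raw):
    """Rebuild the request sent to the destination using allowlisted headers only."""
    request_line, headers = parse_request(raw)
    method, target, version = request_line.split(" ", 2)
    url = urlsplit(target)
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    kept, _ = filter_headers(headers)
    out = [f"{method} {path} {version}", f"Host: {url.netloc}"]
    out += [f"{name}: {value}" for name, value in kept]
    return ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1")
```

Run against SAMPLE, the rebuilt request carries only the request line, Host and Accept-Encoding; a denylist that named Client-ip alone would still have let Via and Foo-bar through.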


