Anonymizer, MSIE, images ...

From: Alexander K. Yezhov (admin@leader.ru)
Date: 03/29/02


Date: Fri, 29 Mar 2002 03:43:14 +0300
From: "Alexander K. Yezhov" <admin@leader.ru>
To: bugtraq@securityfocus.com

Hello bugtraq,

  Title: Bypassing JavaScript filters
  Service: Anonymizer, similar services

  Description:

  Anonymizer offers free and commercial services that allow users to
  browse the web safely. Since JavaScript can be dangerous, all script
  blocks and events are cut from the HTML.

  Problem N1:

  The problem is that not all events are under control. Some MSIE
  events can bypass the filters and let a remote server get the real IP
  of the client without notice (if the window is framed, the "anon"
  prefix will stay in the URL).

  Example:

  http://anon.free.anonymizer.com/http://tools-on.net/you.shtml

  Test N1 uses the onbeforeunload event, initiated with a meta refresh
  tag. You can also embed JavaScript into the MARQUEE onbounce event (if
  the behavior is set to ALTERNATE).

  Problem N2:

  If an image source points to "mailto:" and the page is loaded through
  Anonymizer, the "src" will be prefixed and an Error event will occur.
  That also lets a remote server get the real IP of the client without
  notice. To avoid loading the e-mail client when the page is browsed
  without Anonymizer, a lot of tricks can be used.

  Example:

  http://anon.free.anonymizer.com/http://tools-on.net/you.shtml

  Test N2 uses <img src="mailto:a" height=1 width=1 onError=""> code
  to redirect the visitor.

  Tested on:

  Free service, Commercial service.

  Problem status:
  
  Anonymizer has been contacted and has patched already - the MSIE
  events aren't working any more. I believe the img problem will be
  fixed by the time this message is published.

Best regards, Alexander

-----------------------------------------------------------------------
         MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
  http://leader.ru http://tools-on.net (Security & Privacy on the Net)
-----------------------------------------------------------------------
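The two problems reported above come down to one filtering mistake: stripping event handlers by name (a denylist that cannot know every MSIE event) and rewriting every src/href by prefixing it, whatever its scheme. The following is an added example, written for this page and not code from the original post or from Anonymizer, that models both a "naive" rewriting filter of that kind and a "hardened" one which drops every on* attribute regardless of name, drops a meta refresh, and refuses to proxy any URL whose scheme is not http(s). The proxy prefix is the one in the post's example URLs; the sample page, the handler names h1()..h5(), the denylist contents and all function names are constructed for the demonstration.

```python
"""Added example, not code from the original post or from Anonymizer.

Two toy versions of the HTML rewriting step a filtering proxy performs,
so the failure mode described in the post can be reproduced offline:
a "naive" filter that strips only event names it knows about and blindly
prefixes every src/href, and a "hardened" filter that drops *every* on*
attribute and refuses to proxy URLs whose scheme is not http(s).
All names and the sample document below are constructed."""

import html
import re
from html.parser import HTMLParser

# Proxy prefix as it appears in the post's example URLs.
PROXY_PREFIX = "http://anon.free.anonymizer.com/"

# A denylist of the kind a naive filter might carry (constructed). It misses
# onbeforeunload and onbounce, the two events the post reports as bypasses.
NAIVE_EVENT_DENYLIST = {"onload", "onunload", "onclick", "onmouseover", "onerror"}

URL_ATTRIBUTES = ("src", "href", "action")
_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:")


def url_is_proxyable(value):
    """True for relative URLs and absolute http(s) URLs, False for any other
    scheme (e.g. mailto:). Whitespace and control characters are stripped
    first because browsers ignore them when parsing a URL."""
    cleaned = re.sub(r"[\x00-\x20]", "", value or "")
    match = _SCHEME_RE.match(cleaned)
    if match is None:
        return True
    return match.group(0).lower() in ("http:", "https:")


class RewritingFilter(HTMLParser):
    """Rebuilds the document under the "naive" or "hardened" policy.
    Script blocks and HTML comments are dropped in both modes."""

    def __init__(self, mode):
        super().__init__()
        assert mode in ("naive", "hardened")
        self.mode = mode
        self.out = []
        self.dropped = []      # (tag, attribute) records for audit logging
        self._in_script = False

    def _keep_attr(self, name, value):
        if self.mode == "naive":
            return name not in NAIVE_EVENT_DENYLIST
        if name.startswith("on"):          # every event handler, known or not
            return False
        if name in URL_ATTRIBUTES and not url_is_proxyable(value):
            return False
        return True

    def _rewrite_url(self, name, value):
        if name not in URL_ATTRIBUTES or value is None:
            return value
        if self.mode == "naive":
            return PROXY_PREFIX + value    # blind prefixing, as the post describes
        # hardened: only absolute http(s) URLs are prefixed; relative URLs
        # already resolve through the proxied page
        return PROXY_PREFIX + value if _SCHEME_RE.match(value) else value

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.dropped.append((tag, None))
            return
        if self.mode == "hardened" and tag == "meta" and any(
            n == "http-equiv" and (v or "").strip().lower() == "refresh"
            for n, v in attrs
        ):
            self.dropped.append((tag, None))   # meta refresh drives Test N1
            return
        kept = []
        for name, value in attrs:              # HTMLParser lowercases names
            if not self._keep_attr(name, value):
                self.dropped.append((tag, name))
                continue
            kept.append((name, self._rewrite_url(name, value)))
        parts = [tag] + [
            n if v is None else '%s="%s"' % (n, html.escape(v, quote=True))
            for n, v in kept
        ]
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._in_script:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append(("comment", None))

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def filter_html(document, mode):
    """Return (rewritten_html, dropped_items) for the given policy."""
    parser = RewritingFilter(mode)
    parser.feed(document)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample page combining the three vectors named in the post.
SAMPLE_PAGE = (
    '<html><head><meta http-equiv="refresh" content="3;url=next.html"></head>'
    '<body onbeforeunload="h1()" onload="h2()">'
    '<marquee behavior="ALTERNATE" onbounce="h3()">text</marquee>'
    '<img src="mailto:a" height=1 width=1 onError="h4()">'
    '<img src="http://example.com/pic.gif">'
    '<script>h5()</script></body></html>'
)

if __name__ == "__main__":
    for mode in ("naive", "hardened"):
        rewritten, dropped = filter_html(SAMPLE_PAGE, mode)
        print(mode, "->", rewritten)
        print("   dropped:", dropped)
```

Running it shows the naive output still carrying onbeforeunload and onbounce and an image whose src has become the prefix followed by "mailto:a" (the broken URL whose load failure fires the error handler), while the hardened output has no event attributes, no meta refresh, and keeps only the http image, prefixed. The design point is the allowlist: a filter that must enumerate bad event names is always one browser release behind, whereas "drop anything beginning with on" and "proxy only http(s)" need no knowledge of the browser at all.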
