Anonymizer Anonymous Web Browsing Service Fails to Block Some Javascript, Allowing Javascript to Disclose the Anonymous User's Information
|
|
SecurityTracker Alert ID: 1001743 |
|
SecurityTracker URL: http://securitytracker.com/id/1001743
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 13 2001
|
Impact:
Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
|
Description:
A vulnerability has been reported in the Anonymizer.com anonymous web proxy service. The security hole allows Javascript to pass through the proxy service. Javascript applications embedded within a web page could disclose information about a user's true IP address, browsing software, operating system, and web plugins.
Anonymizer changes Javascript tags to comment them out so that they will not be executed by the browser. However, the proxy service does not properly process nested scripts. As a result, a valid script can be passed through the proxy.
For example, the following code can be passed through the proxy:
<!--
<script>//--->->
<script language=javascript>
alert('Hi! Still anonymized?');
//</script>
</script>
-->
After passing through the proxy, the code will appear as follows:
<!--
<!-- <anonymizer_disabled_SCRIPT >//-->
<script language=javascript>
alert('Hi! Still anonymized?');
//</anonymizer_disabled_SCRIPT> -->
</script>
-->
|
Impact:
Javascript contained within a web page can pass through the anonymizer service and execute on the user's browser, revealing non-anonymous information from the user's browser to the web server.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.anonymizer.com/ (Links to External Site)
|
Cause:
State error
|
Underlying OS:
|
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 13 Jun 2001 21:09:10 +0400
Subject: Anonymized ? Not yet.
|
Hello,
Anyone knows the Anonymizer service. It's a good tool that lets you
stay anonymous surfing the web (http://www.anonymizer.com). Moreover,
it blocks the JavaScript code placed on the web pages. The problem is
that it just comments scripts instead of cutting them out. On the one
hand it's good since you can look at the original JavaScript code if
you want. On the other hand this commenting has some disadvantages.
The text below applies to the free/trial version of Anonymizer service
(commercial version wasn't tested).
The problem: Anonymized web pages can use the JavaScript code that
will be executed even if commented by Anonymizer (site can silently
reload frame and get real visitor's IP for example).
The code: The code below won't give you any errors no matter if you're
loading the page with Anonymizer or without it (visible part can be
hidden using <font color>).
<!--
<script>//--->->
<script language=javascript>
alert('Hi! Still anonymized?');
//</script>
</script>
-->
Working example: You can try to load the "Privacy tools" pages at
Tools-On.Net via anonymizer, click on the "Go" button below
"Holmes/Who" and look at the report (compare results with JavaScript
enabled and disabled).
http://anon.free.anonymizer.com/http://tools-on.net/privacy.shtml
http://tools-on.net/privacy.shtml
Note: if you get a "re-enter" message on the site it means the session
id was lost and you really need to re-enter (this can happen if you're
using a cluster of proxy-servers for example).
Best regards, Alexander
----------------------------------------------------------------------
MCP+I, MCSE
http://Tools-On.Net - Free tools for connected people.
http://Leader.Ru - Leader's Smart Guide.
----------------------------------------------------------------------
|
|
