Bugtraq mailing list archives

Anonymizer, MSIE, images ...


From: "Alexander K. Yezhov" <admin () leader ru>
Date: Fri, 29 Mar 2002 03:43:14 +0300

Hello bugtraq,

  Title: Bypassing JavaScript filters
  Service: Anonymizer, similar services

  Description:

  Anonymizer offers free and commercial services that allow you to
  browse the web safely. Since JavaScript can be dangerous, all script
  blocks and events are cut from the HTML.

  Problem N1:

  The problem is that not all events are under control. Some MSIE
  events can bypass the filters and let a remote server get the real IP
  of the client without notice (if the window is framed, the "anon"
  prefix will stay in the URL).

  Example:

  http://anon.free.anonymizer.com/http://tools-on.net/you.shtml

  Test N1 uses the onbeforeunload event, initiated with a meta refresh
  tag. You can also embed JavaScript into the MARQUEE onbounce event
  (if the behavior is set to ALTERNATE).

  Problem N2:

  If an image source points to "mailto:" and the page is loaded with
  Anonymizer, the "src" will be prefixed and the Error event will occur.
  That also lets a remote server get the real IP of the client without
  notice. To avoid loading the e-mail client when the page is browsed
  without Anonymizer, a lot of tricks can be used.

  Example:

  http://anon.free.anonymizer.com/http://tools-on.net/you.shtml

  Test N2 uses <img src="mailto:a" height=1 width=1 onError=""> code
  to redirect the visitor.

  Tested on:

  Free service, Commercial service.

  Problem status:
  
  Anonymizer has been contacted and has patched already - MSIE events
  aren't working any more. I believe the img problem will be fixed by
  the time this message is published.

Best regards, Alexander

-----------------------------------------------------------------------
         MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
  http://leader.ru http://tools-on.net (Security & Privacy on the Net)
-----------------------------------------------------------------------
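
Added example (not part of the original post, and not Anonymizer's code): a rewriting filter that enumerates known event attributes, next to one that drops every on* attribute and refuses to proxy non-http(s) URLs, run over the tags named in Problems N1 and N2. The proxy prefix, the blocklist contents and the x() handler are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

PROXY = "http://proxy.example/"                   # hypothetical rewriting prefix
BLOCKLIST = {"onclick", "onload", "onmouseover"}  # constructed, incomplete list

class Rewriter(HTMLParser):
    def __init__(self, strict):
        super().__init__()
        self.strict, self.out, self.in_script = strict, [], False

    def keep(self, name, value):
        # Strict: any on* attribute goes. Weak: only the enumerated ones.
        if name.startswith("on") if self.strict else name in BLOCKLIST:
            return None
        if name in ("src", "href") and value is not None:
            # Strict: only absolute http(s) URLs are proxied; others are dropped.
            scheme = urlsplit(value.strip()).scheme.lower()
            if self.strict and scheme not in ("http", "https"):
                return None
            value = PROXY + value
        return name if value is None else f'{name}="{escape(value)}"'

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            return
        kept = [a for a in (self.keep(n, v) for n, v in attrs) if a]
        self.out.append("<" + " ".join([tag] + kept) + ">")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))

def rewrite(html, strict):
    parser = Rewriter(strict)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample built from the tags named in the post; x() is a placeholder.
SAMPLE = ('<body onbeforeunload="x()"><marquee behavior="alternate" onbounce="x()">'
          't</marquee><img src="mailto:a" height=1 width=1 onError="x()">'
          '<script>x()</script></body>')
```

rewrite(SAMPLE, False) leaves onbeforeunload, onbounce and onerror in place and prefixes the mailto: source; rewrite(SAMPLE, True) removes all three handlers and the unproxyable src.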

