Vulnerability Development mailing list archives

RE: Proxy bypass in Opera : security related ?

From: "Darren W. MacDonald" <darrydoo () sympatico ca>
Date: Wed, 5 Dec 2001 22:38:24 -0500

Poor browsers, confused into thinking that this is Intranet traffic
because  it's dotless... <sigh>

See MS KB Q306121 and MS Security Bulletin MS01-051 for details and a
patch for IE.

HTH
Darren

-----Original Message-----
From: maillist [mailto:maillist () go ro]
Sent: Wednesday, December 05, 2001 1:25 PM
To: vuln-dev () securityfocus com
Subject: Re: Proxy bypass in Opera : security related ?

Hi,
I don't know if that's a problem caused only by Opera, I found that

'bug'

surfing with IE (6.0) too.
Trying to acces diffrent web pages, some of them listed my real IP

address

insted of proxy address.
(e.g. trying to make an account at www.ifriends.com).
It might be a 'bug' in Opera/IE or a 'high security' web page.

----- Original Message -----
From: "Nicolas Gregoire" <ngregoire () exaprobe com>
To: <vuln-dev () securityfocus com>
Sent: Wednesday, December 05, 2001 11:22 AM
Subject: Proxy bypass in Opera : security related ?

Hi,

while I was trying to bypass some URL filtering software using

specially

formated URLs, I found a problem

in the Opera browser.

This bug was reported to Opera via their bug notification form, but

haven't receive any response so far.


Details :
======

When the URL http://3638218280/ is requested, Opera will try to

fetch to

page located at

http://216.218.206.40/ (normal DWord to IP address conversion [1])

*without* using the configured

proxy settings.

Scenario :
=========

I haven't any really interesting scenario for this bug.
Yes, it's possible to make a user follow a link and get a page

without

using the configured proxy, but if,

in a company, there's a proxy and a way to fetch web pages without

using

the proxy, the problem is,

in my opinion, a security policy problem ....


Does anybody see any security implication for this bug ?


Nicolas Grégoire [2]


[1] : http://www.fichtner.net/tools/ip2dword/
[2] : Please excuse my poor english

Current thread:

Proxy bypass in Opera : security related ? Nicolas Gregoire (Dec 05)
- Re: Proxy bypass in Opera : security related ? maillist (Dec 05)
  - RE: Proxy bypass in Opera : security related ? Darren W. MacDonald (Dec 05)
- Re: Proxy bypass in Opera : security related ? Valdis . Kletnieks (Dec 05)