[4584] in WWW Security List Archive


Re: Anonymizer / Web Spoof

daemon@ATHENA.MIT.EDU (NetSurfer)
Tue Feb 25 13:21:10 1997

From: "NetSurfer" <netsurf@pixi.com>
To: <www-security@ns2.rutgers.edu>, "Ammon" <ammon@ikx.org>
Date: Tue, 25 Feb 1997 05:56:37 -0000
Errors-To: owner-www-security@ns2.rutgers.edu


In the past I was able to demonstrate that the anonymizer did not fully
block access to environment variables by visiting a site running a PERL
script that emails the environment variables back to me.  I haven't tested
it in the last few weeks but did demonstrate this in the past.  I suspect
that this can't be blocked without modifying the web servers themselves. 
If you want to test it out and have me email you the results visit the page
at this site (http://www.pixi.com/~masonsgl/), scroll to the
bottom of the page, and use the form url to send mail to NetSurfer.  In the
comments include your email address and I'll forward the results to the
same.

----------
Yes, the anonymizer does use webspoofing to keep your identity hidden. The
paper was by the SIP team at Princeton. Their paper can be found at:
----------

#include <standard.disclaimer>
                    _   __     __  _____            ____
                   / | / /__  / /_/ ___/__  _______/ __/__  _____
                  /  |/ / _ \/ __/\__ \/ / / / ___/ /_/ _ \/ ___/
                 / /|  /  __/ /_ ___/ / /_/ / /  / __/  __/ /
================/_/=|_/\___/\__//____/\__,_/_/==/_/==\___/_/===============
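
Added example, not part of the original post and not the poster's script: a Python check that takes the environment a CGI script receives and lists the variables that still identify the client when the request came through a proxy. The variable names are the standard CGI ones; which of them any particular proxy forwards, the `proxy_addrs` parameter and the sample values are assumptions made for illustration.

```python
import ipaddress

# Standard CGI variables that can carry client-identifying data. Which ones a
# given proxy lets through is what the audit tests, not something assumed here.
IDENTIFYING = {
    "HTTP_FROM": "user e-mail address",
    "HTTP_REFERER": "previously visited URL",
    "HTTP_COOKIE": "persistent client state",
    "HTTP_USER_AGENT": "browser and OS fingerprint",
    "REMOTE_USER": "authenticated user name",
}
# Headers in which intermediaries commonly record the original client address.
FORWARDING = ("HTTP_X_FORWARDED_FOR", "HTTP_FORWARDED", "HTTP_VIA", "HTTP_CLIENT_IP")

# Constructed sample environment (documentation-range addresses, not real data).
SAMPLE_ENV = {
    "REMOTE_ADDR": "192.0.2.10",
    "HTTP_X_FORWARDED_FOR": "198.51.100.7, 192.0.2.10",
    "HTTP_USER_AGENT": "Mozilla/3.01 (X11; I; SunOS 5.5)",
    "HTTP_REFERER": "",
}


def extract_ips(value):
    """Return every token in a header value that parses as an IP address."""
    found = []
    for token in value.replace(",", " ").replace(";", " ").replace("=", " ").split():
        try:
            found.append(str(ipaddress.ip_address(token.strip('"[]'))))
        except ValueError:
            continue  # host names, version numbers, parameter names
    return found


def audit_cgi_env(env, proxy_addrs):
    """List (variable, reason) pairs for values that identify the client."""
    findings = []
    remote = env.get("REMOTE_ADDR", "")
    if remote and remote not in proxy_addrs:
        findings.append(("REMOTE_ADDR", f"connection came from {remote}, not the proxy"))
    for name in FORWARDING:
        for ip in extract_ips(env.get(name, "")):
            if ip not in proxy_addrs:
                findings.append((name, f"forwards client address {ip}"))
    for name, what in IDENTIFYING.items():
        if env.get(name):  # empty or absent values reveal nothing
            findings.append((name, f"exposes {what}"))
    return findings
```

Inside a real CGI script, pass `os.environ` as `env` and the proxy's known egress addresses as `proxy_addrs`.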


