[21022] in bugtraq
Anonymized ? Not yet. - Part II
daemon@ATHENA.MIT.EDU (Alexander K. Yezhov)
Thu Jun 14 16:16:33 2001
Date: Thu, 14 Jun 2001 21:04:04 +0400
From: "Alexander K. Yezhov" <admin@leader.ru>
Reply-To: "Alexander K. Yezhov" <admin@leader.ru>
Message-ID: <11812090294.20010614210404@leader.ru>
To: bugtraq@securityfocus.com
In-Reply-To: <20010613212303.15503.qmail@web13706.mail.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Dear bugtraq readers,

The JavaScript code posted before raised a lot of questions. Below
you'll find some answers.

Q: Does the page have to get a visitor to click a link for the script
to run?

A: The script can be started like any other script (just insert it into
the HTML and that's all). It doesn't require any interaction with
visitors. On my Tools-On.Net site the click just leads you to one of
the tools that displays the information about the visitor (to make the
demonstration more complete).

Q: How does it work? Is alert() safe?

A: Alert() is safe. But the code can include any other instruction as
well. The JavaScript on the demo page just checks if the URL is
"chained" and then changes document.location to the same page but
without anonymizing. NOTE: the verification is needed only because the
location will be changed to the _same_ page. This step (checking the
current document.location) can be skipped if the site redirects the user
to a different page.

Q: Does SafeWEB.com have the same issues?

A: I had a look at SafeWeb today. Since it uses a different approach to
isolate dangerous JavaScript instructions, the demo code won't work.
SafeWeb doesn't let the script verify if the URL is chained and
correctly intercepts any attempts to change document.location or issue
the location.replace function. But the answer is ... "yes". To let the
demo script verify the original URL we'll have to override the
fugunet_fixloc function. Then, to redirect the current frame to an
unsecure location we can use the "assign" method.

The current "redirect" demo is available at:
http://tools-on.net/privacy.shtml
(click on the "Go" button below "Holmes/Who" and look at the report)

You can also use a direct (temp.) link to the "Who" tool:
http://tools-on.net/privacy.shtml?o=who&t=4557701001675&

The demo works for Anonymizer as well as for SafeWeb.

Best regards, Alexander
----------------------------------------------------------------------
MCP+I, MCSE
http://Tools-On.Net - Free tools for connected people.
http://Leader.Ru - Leader's Smart Guide.
----------------------------------------------------------------------
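
Added example, not part of the original message and not code from Anonymizer or SafeWeb: a heuristic audit, from the rewriting proxy operator's side, of the navigation paths the message names (assignment to document.location, location.replace, the "assign" method, and redefinition of a proxy helper such as fugunet_fixloc). The function name auditScript, the sample scripts and the hostnames are constructed for illustration, and matching on source text is a triage aid for review, not a replacement for mediating these calls at run time.

```javascript
// Added example: flag page script that touches navigation sinks a rewriting
// proxy must mediate, or that redefines one of the proxy's own helpers.
const NAV_SINKS = [
  // location = ..., document.location = ..., location.href = ... (not == or ===)
  { name: "location assignment", re: /\blocation(?:\.href)?\s*=(?!=)/ },
  { name: "location.replace()", re: /\blocation\.replace\s*\(/ },
  { name: "location.assign()", re: /\blocation\.assign\s*\(/ },
];

// source: script text taken from the proxied page.
// proxyHelpers: names of functions the proxy injects (supplied by the caller).
function auditScript(source, proxyHelpers) {
  const findings = [];
  for (const sink of NAV_SINKS) {
    if (sink.re.test(source)) findings.push(sink.name);
  }
  for (const helper of proxyHelpers) {
    const esc = helper.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    // "function name(" or "name = ..." means the page replaces the helper.
    const redefine = new RegExp(`\\bfunction\\s+${esc}\\s*\\(|\\b${esc}\\s*=(?!=)`);
    if (redefine.test(source)) findings.push(`redefines proxy helper ${helper}`);
  }
  return findings;
}

// Constructed samples (hostnames and function bodies are placeholders).
const SAMPLE_ASSIGNMENT =
  'if (document.location.href.indexOf("proxy.example") != -1) {' +
  ' document.location = "http://site.example/page"; }';
const SAMPLE_OVERRIDE =
  'function fugunet_fixloc(u) { return u; }' +
  ' location.assign("http://site.example/page");';
const SAMPLE_BENIGN = 'var shown = 1; alert("hello");';

const HELPERS = ["fugunet_fixloc"]; // helper name taken from the message above
for (const s of [SAMPLE_ASSIGNMENT, SAMPLE_OVERRIDE, SAMPLE_BENIGN]) {
  console.log(JSON.stringify(auditScript(s, HELPERS)));
}
```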