Bypassing javascript filters - problem N3.
daemon@ATHENA.MIT.EDU (Alexander K. Yezhov)
Mon Apr 1 16:08:31 2002
Date: Mon, 1 Apr 2002 23:37:49 +0400
From: "Alexander K. Yezhov" <admin@leader.ru>
Reply-To: "Alexander K. Yezhov" <admin@leader.ru>
Message-ID: <3327287312.20020401233749@leader.ru>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hello bugtraq,
Title: Bypassing JavaScript filters
Service: Anonymizer, maybe similar services
Description:
Anonymizer offers free and commercial services that allow users to browse
the web safely. Since JavaScript can be dangerous, all script blocks and
event-handler attributes are cut from the HTML.
Problem N3:
Maybe you remember the problem I reported in 2001: JavaScript
code could be executed after the HTML had been parsed by Anonymizer. The
same principle of "JavaScript inside JavaScript" recently gave me a working
example of redirecting Anonymizer users.
Demo is available as Test N3 at
http://anon.free.anonymizer.com/http://tools-on.net/you.shtml
The part of the code before parsing:
onLoad="onLoad="document.cookie='rw=; expires=Thu, 01-Jan-1970
onLoad="location='unprotected_location';"
The same code after parsing:
onLoad="location='unprotected_location';"
Errors generated for visitors without Anonymizer are suppressed by a
window.onError handler.
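The weakness behind "JavaScript inside JavaScript" is that a filter which deletes a forbidden construct once is not idempotent: removing the outer copy can splice a fresh, valid handler together from what surrounded it. The following is an added illustration, not Anonymizer's code and not part of the original post. It uses a constructed toy filter (one deletion pass over forbidden handler names), a constructed nested input in the spirit of the onLoad example above, and two defensive fixes: re-applying the filter to a fixpoint, and rebuilding the markup with a parser and an attribute allowlist so that unknown attributes never reach the client at all.

```python
import html
import re
from html.parser import HTMLParser

# Constructed toy filter (assumption for illustration, not the real one):
# delete every forbidden event-handler name in a single pass.
FORBIDDEN = re.compile(r"on(load|error|click|mouseover)", re.IGNORECASE)

# What a browser would still recognise as an event attribute (name followed by '=').
HANDLER = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def strip_once(markup: str) -> str:
    """Single-pass deletion filter: non-idempotent, so nested payloads survive."""
    return FORBIDDEN.sub("", markup)


def strip_fixpoint(markup: str, max_rounds: int = 16) -> str:
    """Fix 1: re-apply the deletion until the output stops changing.

    A sanitizer must satisfy f(f(x)) == f(x); bounding the rounds and
    refusing input that does not converge avoids pathological cases.
    """
    for _ in range(max_rounds):
        cleaned = strip_once(markup)
        if cleaned == markup:
            return cleaned
        markup = cleaned
    raise ValueError("filter did not converge; refuse the input")


def has_event_handler(markup: str) -> bool:
    """Check used below to show what each filter leaves behind."""
    return HANDLER.search(markup) is not None


class AllowlistRewriter(HTMLParser):
    """Fix 2: tokenize with a real parser and keep only listed attributes.

    Deletion filters reason about text; the browser reasons about tokens.
    Rebuilding from tokens means an attribute name like 'ononloadload' is
    simply not in the allowlist and is dropped, whatever text tricks it uses.
    """

    ALLOWED = {"href", "src", "alt", "title", "class", "id"}

    def __init__(self) -> None:
        super().__init__()
        self.out: list[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        kept = " ".join(
            f'{name}="{html.escape(value, quote=True)}"'
            for name, value in attrs
            if name in self.ALLOWED and value is not None
        )
        self.out.append(f"<{tag}{' ' + kept if kept else ''}>")

    def handle_endtag(self, tag: str) -> None:
        self.out.append(f"</{tag}>")

    def handle_data(self, data: str) -> None:
        self.out.append(html.escape(data, quote=False))


def rewrite_allowlist(markup: str) -> str:
    parser = AllowlistRewriter()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed input: a handler nested inside a handler, so that one deletion
# of the outer 'onload' leaves a well-formed inner 'onload' behind.
NESTED = "<body ononloadload=\"location='unprotected_location';\">hi</body>"

if __name__ == "__main__":
    once = strip_once(NESTED)
    print("one pass  :", once, "| handler left:", has_event_handler(once))
    fixed = strip_fixpoint(NESTED)
    print("fixpoint  :", fixed, "| handler left:", has_event_handler(fixed))
    print("allowlist :", rewrite_allowlist(NESTED))
```

The single pass turns the nested attribute into a live `onload=` handler, which is exactly the "same code after parsing" effect described in the post; the fixpoint version removes it, and the parser-based rewrite never emits it in the first place. Of the two fixes, the allowlist rewrite is the one to prefer: it does not depend on guessing every spelling a filter must delete.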
Problem status:
Anonymizer has been contacted and patched already.
Best regards, Alexander
-----------------------------------------------------------------------
MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
http://leader.ru http://tools-on.net (Security & Privacy on the Net)
-----------------------------------------------------------------------