Release date: 12/15/2008
- All tested versions of Glype Proxy
- All tested versions of Zelune
- All tested versions of PHProxy
- All tested versions of CGIProxy
- All other types of web-proxy scripts are expected to be vulnerable
Web-proxies suffer from a weakness in their design resulting in a possible leak of the real IP address.
No web-proxy can be trusted to protect the own identity.
Web-proxies are a common and frequently used anonymity service. A web-proxy is based on a script (cgi,perl,php,...) running on a webserver.
Most web-proxies can be used free of charge, they are usually used to present advertisements to the user.
A web-proxy translates all links and sources of the target website and replaces them with new dynamic links at the web-proxy.
Successful exploitation of this vulnerability reveals the real IP-Address of the User who trust in the service to protect his identity.
Solving this single vulnerability within the script is unlikely to solve the design issue.
Proof of Concept
Web-proxy analyzer append &webproxy=1 on the URL to force webproxy detection