Webproxy anonymity weakness through dynamic javascript
Release date: 12/15/2008
Source: Cloakfish.com
Programs affected
- All tested versions of Glype Proxy
- All tested versions of Zelune
- All tested versions of PHProxy
- All tested versions of CGIProxy
- All other types of web-proxy scripts are expected to be vulnerable
Overview
Web-proxies suffer from a design weakness that can leak the user's real IP address.
No web-proxy can be trusted to protect one's own identity.
Description
Web-proxies are a common and frequently used anonymity service. A web-proxy is based on a script (CGI, Perl, PHP, ...) running on a webserver.
Most web-proxies can be used free of charge; they are usually financed by presenting advertisements to the user.
A web-proxy rewrites all links and sources of the target website, replacing them with new dynamic links pointing at the web-proxy.
All data transfers therefore pass through the web-proxy, but enabled JavaScript, which is usually the default browser configuration, allows several methods of obtaining the real IP.
Ordinary JavaScript sources are rewritten like any other sources, but there are several ways to circumvent this protection.
Dynamically generated JavaScript can be used to make the real client load a remote source directly, bypassing the proxy.
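As an added illustration, not code from the advisory or from any of the proxy scripts named above, the following Python sketch rewrites static src/href URLs the way a web-proxy does and shows that a URL assembled inside a script never reaches the rewriter; the proxy endpoint and the sample page are assumed and constructed here.

```python
import re
from urllib.parse import quote

# Assumed proxy entry point; the advisory names no URL.
PROXY = "http://proxy.example/browse.php?u="

# What a rewriting web-proxy catches: absolute URLs in src/href attributes.
ATTR_URL = re.compile(r'\b(src|href)=(["\'])(https?://[^"\']+)\2', re.I)
SCRIPT = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

# Constructed sample page: one static image plus a script that assembles
# the same URL at runtime, so no src="http://..." attribute exists to rewrite.
SAMPLE = """<html><body>
<img src="http://tracker.example/pixel.gif">
<script>
  var host = "tracker" + ".example";
  new Image().src = "http://" + host + "/pixel.gif";
</script>
</body></html>"""


def rewrite_static(html: str) -> str:
    """Rewrite attribute URLs to go through the proxy, as link-rewriting
    proxy scripts do; script bodies are passed through untouched."""
    def repl(m):
        q = m.group(2)
        return f"{m.group(1)}={q}{PROXY}{quote(m.group(3), safe='')}{q}"
    return ATTR_URL.sub(repl, html)


def scripts_left_in(html: str) -> list[str]:
    """Script blocks remaining in the rewritten page. Whatever they fetch at
    runtime goes straight from the client, because the rewriter never saw a
    URL in them. A non-empty result means the real IP can still leak."""
    return SCRIPT.findall(html)


def strip_scripts(html: str) -> str:
    """Proxy-side counterpart of the advisory's advice to disable JavaScript:
    remove script blocks so nothing can build a URL at runtime."""
    return SCRIPT.sub("", html)
```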
Impact
Successful exploitation of this vulnerability reveals the real IP address of a user who trusts the service to protect their identity.
Solution
The weakness lies in the design concept; the only protection against this sort of vulnerability is to disable JavaScript, ActiveX and similar active content within the browser.
Fixing this single vulnerability within the proxy script is unlikely to solve the underlying design issue.
Proof of Concept
Web-proxy analyzer: append &webproxy=1 to the URL to force web-proxy detection.