Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Serious security holes in web anonimyzing services

From: ben () ALGROUP CO UK (Ben Laurie)
Date: Thu, 15 Apr 1999 20:47:21 +0100

Patrick Oonk wrote:

With the Bell Labs and NRL systems I found a different
failure.  With a simple JavaScript expression I was
able to query the IP address and host name of the
browser computer.  The query was done by calling the
Java InetAddress class using the LiveConnect feature
of Netscape Navigator.  Once JavaScript has this
information, it can easily be transmitted it back to a
Web server as part of a URL.


This is not news. We (Major Malfunction and I) pointed this hole out
years ago (in Jan '97 to be precise; seems even longer):

http://www.alcrypto.com/java/

to quote the page: "Even the mighty anonymizer retires after
the first round, nose bleeding and ego bruised." Well, you know, these
guys with weird names like the flowery prose :-)

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
Previous By Date Next
Previous By Thread Next

Current thread: