COMMAND

    Anonymizer, SafeWeb

SYSTEMS AFFECTED

    Anonymizer, SafeWeb

PROBLEM

    Alexander K. Yezhov found the following. Everyone knows the
    Anonymizer service. It's a good tool that lets you stay anonymous
    while surfing the web. Moreover, it blocks the JavaScript code
    placed on web pages. The problem is that it just comments scripts
    out instead of cutting them out. On the one hand that's good,
    since you can look at the original JavaScript code if you want.
    On the other hand this commenting has some disadvantages.

    The text below applies to the free/trial version of the Anonymizer
    service (the commercial version wasn't tested).

    Anonymized web pages can use JavaScript code that will be executed
    even if commented by Anonymizer (a site can silently reload a frame
    and get the visitor's real IP, for example).

    The code below won't give you any errors whether you load the page
    with Anonymizer or without it (the visible part can be hidden using
    <font color>).

        <!--
        <script>//--->->
        <script language=javascript>
        alert('Hi! Still anonymized?');
        //</script>
        </script>
        -->

    You can try to load the "Privacy tools" pages at Tools-On.Net via
    Anonymizer, click on the "Go" button below "Holmes/Who" and look
    at the report (compare the results with JavaScript enabled and
    disabled).

        http://anon.free.anonymizer.com/http://tools-on.net/privacy.shtml
        http://tools-on.net/privacy.shtml

    If you get a "re-enter" message on the site, it means the session
    id was lost and you really need to re-enter (this can happen if
    you're using a cluster of proxy servers, for example).

    The script above can be started like any other script (just insert
    it into the HTML and that's all). It doesn't require any
    interaction with visitors. On the Tools-On.Net site the click just
    leads you to one of the tools that displays information about the
    visitor (to make the demonstration more complete).

    Alert() is safe, but the code can include any other instruction as
    well. The JavaScript on the demo page just checks whether the URL
    is "chained" and then changes document.location to the same page
    but without anonymizing. NOTE: the verification is needed only
    because the location will be changed to the _same_ page. This step
    (checking the current document.location) can be skipped if the
    site redirects the user to a different page.

    The current "redirect" demo is available at:

        http://tools-on.net/privacy.shtml

    (click on the "Go" button below "Holmes/Who" and look at the
    report). You can also use a direct (temporary) link to the "Who"
    tool:

        http://tools-on.net/privacy.shtml?o=who&t=4557701001675&

    The demo works for Anonymizer as well as for SafeWeb.
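
    Why commenting scripts out is weaker than cutting them out, as an
    added example (not part of the original advisory and not
    Anonymizer's code): comment_out_scripts() is a hypothetical model
    of a commenting rewriter, and rewrite() tokenizes the page, drops
    script elements and comments, and reports which script bodies were
    still live.

```python
import html
import re
from html.parser import HTMLParser

# Markup quoted in the advisory, used here as test input.
PAYLOAD = ("<!--\n<script>//--->->\n<script language=javascript>\n"
           "alert('Hi! Still anonymized?');\n//</script>\n</script>\n-->")

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)

def comment_out_scripts(page):
    """Hypothetical model of a rewriter that wraps each script in a comment."""
    return SCRIPT_RE.sub(lambda m: "<!--" + m.group(0) + "-->", page)

class _Walker(HTMLParser):
    """Tokenizes markup; comment boundaries decide which scripts are live."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.live, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.live.append("")
        else:
            self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
        else:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self.in_script:
            self.live[-1] += data  # body of a script that would execute
        else:
            # Re-escape text so decoded entities cannot turn into markup.
            self.out.append(html.escape(data, quote=False))
    # handle_comment is not overridden, so comments never reach the output.

def rewrite(page):
    """Return (page with scripts and comments cut out, live script bodies)."""
    walker = _Walker()
    walker.feed(page)
    walker.close()
    return "".join(walker.out), walker.live
```

    A real rewriting proxy also has to neutralize event-handler
    attributes and javascript: URLs, which this example leaves
    untouched.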

SOLUTION

    Nothing yet.