---------- Forwarded message ----------
Date: Tue, 27 Nov 2001 14:55:11 +0000
From: Klaxon
To: Bugtraq
Cc: NUKE Borgas
Subject: Anonymiser.com might reveal your IP
Hello, if this has been discussed in the past just tell me to sod off.
While playing with proxy configurations for a machine at home I came
across a questionable behaviour from www.anonymiser.com. I stuck netcat
on port 80 of this machine and than surfed back to it through Anonymiser.
I know there's a transparent proxy on my ISP and apparently it attaches
a "Client-ip: x.x.x.x" field to all http requests. What's fun is that
Anonymiser happily copies this field to its own http request. Actually
it will pass along any field sent with your request, which makes sense
for "Accept-..." stuff but is obviously a bad ideia for anything else.
-------------------------------------
[~]# nc -l -p 80
GET / HTTP/1.0
Host: foo.bar.com
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, image/png, image/jpeg, image/gif;q=0.2, text/plain;q=0.8, text/css, */*;q=0.1
Accept-Charset: iso-8859-1, utf-8;q=0.66, *;q=0.66
Accept-Encoding: identity
User-Agent: Mozilla/4.78 (TuringOS; Turing Machine; 0.0)
Client-ip: X.X.X.X <------------ BOOM!
Via: HTTP/1.1 proxy-02[XXXXXXX] (Traffic-Server/3.5.7 [XXXXXXXX])
-------------------------------------
So beware if you trust this service and there's an unknown proxy
somewhere along the wire. Please note this experience was with
Anonymiser.com's free service. I would like to know if anyone paying
for it can confirm this.
To try it: launch netcat on your port 80 (nc -l -p 80), telnet to
www.anonymiser.com on port 80 and request your address:
[~]$ telnet www.anonymiser.com 80
Trying 168.143.112.10...
Connected to www.anonymiser.com.
Escape character is '^]'.
GET http://your.ip.goes.here HTTP/1.0
Foo-bar: it hurts
Netcat should spit this:
[~]# nc -l -p 80
GET / HTTP/1.0
Host: your.ip.goes.here
Foo-bar: it hurts
Connection: Keep-Alive
If Foo-bar is there so can a Client-ip be.
--
EOF