Anonymiser.com might reveal your IP (fwd)
---------- Forwarded message ----------
Date: Tue, 27 Nov 2001 14:55:11 +0000
From: Klaxon <klaxon@netcabo.pt>
To: Bugtraq <bugtraq@securityfocus.com>
Cc: NUKE Borgas <nukeborgas@yahoogroups.com>
Subject: Anonymiser.com might reveal your IP

Hello,

if this has been discussed in the past just tell me to sod off.

While playing with proxy configurations for a machine at home I came across a questionable behaviour from www.anonymiser.com. I stuck netcat on port 80 of this machine and then surfed back to it through Anonymiser. I know there's a transparent proxy on my ISP and apparently it attaches a "Client-ip: x.x.x.x" field to all http requests. What's fun is that Anonymiser happily copies this field to its own http request. Actually it will pass along any field sent with your request, which makes sense for "Accept-..." stuff but is obviously a bad idea for anything else.

-------------------------------------
[~]# nc -l -p 80
GET / HTTP/1.0
Host: foo.bar.com
Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, image/png, image/jpeg, image/gif;q=0.2, text/plain;q=0.8, text/css, */*;q=0.1
Accept-Charset: iso-8859-1, utf-8;q=0.66, *;q=0.66
Accept-Encoding: identity
User-Agent: Mozilla/4.78 (TuringOS; Turing Machine; 0.0)
Client-ip: X.X.X.X     <------------ BOOM!
Via: HTTP/1.1 proxy-02[XXXXXXX] (Traffic-Server/3.5.7 [XXXXXXXX])
-------------------------------------

So beware if you trust this service and there's an unknown proxy somewhere along the wire.

Please note this experience was with Anonymiser.com's free service. I would like to know if anyone paying for it can confirm this.

To try it: launch netcat on your port 80 (nc -l -p 80), telnet to www.anonymiser.com on port 80 and request your address:

[~]$ telnet www.anonymiser.com 80
Trying 168.143.112.10...
Connected to www.anonymiser.com.
Escape character is '^]'.
GET http://your.ip.goes.here HTTP/1.0
Foo-bar: it hurts

Netcat should spit this:

[~]# nc -l -p 80
GET / HTTP/1.0
Host: your.ip.goes.here
Foo-bar: it hurts
Connection: Keep-Alive

If Foo-bar is there so can a Client-ip be.

-- EOF
participants (1):
measl@mfn.org
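
Added example, not part of the original message and not Anonymiser's code: one way an anonymising proxy can avoid the behaviour reported above is to forward only an allowlist of request headers and rebuild Host from the requested URL. The allowlist, the function name sanitize_request and the sample request (SAMPLE, with a documentation-range address) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed policy: only content-negotiation headers are forwarded upstream.
ALLOWED = {"accept", "accept-charset", "accept-encoding", "accept-language"}

def sanitize_request(raw: bytes):
    """Rebuild a proxy-form request; return (outbound_bytes, dropped_header_names)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    method, target, version = request_line.split(" ")
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        raise ValueError("expected an absolute http:// target")
    path = (url.path or "/") + ("?" + url.query if url.query else "")
    host = url.hostname + (f":{url.port}" if url.port else "")
    kept, dropped, keep_current = [], [], False
    for line in lines:
        if line[:1] in (" ", "\t"):
            # Folded continuation line: it shares the fate of the header it
            # extends, so a dropped header cannot smuggle its value through.
            if keep_current:
                kept[-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        name = name.strip()
        keep_current = name.lower() in ALLOWED  # header names are case-insensitive
        if keep_current:
            kept.append(f"{name}: {value.strip()}")
        else:
            dropped.append(name)
    # Host is generated by the proxy, never copied from the client request.
    out = [f"{method} {path} {version}", f"Host: {host}"] + kept
    return ("\r\n".join(out) + "\r\n\r\n").encode("latin-1"), dropped

# Constructed sample modelled on the request in the message (192.0.2.7 is a
# documentation address standing in for the client's real IP).
SAMPLE = (b"GET http://foo.bar.com/ HTTP/1.0\r\n"
          b"Accept-Encoding: identity\r\n"
          b"User-Agent: Mozilla/4.78\r\n"
          b"Client-ip: 192.0.2.7\r\n"
          b"Via: HTTP/1.1 proxy-02\r\n"
          b"Foo-bar: it hurts\r\n\r\n")

if __name__ == "__main__":
    outbound, dropped = sanitize_request(SAMPLE)
    print(outbound.decode("latin-1"), "dropped:", dropped)
```

Logging the dropped header names (not their values) shows when an intermediary on the client side is injecting identifying fields.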