Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Advisory : Redirection And Phishing Vulnerability In A

from [Aditya Sood] Network Security [Permanent Link]
Subject: [Full-disclosure] Advisory : Redirection And Phishing Vulnerability In AOL My.ScreeName.com
Date: Wed, 29 Nov 2006 13:51:35 +0530 

Advisory : Severe Phishing And Redirection Attacks In AOL ScreenName Website
By : Zeroknock [at] Metaeye.Org

Dated : 23 November 2006
Severity : Critical

Explanation :
The screenname AOL website is subjected to phishing attacks as the
redirection
is possible with manipulation in URL.This flaw occur in the way when
ever user
registered to the screenname website with login page specified as:

URL : my.screenname.aol.com/_cqr/login/aimPrelogin.psp?

After the successfull login with the desired username and password , the
traffic is
redirected to the destination The attacker exploit the URL parameters by
redirecting as :

my.screenname.aol.com/_cqr/login/aimPrelogin.psp?siteState=redirect@<Website
Name>

Example :
my.screenname.aol.com/_cqr/login/aimPrelogin.psp?siteState=redirect@http://www.slashdot.org

The whole site with this URL paradigm is vulnerable to these attacks.

Vendor Status : Reported.Patched.
                         The security parameters are changed.




Aditya K Sood
Handle : Zeroknock
http://zeroknock.metaeye.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Advisory : Redirection And Phishing Vulnerability In AOL My.ScreeName.com, Aditya Sood <=
Previous by Date:  Re: [Full-disclosure] Sasser, Matthew Flaschen
Next by Date:  Re: [Full-disclosure] Sasser, David Swafford
Previous by Thread:  [Full-disclosure] New report on Teredo security, Jim Hoagland
Next by Thread:  [Full-disclosure] Secunia Research: Borland Products idsql32.dll Buffer Overflow Vulnerability, Secunia Research
Indexes:  [Date] [Thread] [Top] [All Lists]