Bugtraq mailing list archives
America Online Token Hole
From: mackk () RPI EDU (Kevin Mack)
Date: Thu, 8 Jul 1999 11:18:33 -0400
Normally I wouldn't post things of this nature, but I thought it was important enough. About a year ago, I found out that by sending the "Rw" token to the AOL host while signed on along with the object's internal id as arg, any user could get detailed info about any object on the system. Included in this information is the user who created the object and tons of other information like its current viewrule and AOL url. This was all great for about a week until AOL officially fixed the hole. Normally only internal users are allowed such access for security reasons. Using this exploit, anyone can see headings in AOL's Network Operations Center and look at user count information and AOL mothly profits before they are even released. AOL put all there stuff online...Anyways the hole still exists but is windowed for only about an hour a day. I have no clue why and it seems random... For example yesterday July 7th it existed between 6:30-7:30PM EST. Here is a sample FDO88/91 that will create a button to the send the Rw token w arg and help you exploit..fill the internal id with any number you wish to see..i do have a listing of interesting id if anyone wants to follow this further....and goodluck with the timing... man_start_object < trigger, "" > mat_relative_tag < 22 > act_replace_select_action < uni_start_stream sm_send_token_arg <"Rw", INTERNAL ID HERE> uni_end_stream
mat_precise_x < 0 > mat_precise_y < 226 > mat_font_sis < small_fonts, 7, normal> mat_art_id < 1-0-21184 > mat_bool_default < yes > man_end_object comments questions.. mackk () rpi edu
Current thread:
- America Online Token Hole Kevin Mack (Jul 08)
- Re: America Online Token Hole John Schuster (Jul 12)
- Re: America Online Token Hole Zero Divide (Jul 14)
- NMRC Advisory: Netware 5 Client Hijacking Simple Nomad (Jul 15)
- Re: America Online Token Hole John Schuster (Jul 12)