Full Disclosure mailing list archives
Advisory : Redirection And Phishing Vulnerability In AOL My.ScreeName.com
From: Aditya Sood <zeroknock () metaeye org>
Date: Wed, 29 Nov 2006 13:51:35 +0530
Advisory : Severe Phishing And Redirection Attacks In AOL ScreenName Website By : Zeroknock [at] Metaeye.Org Dated : 23 November 2006 Severity : Critical Explanation : The screenname AOL website is subjected to phishing attacks as the redirection is possible with manipulation in URL.This flaw occur in the way when ever user registered to the screenname website with login page specified as: URL : my.screenname.aol.com/_cqr/login/aimPrelogin.psp? After the successfull login with the desired username and password , the traffic is redirected to the destination The attacker exploit the URL parameters by redirecting as : my.screenname.aol.com/_cqr/login/aimPrelogin.psp?siteState=redirect@<Website Name> Example : my.screenname.aol.com/_cqr/login/aimPrelogin.psp?siteState=redirect@http://www.slashdot.org The whole site with this URL paradigm is vulnerable to these attacks. Vendor Status : Reported.Patched. The security parameters are changed. Aditya K Sood Handle : Zeroknock http://zeroknock.metaeye.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Advisory : Redirection And Phishing Vulnerability In AOL My.ScreeName.com Aditya Sood (Nov 29)