Title: AIM Multiple Cross Site Scripting
Author: Simo Ben youssef aka _6mO_HaCk
Discovered: 26 December 2005
Published: 7 January 2006
MorX Security Research Team
http://www.morx.org

Service: Web
Vendor: AIM.com
Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks
Severity: Medium/High
Tested on: Microsoft IE 6.0 and Firefox 5.1

Details:

AIM.com search engines are created with AOLserver Dynamic Pages (ADP). ADP are a set of web server extensions for designing dynamically created documents. Utilizing AOLserver, ADP return a document to the user based on running a set of Tcl code with arguments provided by the user. They are modelled on Microsoft's own Active Server Pages.

AIM.com ADP scripts are prone to cross-site scripting attacks. The problem is that the applications fail to properly sanitize user-supplied input (the "aolp" query parameter) before reflecting it into the page.

Impact:

An attacker can exploit the vulnerable scripts to have arbitrary script code executed in the browser of an authenticated AIM user in the context of the AIM webpage. This can result in the theft of cookie-based authentication, giving the attacker temporary access to the victim's account (email box, etc.), as well as other types of attacks.
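The root cause stated above is a reflected query parameter that is written into the page without encoding for its HTML context, which is why a value that merely closes a quote and a tag is enough to break out. The following added example (not the advisory's or AIM.com's code; the template, the function names and the sample values are constructed for illustration) shows the defect and its fix side by side in Python, and adds the round-trip check a defender can run against a rendered page: after parsing, the reflected value must come back as exactly one attribute value, with no stray markup or text produced by the input.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed template standing in for the ADP page (not the real AIM.com
# source): the aolp query parameter is reflected into a quoted HTML attribute.
TEMPLATE = '<input type="hidden" name="aolp" value="{value}">'


def aolp_from_url(url):
    """Return the raw aolp query parameter from a URL like the PoC links."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("aolp", [""])[0]


def render_vulnerable(value):
    """Reflect the parameter verbatim. A double quote in the input closes the
    attribute and a following '>' closes the tag, so whatever comes next is
    parsed as new markup instead of attribute text."""
    return TEMPLATE.format(value=value)


def render_fixed(value):
    """Encode for the HTML attribute context before reflecting: &, <, >, " and
    ' become character references, so the value can never leave the quotes."""
    return TEMPLATE.format(value=html.escape(value, quote=True))


class _ReflectionProbe(HTMLParser):
    """Collects every start tag and every piece of text outside tags."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.stray_text = ""

    def handle_starttag(self, tag, attrs):
        # attribute values arrive with character references already decoded
        self.tags.append((tag, dict(attrs)))

    def handle_data(self, data):
        self.stray_text += data


def reflected_safely(rendered, original):
    """Defender-side check: the rendered fragment must contain exactly the one
    intended <input> tag, its value attribute must decode back to the original
    input, and no text or extra tags may have leaked out of the attribute."""
    probe = _ReflectionProbe()
    probe.feed(rendered)
    probe.close()  # flush buffered text so trailing junk is not missed
    if len(probe.tags) != 1:
        return False
    tag, attrs = probe.tags[0]
    return (
        tag == "input"
        and attrs.get("value") == original
        and probe.stray_text.strip() == ""
    )


if __name__ == "__main__":
    # Constructed sample input, in the shape of the advisory's PoC links.
    sample_url = 'http://www.aim.com/chats.adp?aolp=">'
    value = aolp_from_url(sample_url)
    for label, renderer in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        out = renderer(value)
        print(f"{label:10s} {out!r} safe={reflected_safely(out, value)}")
```

Running the block prints the two renderings: in the vulnerable one the attribute has been cut short and the tail of the input sits outside the tag, so the round-trip check fails; in the encoded one the browser would see the literal characters inside the attribute and the check passes. The same probe can be pointed at any reflected parameter: if a value does not survive the round trip intact, the page is emitting it in the wrong (or no) encoding for its context.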
Screen captures:

http://www.morx.org/AIM-XSS.jpg
http://www.morx.org/AIM2-XSS.JPG
http://www.morx.org/AIM3-XSS.JPG
http://www.morx.org/AIM4-XSS.JPG

Affected scripts with proof of concept exploit:

http://www.aim.com/acronyms.adp?aolp=">
http://www.aim.com/remote/step1.adp?aolp=>
http://www.aim.com/remote/index.adp?aolp=">
http://www.aim.com/developer.adp?aolp=>
http://www.aim.com/get_aim/express/aim_expr.adp?aolp=>
http://www.aim.com/international.adp?aolp=""">
http://www.aim.com/help_faq/security/faq.adp?aolp=>
http://www.aim.com/help_faq/security/trojan.adp?aolp=>
http://www.aim.com/emoticons.adp?aolp=>
http://www.aim.com/chats.adp?aolp=">
http://www.aim.com/download.adp?aolp=">
http://www.aim.com/get_aim/linux/latest_linux.adp?aolp=">
http://www.aim.com/get_aim/win/other_win.adp?aolp=">
http://www.aim.com/get_aim/win/latest_win.adp?aolp=">
http://www.aim.com/help_faq/using/aimexpress.adp?aolp=">
http://www.aim.com/help_faq/gethelp.adp?aolp=">
http://www.aim.com/help_faq/security/report.adp?aolp=>
http://www.aim.com/help_faq/error_mess/index.adp?aolp=>
http://www.aim.com/help_faq/starting_out/index.adp?aolp=>
http://www.aim.com/help_faq/using/index.adp?aolp=>
http://www.aim.com/help_faq/forgot_password/password.adp?aolp=>
http://www.aim.com/tos/privacy_policy.adp?aolp=>
http://www.aim.com/help_faq/error_mess/winerrors_buddylist.adp?aolp=">
http://www.aim.com/help_faq/using/aimexpress.adp?aolp=
http://us.video.aim.com/speed.adp?msg=large&url=%2fmain%2eadp%3f">

Disclaimer: this entire document is for educational, testing and demonstration purposes only. Modification, use and/or publishing of this information is entirely at your OWN risk. The information provided in this advisory is to be used/tested on your OWN machine/account. I cannot be held responsible for any of the above.