AOL Instant Messenger 4.x Unauthorized Actions Vulnerability

ID EDB-ID:21619
Type exploitdb
Reporter orb
Modified 2002-07-16T00:00:00


AOL Instant Messenger 4.x Unauthorized Actions Vulnerability. CVE-2002-2169. Remote exploit for windows platform


The AOL Instant Messenger client is prone to an issue which may allow maliciously crafted HTML to perform unauthorized actions (such as adding entries to the buddy list) on behalf of the user of a vulnerable client. This condition is due to how the client handles "aim:" URIs. These actions will be taken without prompting or notifying the user.

This issue was reported for versions of AIM running on Microsoft Windows and MacOS. The Linux version of the client is not affected by this vulnerability.

<META HTTP-EQUIV="refresh"CONTENT=0;URL=aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,mflipzorcon&groupname=mindfliporg>

A web page loaded with the above code in the META REFRESH tag will
automatically add a group called mindfliporg and add the users mindfliporg, mfliporb, mflipmax, mflips0nic, mflipzorcon to buddy list.