mailing list archives
Re: AOL website redirection scripts allow for abuse
From: "morning_wood" <se_cur_ity () hotmail com>
Date: Mon, 27 Dec 2004 17:35:42 -0800
i think there is many like this
etc etc etc
your examples actually use an on-site URL redir
and i recall some from yahoo as well used extensivly for spam
im quite sure they ( AOL ) knows about this , and is a purpose
my 2 bits,
----- Original Message -----
From: "Michel Blomgren" <michel.blomgren () tigerteam se>
To: <bugtraq () securityfocus com>; <full-disclosure () lists netsys com>
Sent: Sunday, December 26, 2004 9:43 AM
Subject: [Full-disclosure] AOL website redirection scripts allow for abuse
tigerteam.se security advisory - TSEAD-200412-1
Advisory: Hole in AOL's redirection scripts allow for abuse.
Date: Sat Dec 18 02:29:52 EST 2004
Application: AOL's "redir", "redir.adp", "clickThruRedirect.adp", and
Vulnerability: Lack of input filtering allows for redirection abuse.
Author: Xavier de Leon <xavier () tigerteam se>
The scripts in question allow input from external resources without
validation or filtering of any sort. Thus allowing spammers, phishers,
other potential attackers a greater deceptive advantage.
On another note, it is widely known that AOL utilizes a rating system
(throttling) on Instant Messages and e-mails based on content;
spam. However, with the domain prefix aol.com|.* in the mix, rating
seem to be quite effective. And that enables spammers and phishers access
spread their content around while bypassing certain throttling rates.
In an environment where AOL users are being phished constantly via Instant
Messenger or e-mail, people are being outwitted into giving up sensitive
credentials by clicking on arbitrary links. This is where the stated
vulnerabily steps in.
Although the redirection attacker host can be seen from the url itself, it
be easily hex'd. Example:
(redirects to www.tigerteam.se)
[ or http://dynamic.aol.com/cgi/redir?http://tigerteam.se ]
From the example above, one must note that the "http://" protocol text
included or else the script redirects to "./" (in this case being "/cgi/")
Once redirected, the attacker host will be seen on the address bar.
Xavier de Leon <xavier () tigerteam se>
While looking randomly through the AOL pages, I spotted a call to the
script. I entered a bogus url and it redirected without any error
I searched several search engines (google/vivisimo/yahoo) for pages within
which made calls to scripts with 'edir' in their name, and ran into the
"clickThruRedirect.adp" and "redir.adp" scripts. It turns out they both
the same problem. Upon such results, I began furthur research into the
Kudos to the AOL Australia team for using their own redirect script:
/cgi-bin/redirector.pl which did a good job only accepting keywords that
internally specified and valued to aol.com.au specific urls.
I would like to thank the following people in no particular order:
Michel + all my brothers in p-e and uDc, you know who you are.
tigerteam.se offers spearhead competence within the areas of vulnerability
assessment, penetration testing, security implementation, and advanced
hacking training. tigerteam.se consists of Michel Blomgren - company owner
Blomgren IT Security) and Xavier de Leon - freelancing IT security
Together we have worked for organizations in over 15 countries.
Full-Disclosure - We believe in it.
- Re: AOL website redirection scripts allow for abuse morning_wood (Dec 28)