On Tuesday 02 October 2001 21:49, lazy wrote:
: Why not simply downgrade, or block users not on your
: buddy list. Odds are no one who is really your "buddy"
: will try to DoS you. ;)
Downgrading may not be an option, as I don't recall seeing any download from
AOL for the older versions.
The DoS bonks people as soon as the "ACCEPT MESSAGE" dialog appears. So if
I'm not on your buddylist, and you have a default config, it will prompt, and
as soon as you see the prompt you see the error message.
To your point, you can block everyone not on your buddy list in the "Privacy"
tab of the Win32 client options and this should solve the problem until your
buddies send you the DoS. (thanks to bein for this win32 info, as I use
everybuddy in linux [ not vulnerable, as with gaim ] )
I haven't been able to get this to work through normal clients, so I do
believe the hacked-up faimtest is necessary to run it. perhaps somebody with
a different client has been successful? it seems from the aolrape code that
798 "<!-- " are sent.
another interesting aspect:
does the AIM client use a shell control to display the HTML? that is, does
it embed a WebBrowser interface/control to show everything? if so, then are
all programs that embed that control (possibly IE/OE) vulnerable to the same
thing?
(pardon the possible lack of appropriate terms, my win32 coding terminology
is a bit out of practice)
todd[1]
Received on Oct 03 2001