[11036] in bugtraq
Re: America Online Token Hole
daemon@ATHENA.MIT.EDU (Zero Divide)
Thu Jul 15 22:15:09 1999
Message-Id: <19990715054733.65227.qmail@securityfocus.com>
Date: Thu, 15 Jul 1999 05:47:33 -0000
Reply-To: Zero Divide <o0o@HOTMAIL.COM>
From: Zero Divide <o0o@HOTMAIL.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19990712160549.47411.qmail@securityfocus.com>
Programmable AOL buttons are written in FDO (Form Display
Operation). You can compile these forms using AOL's Visual
Publisher Designer tool.
As for this Rw token nonsense. The Rw token exploit was
discovered in early 1998 by Slushie and Uaert, not by this
Mackk person. I don't know who he is or why he even
brought up this exploit on Bugtraq.
The Rw token was used when AOL accounts with Rainman
publishing rights had access to two or more Rainman
Groups. Since objects could have the same external ID and
be in different Rainman Groups, AOL designed the Rw token
to allow you to choose the particular Rainman Group you
wanted the EOI feedback displayed from. After AOL patched
the Rw in early 1998, Rainman users were no longer able to
get a list of all the objects using the same external ID.
Instead they had to type in the Rainman group AND the
external ID in order to view the EOI feedback, i.e. "1928.tos
blah".
I fail to see why the Rw token would still work in this one
hour time slot because the function it performs is now
obsolete. Of course, this is AOL we are talking about and
they are not known for running the most efficient and
secure service.
ZD
<<<I had contacted the person who posted this information.
It seems that AOL has contacted him and he refuses to talk
about this if you ask about it.
Does anyone have any information on how to make your own
programmable buttons for AOL?
granny
About a year ago, I found out that by sending the "Rw" token
to the AOL host while signed on along with the object's
internal id as arg, any user could get detailed info about
any object on the system.
man_start_object < trigger, "" >
mat_relative_tag < 22 >
act_replace_select_action
<
uni_start_stream
sm_send_token_arg <"Rw", INTERNAL ID HERE>
uni_end_stream
>
mat_precise_x < 0 >
mat_precise_y < 226 >
mat_font_sis < small_fonts, 7, normal>
mat_art_id < 1-0-21184 >
mat_bool_default < yes >
man_end_object
comments questions.. mackk@rpi.edu
>>>>