vendor: AOL Instant Messenger
by: SecurityFocus
CVSS: 3.3 MEDIUM
HTML Injection
CWE: 79
Product Name: AOL Instant Messenger
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Microsoft Windows and MacOS
2002
AOL Instant Messenger Client HTML Injection Vulnerability
The AOL Instant Messenger client is prone to an issue that may allow maliciously crafted HTML to perform unauthorized actions (such as adding entries to the buddy list) on behalf of the user of a vulnerable client. The condition stems from how the client handles 'aim:' URIs. These actions are taken without prompting or notifying the user. A web page loaded with the above code in the META REFRESH tag will automatically add a group called mindfliporg and add the users mindfliporg, mfliporb, mflipmax, mflips0nic, mflipzorcon to the buddy list.
Mitigation:
Update to the latest version of AOL Instant Messenger
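
A defensive check for the delivery path described above, added here as an example (not code from the advisory or from AOL): it scans HTML for META refresh tags whose target uses the 'aim:' scheme, for use in a content filter or when reviewing a suspect page. The function name, the sample page and the placeholder 'aim:' targets are assumptions and do not reproduce real AIM URI syntax.

```python
import re
from html.parser import HTMLParser

# content="<delay>; url=<target>"; the "url=" label and the quotes are optional.
_REFRESH = re.compile(r"""\s*[\d.]*\s*[;,]?\s*(?:url\s*=\s*)?["']?(?P<target>[^"']*)""", re.I)
_SCHEME = re.compile(r"([a-z][a-z0-9+.-]*):", re.I)
_LEADING = "".join(map(chr, range(0x21)))  # C0 control characters and space

class _RefreshFinder(HTMLParser):
    def __init__(self, schemes):
        super().__init__()
        self.schemes = {s.lower() for s in schemes}
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag/attribute names and decodes character
        # references in values, so "&#97;im:" is seen here as "aim:".
        if tag != "meta":
            return
        attr = {name: value or "" for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        target = _REFRESH.match(attr.get("content", "")).group("target")
        # URL parsers drop tab/CR/LF anywhere and leading control characters.
        target = re.sub(r"[\t\r\n]", "", target).lstrip(_LEADING)
        scheme = _SCHEME.match(target)
        if scheme and scheme.group(1).lower() in self.schemes:
            self.hits.append((scheme.group(1).lower(), target))

def find_refresh_targets(html_text, schemes=("aim",)):
    """Return (scheme, target) for each META refresh pointing at a flagged scheme."""
    finder = _RefreshFinder(schemes)
    finder.feed(html_text)
    finder.close()
    return finder.hits

# Constructed sample page; the aim: targets are placeholders, not real AIM syntax.
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://example.com/next">
<META HTTP-EQUIV="Refresh" CONTENT="0;URL=aim:constructed-action?placeholder=1">
<meta http-equiv=refresh content="0; url='&#97;im:constructed-action'">
</head></html>"""

if __name__ == "__main__":
    for scheme, target in find_refresh_targets(SAMPLE):
        print(scheme, target)
```

The ordinary http refresh in the sample is not reported; pass other scheme names in `schemes` to flag additional registered protocol handlers.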