[Full-disclosure] Advisory : Redirection And Phishing Vulnerability In AOL My.ScreeName.com
- From: zeroknock at metaeye.org (Aditya Sood)
- Subject: [Full-disclosure] Advisory : Redirection And Phishing Vulnerability In AOL My.ScreeName.com
- Date: Wed, 29 Nov 2006 13:51:35 +0530
Advisory : Severe Phishing And Redirection Attacks In AOL ScreenName Website
By : Zeroknock [at] Metaeye.Org
Dated : 23 November 2006
Severity : Critical

Explanation :

The AOL ScreenName website is exposed to phishing attacks because the post-login redirection can be controlled by manipulating the URL. The flaw occurs whenever a user logs in to the ScreenName website through the login page:

URL : my.screenname.aol.com/_cqr/login/aimPrelogin.psp?

After a successful login with the user's username and password, the traffic is redirected to the destination. An attacker exploits the URL parameters by redirecting as:

my.screenname.aol.com/_cqr/login/aimPrelogin.psp?siteState=redirect@<Website Name>

Example : my.screenname.aol.com/_cqr/login/aimPrelogin.psp?siteState=redirect@http://www.slashdot.org

The whole site with this URL paradigm is vulnerable to these attacks.

Vendor Status : Reported. Patched. The security parameters have been changed.

Aditya K Sood
Handle : Zeroknock
http://zeroknock.metaeye.org
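An added example, not part of the advisory or of AOL's code: a Python validator for a post-login redirect parameter that refuses the "@"-embedded form shown above together with the related forms an open-redirect check has to handle (other hosts, scheme-relative "//", backslashes, non-web schemes). The allowlist, the function name and the fallback target are assumptions for this example; only the AOL host name comes from the advisory.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts a post-login redirect may point at (constructed allowlist for this
# example; the AOL host is from the advisory, the list itself is assumed).
ALLOWED_HOSTS = {"my.screenname.aol.com"}
DEFAULT_TARGET = "/"  # assumed safe landing page when the value is refused


def safe_redirect_target(value, allowed_hosts=ALLOWED_HOSTS):
    """Validate a user-supplied post-login redirect value.

    Returns the value to redirect to when it stays on an allowed host,
    otherwise DEFAULT_TARGET. Anything that could carry the browser to
    another site is refused rather than "cleaned up".
    """
    if not value:
        return DEFAULT_TARGET
    # Browsers treat '\' like '/' and tolerate control characters and
    # whitespace; refuse them instead of trying to mirror browser parsing.
    if any(c == "\\" or ord(c) < 0x21 for c in value):
        return DEFAULT_TARGET
    parts = urlsplit(value)
    # Only web schemes; javascript:, data:, ftp: etc. are never a target.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET
    if not parts.netloc:
        # Relative target: must be a plain path with exactly one leading
        # slash. "//host/..." is scheme-relative and leaves the site.
        if parts.scheme == "" and value.startswith("/") and not value.startswith("//"):
            return urlunsplit(("", "", parts.path, parts.query, ""))
        return DEFAULT_TARGET
    # In an absolute URL everything before '@' in the authority is userinfo,
    # so the real host is whatever follows it. Refuse userinfo entirely.
    if "@" in parts.netloc:
        return DEFAULT_TARGET
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return DEFAULT_TARGET
    # Rebuild the URL from parsed parts (always https) rather than echoing input.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))
```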