i think there is many like this http://g.msn.com/0AD00014/?http://google.com http://g.msn.com/0AD00014/?http://example.com etc etc etc your examples actually use an on-site URL redir and i recall some from yahoo as well used extensivly for spam im quite sure they ( AOL ) knows about this , and is a purpose built "feature".
my 2 bits, m.w ----- Original Message ----- From: "Michel Blomgren" <[EMAIL PROTECTED]> To: <[email protected]>; <[email protected]> Sent: Sunday, December 26, 2004 9:43 AM Subject: [Full-Disclosure] AOL website redirection scripts allow for abuse > > tigerteam.se security advisory - TSEAD-200412-1 > www.tigerteam.se > > Advisory: Hole in AOL's redirection scripts allow for abuse. > Date: Sat Dec 18 02:29:52 EST 2004 > Application: AOL's "redir", "redir.adp", "clickThruRedirect.adp", and > "frame.adp" scripts. > Vulnerability: Lack of input filtering allows for redirection abuse. > Reference: TSEAD-200412-1 > Author: Xavier de Leon <[EMAIL PROTECTED]> > > > SYNOPSIS > > http://www.corp.aol.com/whoweare/mission.shtml > > > VULNERABILITY > > The scripts in question allow input from external resources without > validation or filtering of any sort. Thus allowing spammers, phishers, and > other potential attackers a greater deceptive advantage. > > On another note, it is widely known that AOL utilizes a rating system > (throttling) on Instant Messages and e-mails based on content; specifically > spam. However, with the domain prefix aol.com|.* in the mix, rating doesn't > seem to be quite effective. And that enables spammers and phishers access to > spread their content around while bypassing certain throttling rates. > > > COMMENT > > In an environment where AOL users are being phished constantly via Instant > Messenger or e-mail, people are being outwitted into giving up sensitive > credentials by clicking on arbitrary links. This is where the stated > vulnerabily steps in. > > Although the redirection attacker host can be seen from the url itself, it can > be easily hex'd. Example: > > http://dynamic.aol.com/cgi/redir?http://%77%77%77%2e%74%69%67%65%72%74%65%61%6d%2e%73%65 > (redirects to www.tigerteam.se) > > [ or http://dynamic.aol.com/cgi/redir?http://tigerteam.se ] > > >From the example above, one must note that the "http://"; protocol text must be > included or else the script redirects to "./" (in this case being "/cgi/") > > Once redirected, the attacker host will be seen on the address bar. > > > DISCOVERY > > Xavier de Leon <[EMAIL PROTECTED]> > > While looking randomly through the AOL pages, I spotted a call to the 'redir' > script. I entered a bogus url and it redirected without any error messages > whatsoever. > > I searched several search engines (google/vivisimo/yahoo) for pages within AOL > which made calls to scripts with 'edir' in their name, and ran into the > "clickThruRedirect.adp" and "redir.adp" scripts. It turns out they both had > the same problem. Upon such results, I began furthur research into the > situation. > > > EXPLOITATION > > http://dynamic.aol.com/cgi/redir?http://www.attacker.com > http://aolsvc.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://content.alerts.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://www.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://sinbad.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://www.shopping.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://ht-brands.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://aolreseau.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://phileas.aol.fr/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://publish.groups.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://shop.aol.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://www.aolatschool.com/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://webcenter.shop.aol.com/ams/clickThruRedirect.adp?0,0,http://www.attacker.com > http://findajob.aol.com/ams/clickThruRedirect.adp?0,0x0,http://attacker.com > http://expressions.aol.com/redir.adp?_dci_url=http://www.attacker.com > http://www.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://attacker.com > http://entertainment.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com > http://redirect.aol.ca/cgi/redir-complex?sid=0&url=http://www.attacker.com > http://news.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com > http://travel.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com > http://www.defidumarche.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://shop.aolcanada.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://finance.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com > http://women.channels.aol.ca/redir.adp?_dci_url=http://www.attacker.com > http://www.marketchallenge.aol.ca/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://www.aol.com.ar/ams/clickThruRedirect.adp?0,0x0,http://www.attacker.com > http://www.aol.com.ar/frame.adp?url=http://www.attacker.com > > Kudos to the AOL Australia team for using their own redirect script: > /cgi-bin/redirector.pl which did a good job only accepting keywords that are > internally specified and valued to aol.com.au specific urls. > > > ACKNOWLEDGMENTS > > I would like to thank the following people in no particular order: > Michel + all my brothers in p-e and uDc, you know who you are. > > > ABOUT TIGERTEAM.SE > > tigerteam.se offers spearhead competence within the areas of vulnerability > assessment, penetration testing, security implementation, and advanced ethical > hacking training. tigerteam.se consists of Michel Blomgren - company owner (M. > Blomgren IT Security) and Xavier de Leon - freelancing IT security consultant. > Together we have worked for organizations in over 15 countries. > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
