AIM forced behavior "issue"

From: orb (orbat_private)
Date: Mon Jul 15 2002 - 19:05:11 PDT


    Problem
    AIM forced behavior "issue":
    The 4.7 version of the official AIM client can be forced into performing
    functions when the user loads a web page created with specific code in
    the META HTTP-EQUIV="refresh" HTML tag.
    
    
    Versions affected
    Testing has shown that this "issue" affects anyone running the 4.7
    version of the official AIM client on Win 9x, Me, XP, 2000, or the 4.5
    version on Mac OS9/X*. The AIM client available for Linux is not
    affected. Perhaps it affects others as well... NT?, CE?
    
    
    Symptoms
    When you load a web page you may notice that a new group, buddy, etc. has
    been automatically added to your buddy list.
    
    
    Cause
    The AIM client apparently will allow HTTP REFRESH to "push" an aim: link
    using the following format:
    <META HTTP-EQUIV="refresh"
    CONTENT=4;URL=aim:goim?screenname=mybuddy&message=buch_of_stuff_here>
    
    
    Effects
    A web page can be created with HTTP REFRESH code which will result in
    the AIM client performing the same function it would if a user had
    clicked directly on an aim: link.
    
    
    Example
    <META HTTP-EQUIV="refresh"
    CONTENT=0;URL=aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,mflipzorcon&groupname=mindfliporg>
    
    A web page loaded with the above code in its META REFRESH tag would
    automatically add a group called mindfliporg to the user's buddy list
    and add the buddies
    mindfliporg, mfliporb, mflipmax, mflips0nic, mflipzorcon to the group.
    
    
    Status
    I placed a call to AOL months ago and was informed that this was a
    "feature" and would not be removed from future versions but may be
    "modified" in future versions. The latest version (4.8 at this time) has
    been modified to prompt the users when modifications to their buddylist
    are about to take place.
    
    
    History
    On a whim I decided to send someone an AIM greeting card. On the last
    page of that process AOL goes ahead and pops up an AIM window with an IM
    going to the SN for the person you have specified to receive the card.
    The IM says something to the effect of "You've got a greeting, click
    here." Convenient, this way all you have to do is hit send and it will
    IM the person to let them know. This greeting card page popped up the
    window automatically, I didn't have to click any links or OK anything,
    just load the page. If AOL can pop up a new IM window automatically with
    a web page, so can anyone else. Simply popping up an AIM window was
    only the beginning and prompted me to do further testing which resulted
    in the writing of an article which was edited down and turned into this
    message.
    
    
    Credits
    Brian Foy Jr. ( Orb ) orbat_private < http://www.mindflip.org >
    
    This report is, in article form, also available at:
    http://www.mindflip.org/aim.html
    
    Best regards,
    
    Orb
    mindflip.org - Tech Collective
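
A defensive check for the behavior reported above, as an added example that is not part of the original message: it scans HTML for META refresh tags whose target hands off to a non-web URI scheme such as aim: and reports the requested action and parameters. The names RefreshScanner, scan, WEB_SCHEMES and the sample page are assumptions made for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs

WEB_SCHEMES = {"http", "https"}  # assumption: the only schemes a refresh should target

class RefreshScanner(HTMLParser):
    """Record META refresh targets that hand off to a non-web URI scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        attr = {name: (value or "") for name, value in attrs}
        if tag != "meta" or attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        # CONTENT has the form "<delay>;URL=<target>", quoted or unquoted.
        delay, _, rest = attr.get("content", "").partition(";")
        target = re.sub(r"^\s*url\s*=\s*", "", rest, flags=re.I).strip(" '\"")
        scheme = re.match(r"([a-z][a-z0-9+.-]*):", target, re.I)
        if not scheme or scheme.group(1).lower() in WEB_SCHEMES:
            return  # relative URL or ordinary web redirect
        action, _, query = target[scheme.end():].partition("?")
        self.findings.append({
            "scheme": scheme.group(1).lower(),
            "action": action.lower(),
            "params": parse_qs(query),
            "delay": delay.strip(),
        })

def scan(html_text):
    """Return one finding per META refresh that targets a non-web scheme."""
    scanner = RefreshScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings

# Constructed sample page: the two tag shapes from the report plus a benign refresh.
SAMPLE = """<html><head>
<META HTTP-EQUIV="refresh" CONTENT=4;URL=aim:goim?screenname=mybuddy&message=hello>
<META HTTP-EQUIV="refresh" CONTENT=0;URL=aim:addbuddy?listofscreennames=buddy1,buddy2&groupname=examplegroup>
<meta http-equiv="refresh" content="5; url=https://example.com/next.html">
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with a zero or short delay and an action that changes client state (here addbuddy) is the case the report describes; the ordinary https refresh in the sample is not reported.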
    


