On Tuesday 02 October 2001 21:49, lazy wrote: : Why not simply downgrade, or block users not on your : buddy list. Odds are no one who is really your "buddy" : will try to DoS you. ;) Downgrading may not be an option, as I don't recall seeing any download from AOL for the older versions. The DoS bonks people as soon as the "ACCEPT MESSAGE" dialog appears. So if I'm not on your buddylist, and you have a default config, it will prompt, and as soon as you see the prompt you see the error message. To your point, you can block everyone not on your buddy list in the "Privacy" tab of the Win32 client options and this should solve the problem until your buddies send you the DoS. (thanks to bein for this win32 info, as i use everybuddy in linux [ not vulnerable, as with gaim ] ) I haven't been able to get this to work through normal clients, so i do believe the hacked-up faimtest is nessecary to run it. perhaps somebody with a different client has been sucessful? it seems from the aolrape code that 798 "<!-- " are sent. another interesting aspect: does the AIM client use a shell control to display the HTML? that is, does it embed a WebBrowser interface/control to show everything? if so, then are all programs that embed that control (possibly IE/OE) vulnerable to the same thing? (pardon the possible lack of appropriate terms, my win32 coding terminoligy is a bit out of practice) todd[1]
This archive was generated by hypermail 2b30 : Tue Oct 02 2001 - 22:06:02 PDT