Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (E-mail Server)  >   AOL Instant Messenger Vendors:   America Online, Inc.
AOL Web Mail 'msglist.adp' Input Validation Hole Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1011791
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Oct 20 2004
Original Entry Date:  Oct 20 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  

Description:   Steven from reported an input validation vulnerability in America Online's web mail system. A remote user can conduct cross-site scripting attacks.

The report notes that the same vulnerability was previously identified in a paper by David Endler [then of iDEFENSE] in May 2002.

The 'msglist.adp' script does not properly filter HTML code from user-supplied input in the 'folder' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the AOL web mail site running the vulnerable software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:


The target user must be logged in to the web mail system for the exploit to work.

The original advisory is available at:

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the AOL web mail site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error

Message History:   None.

 Source Message Contents

Subject:  America Online Webmail Cross Site Scripting Vulnerability

Date:             October 20, 2004
Vendor:           America Online Inc.
Product/Service:  America Online Webmail
Issue:            Cross Site Scripting Vulnerability In Webmail
URL:     | AOL Keyword: webmail
Advisory URL:

Note: While I found these vulnerabilities independently, all credit goes to
iDefense as upon searching I found that this scripting error has previously
been mentioned (sometime ago at that) in a white paper written by iDefense.
This white paper is available at: -
However, it appears it is possible the vendor has never been notified and
that this is not a widely published vulnerability.  Since this affects the
largest ISP in the world, it might be worth publishing on a larger scale.

Service Overview:

America Online (AOL) is the world's largest Internet Service Provider.  They
provide many special online services and features that are only available to
its dialup and high speed add-on subscribers.  AOL owns many other companies
to include Netscape, which also contains the same scripting error in its
webmail client.


A user can craft a URL that when viewed will conduct a Cross Site Scripting
attack.  One impact of this attack is that it can give the attacker access
to the users cookies.  The flaw lies within msglist.adp?folder=<SCRIPTING>

An example url is as follows:<script>alert(document.cookie)</script>

Note: A user MUST be logged into webmail for this attack to work.  Also,
AOL's webmail is only accessible to subscribers of the AOL service.  Please
read the Netscape Webmail advisory to see the differences and who is
affected by that vulnerability.


The script could simply filter and replace special characters or validate
user input so scripts cannot be executed.

Vendor Response:

All previous attempts to alert this vendor to other vulnerabilties,
exploits, and holes have proven to be futile.  This error has not been
reported to the vendor for that reason.  If this vendor would like to be
notified of future bugs (which there already are) in order to work on a
solution prior to disclosure, they can contact me at:


iDefense - and credits go to Link Linkovich for also mentioning and
describing problems with Groups@AOL

Questions/Comments/Other?  Drop me a line.  Go Hokies! :D


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, LLC