Certain Alpha versions of AOL Instant Messenger (AIM), that were leaked, would log errors to a log file. By sending a crafted image file, it may be possible to execute arbitrary script/HTML on a victims browser when they view the log files.
AOL Instant Messenger has the ability to embed images into an instant message. However, if the graphic is not a valid image then an icon will be displayed showing the file type and the image data is saved to the log file. The images are saved in a the following format:
<BINARY><STYLE><DATA ID="1" SIZE="66">Data that would be inside the image</DATA></STYLE></BINARY>
An attacker can execute arbitrary script/HTML on the victims machine when the logs are viewed with a web browser.
Upgrade to AIM version 4.7, or any other non-leaked version, which has logging disabled.
Do not use pre-production alpha's, especially ones that have been leaked/stolen. Open the logs in a text-only viewer. You can also configure AIM to not accept any image connections. Additionally, AIM versions 4.4 or higher that support logging, also included a Log Manager. Use the Log Manager to view log files.
Our thanks to Steve Manzuik
This document was written by Jason Rafail and is based on information contained in Steve Manzuik's posting.
|Date First Published:||2002-04-05|
|Date Last Updated:||2002-04-05 21:26 UTC|