{"vuid":"VU#541384","idnumber":"541384","name":"AOL Instant Messenger saves code embedded in image tag to conversation log which could be viewed/executed by a browser","keywords":["AOL Instant Messenger","AIM"],"overview":"Certain Alpha versions of AOL Instant Messenger (AIM), that were leaked, would log errors to a log file. By sending a crafted image file, it may be possible to execute arbitrary script/HTML on a victims browser when they view the log files.","clean_desc":"AOL Instant Messenger has the ability to embed images into an instant message. However, if the graphic is not a valid image then an icon will be displayed showing the file type and the image data is saved to the log file. The images are saved in a the following format: <BINARY> <STYLE> <DATA ID=\"1\" SIZE=\"66\"> Data that would be inside the image</DATA></STYLE></BINARY> If you were to send an HTML file which included malicious script/HTML code with a image extension that started with </DATA></STYLE></BINARY>, then the script/HTML would be interpreted if logs were saved and viewed with an html browser. In some Alpha versions of AIM versions 4.4 and later, that were leaked, logs are saved by default to C:\\AimLogs\\Username\\IMLog.htm, and while AIM has a utility to view the logs, clicking directly on the file will launch the victim's default web browser to view it. If you do not have a leaked Alpha version, then you will not be vulnerable to this issue.","impact":"An attacker can execute arbitrary script/HTML on the victims machine when the logs are viewed with a web browser.","resolution":"Upgrade to AIM version 4.7, or any other non-leaked version, which has logging disabled.","workarounds":"Do not use pre-production alpha's, especially ones that have been leaked/stolen. Open the logs in a text-only viewer. You can also configure AIM to not accept any image connections. Additionally, AIM versions 4.4 or higher that support logging, also included a Log Manager. Use the Log Manager to view log files.","sysaffected":"","thanks":"Our thanks to Steve Manzuik <steve@securesolutions.org> for the information contained in his \nposting","author":"This document was written by Jason Rafail and is based on information contained in Steve Manzuik's posting.","public":["h","t","t","p",":","/","/","w","w","w",".","w","i","n","d","o","w","s","i","t","s","e","c","u","r","i","t","y",".","c","o","m","/","A","r","t","i","c","l","e","s","/","I","n","d","e","x",".","c","f","m","?","A","r","t","i","c","l","e","I","D","=","1","9","8","1","1"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-01-26T21:43:32Z","publicdate":"2001-01-24T00:00:00Z","datefirstpublished":"2002-04-05T21:26:52Z","dateupdated":"2002-04-05T21:26:56Z","revision":14,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"20","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"5","cam_impact":"7","cam_easeofexploitation":"2","cam_attackeraccessrequired":"20","cam_scorecurrent":"0.65625","cam_scorecurrentwidelyknown":"0.65625","cam_scorecurrentwidelyknownexploited":"1.18125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":0.65625,"vulnote":null}