I used to be in an environment behind a firewall, but installed and
configured AIM to work on my desktop. I used to want to work from home on
some of my files, but because of all the security on the network server and
on the web server itself, I wasn't allowed in from my roving IP address at
home. (I had AOL at the time, shame on me...) .....
Anyway, what I found out was, if I left my AIM on all night with the file
upload and download feature turned on, accepting requests from a certain AOL
account, I could sign on with one screen name at work....then go home, and
sign on with another screen name and request files from the AIM set up at
work. Now I was only able to get through to one specific directory, but it
could be a network drive if I so chose it to be.......
That's a security hole to me. Especially if I didn't restrict access to one
AOL name and left it open to everyone.
This above contract is over and the business shut down, but not because of
my unethical security breach, I might add.
Erika
--------------------------------
AIM: WebErika5
Yahoo: WebErika
MSN: WebErika
AskMe.com Expert: WebErika
--------------------------------
Erika L. Walker
Vice President
RUWebby, LLC
201-370-4272 (c)
973-244-9120 (o)
153 Rutgers Lane
Parsippany, NJ 07054
--------------------------------
Website Design/Programming
Database Integration
Allaire Partner - ColdFusion
--------------------------------
-----Original Message-----
From: Steve Bernard [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 27, 2001 3:08 PM
To: CF-Talk
Subject: OT: RE: icq, aol, icm
You might want to take a look at SecurityFocus and/or the Common
Vulnerability and Exposure database. Contrary to your _assumptions_ there
are a number of serious problems with IM. As a friendly suggestion, I would
refrain from telling others that there aren't security issues when in fact
you have no real knowledge of the subject. I don't mean this to be an attack
on you, it just isn't prudent or responsible to answer a question such as
this when the background isn't there. I have attached a number of the issues
along with their CVE name and a brief description.
Regards,
Steve
----------------------------------------------------------------------
- CVE-2000-1000 Format string vulnerability in AOL Instant Messenger (AIM)
4.1.2010 allows remote attackers to cause a denial of service and possibly
execute arbitrary commands by transferring a file whose name includes format
characters.
- CVE-2000-1094 Buffer overflow in AOL Instant Messenger (AIM) before
4.3.2229 allows remote attackers to execute arbitrary commands via a
"buddyicon" command with a long "src" argument.
- CAN-1999-0486 ** CANDIDATE (under review) ** Denial of service in AOL
Instant Messenger when a remote attacker sends a malicious hyperlink to the
receiving client, potentially causing a system crash.
- CAN-2000-0190 ** CANDIDATE (under review) ** AOL Instant Messenger (AIM)
client allows remote attackers to cause a denial of service via a message
with a malformed ASCII value.
- CAN-2000-0383 ** CANDIDATE (under review) ** The file transfer component
of AOL Instant Messenger (AIM) reveals the physical path of the transferred
file to the remote recipient.
- CAN-2000-1093 ** CANDIDATE (under review) ** Buffer overflow in AOL
Instant Messenger before 4.3.2229 allows remote attackers to execute
arbitrary commands via a long "goim" command.
----------------------------------------------------------------------
-----Original Message-----
From: Jeremy Allen [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 27, 2001 2:28 PM
To: CF-Talk
Subject: RE: icq, aol, icm
That is an obtuse answer to a complex problem.
Go back to your IT manager and tell him that Windows
is a security threat because it will run a virus.
Tell him that Outlook creates internet worms and should
not be used. Tell him that webpages have cross scripting
exploits and shouldnt be used.
There is an inherent amount of risk in anything. The ICQ
protocol used to be rather unsecure. But.. ICQ/AIm/Whatever
dont allow for arbitrary execution of code. Maybe someone
can impersonate you but its not an actual threat to your
systems stability at all. There are no common exploits
that can really cause any harm to your system for any messenging
client.
Woe to AOL of ICQ or AIM were to actually have holes
like that. They market ICQ as a tool businesses can use
to coloborate. A security threat, probably not.
Nothing is ever definite but it is a pretty safe bet that
ICQ,AIM/Xyz IM client isnt a true security hazard.
Jeremy Allen
elliptIQ Inc.
>-----Original Message-----
>From: Larry W. Virden [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, March 27, 2001 2:06 PM
>To: CF-Talk
>Subject: Re: icq, aol, icm
>
>
>Re: does instant messager create a security hole
>
>
>A mentor once told me 'if you turn on the computer, you have just
>created a potential security problem. The only secure computer
>is one which is _completely_ powered off and unplugged.'
>
>
>--
>Larry W. Virden <URL: mailto:[EMAIL PROTECTED]>
><URL: http://www.purl.org/net/lvirden/>
>Even if explicitly stated to the contrary, nothing in this
>posting
>should be construed as representing my employer's opinions.
>
>
>
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
Archives: http://www.mail-archive.com/cf-talk@houseoffusion.com/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
