Bugtraq mailing list archives

AOL Provided Programs


From: MSHINES () freh-02 adpc purdue edu (Michael S. Hines)
Date: 7 Dec 94 08:00:05 EST


Jim Littlefield says --

Something to remember is that AOL provides a program for users to use when
dialing in. A bad security hole would exist if this program supports any
"magic" headers, etc.

Just my $0.02.

--

Has anyone reverse engineered the program(s - DOS/WIN/MAC versions) to
develop an "Undocumented AOL"?

Should be able to identify any magic doors provided.

One other possible exposure - with AOL it is possible to set an option to
"expand on exit" which calls their EXPAND program to expand compressed
transfers.  This program could make the mistake of also executing a file
transferred (I don't think it does) before you have a chance to apply your
favorite virus scanner to it.

Isn't life in the fast lane fun!


----------------------------------------------------------------------
Internet:  mshines () ia purdue edu      |  Michael S. Hines
Bitnet:    michaelh@purccvm           |  Sr. Information Systems Auditor
Purdue WIZARD Mail: MSHINES           |  Purdue University
GTE Net Voice: (317) 494-5845         |  1065 Freehafer Hall
GTE Net FAX:   (317) 496-1814         |  West Lafayette, IN 47907-1065
CompuServe: 73240,1631                |


