SQL Injection, Database Error, offers.lendingtree.com, xss.cx, hoyt llc research, CWE-89, CAPEC-66, DORK, GHDB

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Netsparker - Scan Report Summary
TARGET URL
http://offers.lendingtree.com/splitter/splitt...
SCAN DATE
4/23/2011 11:05:28 AM
REPORT DATE
4/23/2011 11:08:29 AM
SCAN DURATION
00:00:08

Total Requests

811

Average Speed

91.40 req/sec.
3 identified
1 confirmed
0 critical
1 informational

GHDB, DORK Tests
PROFILE
Previous Settings
ENABLED ENGINES
Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

LOW: 67 %
INFORMATION: 33 %

VULNERABILITY SUMMARY

URL                      Parameter  Method  Vulnerability               Confirmed
/splitter/splitter.ashx  id         GET     Internal Server Error       Yes
                                            ASP.NET Version Disclosure  No
                                            IIS Version Disclosure      No
Internal Server Error

1 TOTAL
LOW
CONFIRMED
1
The server responded with an HTTP status 500. This indicates a server-side error. Reasons may vary, and the behaviour should be analysed carefully. If Netsparker is able to find a security issue in the same resource, it will report it as a separate vulnerability.

Impact

The impact varies with the cause. Generally this indicates poor coding practices: not enough error checking, sanitisation and whitelisting. However, there might be a bigger issue such as SQL Injection. If that is the case, Netsparker will check for other possible issues and report them separately.

Remedy

Analyse this issue and review the application code so that unexpected errors are handled. This should be a generic practice: an error must not disclose further information, and all errors should be handled server-side only.
- /splitter/splitter.ashx

/splitter/splitter.ashx CONFIRMED

http://offers.lendingtree.com/splitter/splitter.ashx?id=%27;WAITFOR%20DELAY%20%270:0:25%27--&promo=0..

Parameters

Parameter Type Value
id GET ';WAITFOR DELAY '0:0:25'--
promo GET 00313
source GET 4666360
esourceid GET 4666360
800Num GET 1-800-289-1731'
adtype GET 2

Request

GET /splitter/splitter.ashx?id=%27;WAITFOR%20DELAY%20%270:0:25%27--&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731'&adtype=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: offers.lendingtree.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 23 Apr 2011 16:05:29 GMT
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Nickname: Cartman
X-Powered-By: ASP.NET
Content-Length: 56
Connection: keep-alive


The next configuration set in the chain cannot be found.
ASP.NET Version Disclosure

1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the ASP.NET version in the HTTP response. This information can help an attacker develop further attacks, and the system can also become an easier target for automated attacks. The version was leaked from the X-AspNet-Version header of the HTTP response or from the default ASP.NET error page.

Impact

An attacker can use disclosed information to harvest specific security vulnerabilities for the version identified. The attacker can also use this information in conjunction with the other vulnerabilities in the application or web server.

Remedy

Apply the following changes to your web.config file to prevent information leakage, by using custom error pages and removing X-AspNet-Version from HTTP responses. Note that the element name is case-sensitive (system.web, not System.Web).
<system.web>
     <!-- Stops ASP.NET from emitting the X-AspNet-Version response header -->
     <httpRuntime enableVersionHeader="false" />
     <!-- Replaces the default ASP.NET error pages, which disclose framework details -->
     <customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
          <error statusCode="403" redirect="~/error/Forbidden.aspx" />
          <error statusCode="404" redirect="~/error/PageNotFound.aspx" />
          <error statusCode="500" redirect="~/error/InternalError.aspx" />
     </customErrors>
</system.web>

- /splitter/splitter.ashx

/splitter/splitter.ashx

http://offers.lendingtree.com/splitter/splitter.ashx?id=msnhptext12111&promo=00313&source=4666360&es..

Extracted Version

2.0.50727

Request

GET /splitter/splitter.ashx?id=msnhptext12111&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731'&adtype=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: offers.lendingtree.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 23 Apr 2011 16:05:25 GMT
Location: http://offers.lendingtree.com/splitter/splitter.ashx?id=displaysflanding&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731%27&adtype=2
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Nickname: Cartman
X-Powered-By: ASP.NET
Content-Length: 288
Connection: keep-alive


<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://offers.lendingtree.com/splitter/splitter.ashx?id=displaysflanding&amp;promo=00313&amp;source=4666360&amp;esourceid=4666360&amp;800Num=1-800-289-1731%27&amp;adtype=2">here</a>.</h2>
</body></html>
IIS Version Disclosure

1 TOTAL
INFORMATION
Netsparker identified that the target web server is disclosing the web server's version in the HTTP response. This information can help an attacker to gain a greater understanding of the system in use and potentially develop further attacks targeted at the specific web server version.

Impact

An attacker can look for specific security vulnerabilities for the version identified through the SERVER header information.

Remediation

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /splitter/splitter.ashx

/splitter/splitter.ashx

http://offers.lendingtree.com/splitter/splitter.ashx?id=msnhptext12111&promo=00313&source=4666360&es..

Extracted Version

Microsoft-IIS/7.5

Request

GET /splitter/splitter.ashx?id=msnhptext12111&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731'&adtype=2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: offers.lendingtree.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sat, 23 Apr 2011 16:05:25 GMT
Location: http://offers.lendingtree.com/splitter/splitter.ashx?id=displaysflanding&promo=00313&source=4666360&esourceid=4666360&800Num=1-800-289-1731%27&adtype=2
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Nickname: Cartman
X-Powered-By: ASP.NET
Content-Length: 288
Connection: keep-alive


<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="http://offers.lendingtree.com/splitter/splitter.ashx?id=displaysflanding&amp;promo=00313&amp;source=4666360&amp;esourceid=4666360&amp;800Num=1-800-289-1731%27&amp;adtype=2">here</a>.</h2>
</body></html>