SQL Injection, Database Error, run.admost.com, xss.cx, hoyt llc research, CWE-89, CAPEC-66, DORK, GHDB

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

XSS.CX Home | XSS.CX Research Blog
Bounty Hunting: NO BUGS = NO PAYMENT. Google Vulnerability Rewards Program as the example for payment terms and conditions.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, Google Hacking Database, DORK Search

CWE-79 XSS Crawler - XSS Engine
CWE-89 SQLi Crawler - SQLi Engine
CWE-113 HTTPi Crawler - HTTPi Engine
CWE-23 LFI, RFI Crawler - LFI, RFI Engine
Loading
Netsparker - Scan Report Summary
TARGET URL
 http://run.admost.com/adx/ZonePlanCounts.ashx...
SCAN DATE
 4/23/2011 12:45:24 PM
REPORT DATE
 4/23/2011 12:47:11 PM
SCAN DURATION
 00:00:14

Total Requests

228

Average Speed

15.60 req/sec.
9
identified
4
confirmed
1
critical
3
informational

GHDB, DORK Tests

GHDB, DORK Tests
PROFILE
 Previous Settings
ENABLED ENGINES
 Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

Vulnerabilities
Netsparker - Web Application Security Scanner
CRITICAL
11 %
MEDIUM
11 %
LOW
44 %
INFORMATION
33 %

VULNERABILITY SUMMARY

Vulnerability Summary
URL Parameter Method Vulnerability Confirmed
/ Forbidden Resource Yes
/adx/ZonePlanCounts.ashx siteId GET [Probable] SQL Injection No
siteId GET Internal Server Error Yes
ASP.NET Version Disclosure No
siteId GET Database Error Message No
siteId GET ASP.NET Stack Trace Disclosure No
/crossdomain.xml Open Policy Crossdomain.xml Identified Yes
/robots.txt IIS Version Disclosure No
Robots.txt Identified Yes
[Probable] SQL Injection

[Probable] SQL Injection
1 TOTAL
CRITICAL
SQL Injection occurs when data input for example by a user is interpreted as a SQL command rather than normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Even though Netsparker believes that there is a SQL Injection in here it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure that it is an SQL Injection and that it needs to be addressed. You can also consider sending the details of this issue to us, in order that we can address this issue for the next time and give you a more precise result.

Impact

Depending on the backend database, database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:

Actions to Take

  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL) within the architecture consider its benefits and implement if appropriate. As a minimum the use of s DAL will help centralize the issue and its resolution. You can also use an ORM (object relational mapping). Most ORM systems use parameterized queries and this can solve many if not all SQL Injection based problems.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries)
  4. Monitor and review weblogs and application logs in order to uncover active or previous exploitation attempts.

Remedy

A very robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to test for SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.

External References

Remedy References

- /adx/ZonePlanCounts.ashx

/adx/ZonePlanCounts.ashx

http://run.admost.com/adx/ZonePlanCounts.ashx?siteId=%2527

Parameters

Parameter Type Value
siteId GET %27

Request

GET /adx/ZonePlanCounts.ashx?siteId=%2527 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: run.admost.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 23 Apr 2011 17:44:56 GMT
ntCoent-Length: 7025
Content-Encoding:
Content-Length: 1664


<html>
<head>
<title>ORA-01722: ge&#231;ersiz sayı<br></title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/adx' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>ORA-01722: ge&#231;ersiz sayı<br></i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Data.OracleClient.OracleException: ORA-01722: ge&#231;ersiz sayı<br><br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[OracleException (0x80131938): ORA-01722: ge&#231;ersiz sayı]
System.Data.OracleClient.OracleConnection.CheckError(OciErrorHandle errorHandle, Int32 rc) +475430
System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, Boolean needRowid, OciRowidDescriptor&amp; rowidDescriptor, ArrayList&amp; resultParameterOrdinals) +1323
System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, ArrayList&amp; resultParameterOrdinals) +36
System.Data.OracleClient.OracleCommand.ExecuteReader(CommandBehavior behavior) +320
System.Data.OracleClient.OracleCommand.ExecuteDbDataReader(CommandBehavior behavior) +9
System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) +21
System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +325
System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +420
System.Data.Common.DbDataAdapter.Fill(DataSet dataSet) +306
Microsoft.Practices.EnterpriseLibrary.Data.Database.DoLoadDataSet(IDbCommand command, DataSet dataSet, String[] tableNames) +770
Microsoft.Practices.EnterpriseLibrary.Data.Database.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames) +222
Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames) +74
Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteDataSet(DbCommand command) +90
Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.ExecuteDataSet(DbCommand command) +60
Adserver.BannerHandler.ZonePlanCounts.ProcessRequest(HttpContext context) +779
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +597
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously) +266
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[OracleException]: ORA-01722: ge&#231;ersiz sayı
at System.Data.OracleClient.OracleConnection.CheckError(OciErrorHandle errorHandle, Int32 rc)
at System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, Boolean needRowid, OciRowidDescriptor& rowidDescriptor, ArrayList& resultParameterOrdinals)
at System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, ArrayList& resultParameterOrdinals)
at System.Data.OracleClient.OracleCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OracleClient.OracleCommand.ExecuteDbDataReader(CommandBehavior behavior)
at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.DoLoadDataSet(IDbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteDataSet(DbCommand command)
at Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.ExecuteDataSet(DbCommand command)
at Adserver.BannerHandler.ZonePlanCounts.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
--><!--
This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using &lt;customErrors mode="Off"/&gt;. Consider using &lt;customErrors mode="On"/&gt; or &lt;customErrors mode="RemoteOnly"/&gt; in production environments.-->
Open Policy Crossdomain.xml Identified

Open Policy Crossdomain.xml Identified
1 TOTAL
MEDIUM
CONFIRMED
1
Netsparker identified Open Policy Crossdomain.xml file.

Impact

Open Policy Crossdomain.xml file allows other SWF files to make HTTP requests to your web server and see its response. This can be used for accessing one time tokens and CSRF nonces to bypass CSRF restrictions.

Remedy

Configure your Crossdomain.xml to prevent access from everywhere to your domain.

External References

- /crossdomain.xml

/crossdomain.xml CONFIRMED

http://run.admost.com/crossdomain.xml

Policy Rules

Request

GET /crossdomain.xml HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: run.admost.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 18 Mar 2008 14:16:21 GMT
Accept-Ranges: bytes
ETag: "8efc3a3289c81:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 23 Apr 2011 17:44:51 GMT
Cteonnt-Length: 205
Cache-Control: private
Content-Encoding:
Content-Length: 156


<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
Internal Server Error

Internal Server Error
1 TOTAL
LOW
CONFIRMED
1
The Server responded with an HTTP status 500. This indicates that there is a server-side error. Reasons may vary. The behavior should be analysed carefully. If Netsparker is able to find a security issue in the same resource it will report this as a separate vulnerability.

Impact

The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However there might be a bigger issue such as SQL Injection. If that's the case Netsparker will check for other possible issues and report them separately.

Remedy

Analyse this issue and review the application code in order to handle unexpected errors, this should be a generic practice which does not disclose further information upon an error. All errors should be handled server side only.
- /adx/ZonePlanCounts.ashx

/adx/ZonePlanCounts.ashx CONFIRMED

http://run.admost.com/adx/ZonePlanCounts.ashx?siteId=%22%26%20ping%20-n%2026%20127.0.0.1%20%26

Parameters

Parameter Type Value
siteId GET "& ping -n 26 127.0.0.1 &

Request

GET /adx/ZonePlanCounts.ashx?siteId=%22%26%20ping%20-n%2026%20127.0.0.1%20%26 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: run.admost.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 23 Apr 2011 17:44:55 GMT
ntCoent-Length: 7025
Content-Encoding:
Content-Length: 1664


<html>
<head>
<title>ORA-01722: ge&#231;ersiz sayı<br></title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/adx' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>ORA-01722: ge&#231;ersiz sayı<br></i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Data.OracleClient.OracleException: ORA-01722: ge&#231;ersiz sayı<br><br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[OracleException (0x80131938): ORA-01722: ge&#231;ersiz sayı]
System.Data.OracleClient.OracleConnection.CheckError(OciErrorHandle errorHandle, Int32 rc) +475430
System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, Boolean needRowid, OciRowidDescriptor&amp; rowidDescriptor, ArrayList&amp; resultParameterOrdinals) +1323
System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, ArrayList&amp; resultParameterOrdinals) +36
System.Data.OracleClient.OracleCommand.ExecuteReader(CommandBehavior behavior) +320
System.Data.OracleClient.OracleCommand.ExecuteDbDataReader(CommandBehavior behavior) +9
System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) +21
System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +325
System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +420
System.Data.Common.DbDataAdapter.Fill(DataSet dataSet) +306
Microsoft.Practices.EnterpriseLibrary.Data.Database.DoLoadDataSet(IDbCommand command, DataSet dataSet, String[] tableNames) +770
Microsoft.Practices.EnterpriseLibrary.Data.Database.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames) +222
Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames) +74
Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteDataSet(DbCommand command) +90
Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.ExecuteDataSet(DbCommand command) +60
Adserver.BannerHandler.ZonePlanCounts.ProcessRequest(HttpContext context) +779
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +597
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously) +266
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[OracleException]: ORA-01722: ge&#231;ersiz sayı
at System.Data.OracleClient.OracleConnection.CheckError(OciErrorHandle errorHandle, Int32 rc)
at System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, Boolean needRowid, OciRowidDescriptor& rowidDescriptor, ArrayList& resultParameterOrdinals)
at System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, ArrayList& resultParameterOrdinals)
at System.Data.OracleClient.OracleCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OracleClient.OracleCommand.ExecuteDbDataReader(CommandBehavior behavior)
at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.DoLoadDataSet(IDbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteDataSet(DbCommand command)
at Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.ExecuteDataSet(DbCommand command)
at Adserver.BannerHandler.ZonePlanCounts.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
--><!--
This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using &lt;customErrors mode="Off"/&gt;. Consider using &lt;customErrors mode="On"/&gt; or &lt;customErrors mode="RemoteOnly"/&gt; in production environments.-->
ASP.NET Version Disclosure

ASP.NET Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is disclosing ASP.NET version in the HTTP response. This information can help an attacker to develop further attacks and also the system can become an easier target for automated attacks. It was leaked from X-AspNet-Version banner of HTTP response or default ASP.NET error page.

Impact

An attacker can use disclosed information to harvest specific security vulnerabilities for the version identified. The attacker can also use this information in conjunction with the other vulnerabilities in the application or web server.

Remedy

Apply the following changes on your web.config file to prevent information leakage by using custom error pages and removing X-AspNet-Version from HTTP responses. 
<System.Web>
     < httpRuntime enableVersionHeader="false" /> 
     <customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
          <error statusCode="403" redirect="~/error/Forbidden.aspx" />
          <error statusCode="404" redirect="~/error/PageNotFound.aspx" />
          <error statusCode="500" redirect="~/error/InternalError.aspx" />
     </customErrors>
</System.Web>

Remedy References

- /adx/ZonePlanCounts.ashx

/adx/ZonePlanCounts.ashx

http://run.admost.com/adx/ZonePlanCounts.ashx?siteId=1245

Extracted Version

4.0.30319

Request

GET /adx/ZonePlanCounts.ashx?siteId=1245 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: run.admost.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 23 Apr 2011 17:44:50 GMT
ntCoent-Length: 108
Content-Encoding:
Content-Length: 101


var activeZones = {z2012:5,z2014:2,z2015:1,z2039:11,z2303:1,z2318:3,z2789:1,z2877:2,z3022:1,z3208:1,z3483:1}
Database Error Message

Database Error Message
1 TOTAL
LOW
Netsparker identified a database error message.

Impact

The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL Injection vulnerability. Most of the time Netsparker will detect and report that problem separately.

Remedy

Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.
- /adx/ZonePlanCounts.ashx

/adx/ZonePlanCounts.ashx

http://run.admost.com/adx/ZonePlanCounts.ashx?siteId=%22%26%20ping%20-n%2026%20127.0.0.1%20%26

Parameters

Parameter Type Value
siteId GET "& ping -n 26 127.0.0.1 &

Request

GET /adx/ZonePlanCounts.ashx?siteId=%22%26%20ping%20-n%2026%20127.0.0.1%20%26 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: run.admost.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 23 Apr 2011 17:44:55 GMT
ntCoent-Length: 7025
Content-Encoding:
Content-Length: 1664


<html>
<head>
<title>ORA-01722: ge&#231;ersiz sayı<br></title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/adx' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>ORA-01722: ge&#231;ersiz sayı<br></i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Data.OracleClient.OracleException: ORA-01722: ge&#231;ersiz sayı<br><br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[OracleException (0x80131938): ORA-01722: ge&#231;ersiz sayı]
System.Data.OracleClient.OracleConnection.CheckError(OciErrorHandle errorHandle, Int32 rc) +475430
System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, Boolean needRowid, OciRowidDescriptor&amp; rowidDescriptor, ArrayList&amp; resultParameterOrdinals) +1323
System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, ArrayList&amp; resultParameterOrdinals) +36
System.Data.OracleClient.OracleCommand.ExecuteReader(CommandBehavior behavior) +320
System.Data.OracleClient.OracleCommand.ExecuteDbDataReader(CommandBehavior behavior) +9
System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) +21
System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +325
System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +420
System.Data.Common.DbDataAdapter.Fill(DataSet dataSet) +306
Microsoft.Practices.EnterpriseLibrary.Data.Database.DoLoadDataSet(IDbCommand command, DataSet dataSet, String[] tableNames) +770
Microsoft.Practices.EnterpriseLibrary.Data.Database.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames) +222
Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames) +74
Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteDataSet(DbCommand command) +90
Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.ExecuteDataSet(DbCommand command) +60
Adserver.BannerHandler.ZonePlanCounts.ProcessRequest(HttpContext context) +779
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +597
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously) +266
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[OracleException]: ORA-01722: ge&#231;ersiz sayı
at System.Data.OracleClient.OracleConnection.CheckError(OciErrorHandle errorHandle, Int32 rc)
at System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, Boolean needRowid, OciRowidDescriptor& rowidDescriptor, ArrayList& resultParameterOrdinals)
at System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, ArrayList& resultParameterOrdinals)
at System.Data.OracleClient.OracleCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OracleClient.OracleCommand.ExecuteDbDataReader(CommandBehavior behavior)
at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.DoLoadDataSet(IDbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteDataSet(DbCommand command)
at Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.ExecuteDataSet(DbCommand command)
at Adserver.BannerHandler.ZonePlanCounts.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
--><!--
This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using &lt;customErrors mode="Off"/&gt;. Consider using &lt;customErrors mode="On"/&gt; or &lt;customErrors mode="RemoteOnly"/&gt; in production environments.-->
ASP.NET Stack Trace Disclosure

ASP.NET Stack Trace Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is disclosing ASP.NET stack trace data in the HTTP response.

Impact

An attacker can obtain information such as: This information can help an attacker to gain more information and to potentially focus the development of further attacks for the target system.

Remedy

Apply following changes on your web.config file to prevent information leakage by applying custom error pages. 
<System.Web>
     <customErrors mode="On" defaultRedirect="~/error/GeneralError.aspx">
          <error statusCode="403" redirect="~/error/Forbidden.aspx" />
          <error statusCode="404" redirect="~/error/PageNotFound.aspx" />
          <error statusCode="500" redirect="~/error/InternalError.aspx" />
     </customErrors>
</System.Web>

Remedy References

- /adx/ZonePlanCounts.ashx

/adx/ZonePlanCounts.ashx

http://run.admost.com/adx/ZonePlanCounts.ashx?siteId=%22%26%20ping%20-n%2026%20127.0.0.1%20%26

Parameters

Parameter Type Value
siteId GET "& ping -n 26 127.0.0.1 &

Request

GET /adx/ZonePlanCounts.ashx?siteId=%22%26%20ping%20-n%2026%20127.0.0.1%20%26 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: run.admost.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Sat, 23 Apr 2011 17:44:55 GMT
ntCoent-Length: 7025
Content-Encoding:
Content-Length: 1664


<html>
<head>
<title>ORA-01722: ge&#231;ersiz sayı<br></title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-family:"Verdana";font-weight:normal;color:black;margin-top: -5px}
b {font-family:"Verdana";font-weight:bold;color:black;margin-top: -5px}
H1 { font-family:"Verdana";font-weight:normal;font-size:18pt;color:red }
H2 { font-family:"Verdana";font-weight:normal;font-size:14pt;color:maroon }
pre {font-family:"Lucida Console";font-size: .9em}
.marker {font-weight: bold; color: black;text-decoration: none;}
.version {color: gray;}
.error {margin-bottom: 10px;}
.expandable { text-decoration:underline; font-weight:bold; color:navy; cursor:hand; }
</style>
</head>

<body bgcolor="white">

<span><H1>Server Error in '/adx' Application.<hr width=100% size=1 color=silver></H1>

<h2> <i>ORA-01722: ge&#231;ersiz sayı<br></i> </h2></span>

<font face="Arial, Helvetica, Geneva, SunSans-Regular, sans-serif ">

<b> Description: </b>An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

<br><br>

<b> Exception Details: </b>System.Data.OracleClient.OracleException: ORA-01722: ge&#231;ersiz sayı<br><br><br>

<b>Source Error:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code>

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.</code>

</td>
</tr>
</table>

<br>

<b>Stack Trace:</b> <br><br>

<table width=100% bgcolor="#ffffcc">
<tr>
<td>
<code><pre>

[OracleException (0x80131938): ORA-01722: ge&#231;ersiz sayı]
System.Data.OracleClient.OracleConnection.CheckError(OciErrorHandle errorHandle, Int32 rc) +475430
System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, Boolean needRowid, OciRowidDescriptor&amp; rowidDescriptor, ArrayList&amp; resultParameterOrdinals) +1323
System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, ArrayList&amp; resultParameterOrdinals) +36
System.Data.OracleClient.OracleCommand.ExecuteReader(CommandBehavior behavior) +320
System.Data.OracleClient.OracleCommand.ExecuteDbDataReader(CommandBehavior behavior) +9
System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) +21
System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +325
System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) +420
System.Data.Common.DbDataAdapter.Fill(DataSet dataSet) +306
Microsoft.Practices.EnterpriseLibrary.Data.Database.DoLoadDataSet(IDbCommand command, DataSet dataSet, String[] tableNames) +770
Microsoft.Practices.EnterpriseLibrary.Data.Database.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames) +222
Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames) +74
Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteDataSet(DbCommand command) +90
Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.ExecuteDataSet(DbCommand command) +60
Adserver.BannerHandler.ZonePlanCounts.ProcessRequest(HttpContext context) +779
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +597
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously) +266
</pre></code>

</td>
</tr>
</table>

<br>

<hr width=100% size=1 color=silver>

<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[OracleException]: ORA-01722: ge&#231;ersiz sayı
at System.Data.OracleClient.OracleConnection.CheckError(OciErrorHandle errorHandle, Int32 rc)
at System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, Boolean needRowid, OciRowidDescriptor& rowidDescriptor, ArrayList& resultParameterOrdinals)
at System.Data.OracleClient.OracleCommand.Execute(OciStatementHandle statementHandle, CommandBehavior behavior, ArrayList& resultParameterOrdinals)
at System.Data.OracleClient.OracleCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.OracleClient.OracleCommand.ExecuteDbDataReader(CommandBehavior behavior)
at System.Data.Common.DbCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.FillInternal(DataSet dataset, DataTable[] datatables, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior)
at System.Data.Common.DbDataAdapter.Fill(DataSet dataSet)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.DoLoadDataSet(IDbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.LoadDataSet(DbCommand command, DataSet dataSet, String[] tableNames)
at Microsoft.Practices.EnterpriseLibrary.Data.Database.ExecuteDataSet(DbCommand command)
at Microsoft.Practices.EnterpriseLibrary.Data.Oracle.OracleDatabase.ExecuteDataSet(DbCommand command)
at Adserver.BannerHandler.ZonePlanCounts.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
--><!--
This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using &lt;customErrors mode="Off"/&gt;. Consider using &lt;customErrors mode="On"/&gt; or &lt;customErrors mode="RemoteOnly"/&gt; in production environments.-->
Forbidden Resource

Forbidden Resource
1 TOTAL
INFORMATION
CONFIRMED
1
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for information purposes.

Impact

There is no impact resulting from this issue.
- /

/ CONFIRMED

http://run.admost.com/

Request

GET / HTTP/1.1
Referer: http://run.admost.com/adx/ZonePlanCounts.ashx?siteId=1245
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: run.admost.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Forbidden
Content-Type: text/html
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 23 Apr 2011 17:44:50 GMT
Content-Length: 1233


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>403 - Forbidden: Access is denied.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>403 - Forbidden: Access is denied.</h2>
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
</fieldset></div>
</div>
</body>
</html>
IIS Version Disclosure

IIS Version Disclosure
1 TOTAL
INFORMATION
Netsparker identified that the target web server is disclosing the web server's version in the HTTP response. This information can help an attacker to gain a greater understanding of the system in use and potentially develop further attacks targeted at the specific web server version.

Impact

An attacker can look for specific security vulnerabilities for the version identified through the SERVER header information.

Remediation

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /robots.txt

/robots.txt

http://run.admost.com/robots.txt

Extracted Version

Microsoft-IIS/7.5

Request

GET /robots.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: run.admost.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 15 Apr 2010 11:25:05 GMT
Accept-Ranges: bytes
ETag: "f83d214c8edcca1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 23 Apr 2011 17:44:51 GMT
Cteonnt-Length: 30
Cache-Control: private
Content-Encoding:
Content-Length: 50


User-agent: *
Disallow: /

Robots.txt Identified

Robots.txt Identified
1 TOTAL
INFORMATION
CONFIRMED
1
Netsparker identified a possibly sensitive Robots.txt file with potentially sensitive content.

Impact

Depending on the content of the file, an attacker might discover hidden directories. Ensure that you have got nothing sensitive exposed within this folder such as the path of the administration panel.

Remedy

- /robots.txt

/robots.txt CONFIRMED

http://run.admost.com/robots.txt

Interesting Robots.txt Entries

Request

GET /robots.txt HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: run.admost.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Thu, 15 Apr 2010 11:25:05 GMT
Accept-Ranges: bytes
ETag: "f83d214c8edcca1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sat, 23 Apr 2011 17:44:51 GMT
Cteonnt-Length: 30
Cache-Control: private
Content-Encoding:
Content-Length: 50


User-agent: *
Disallow: /