www.bannerspace.com, XSS, GHDB DORK REPORT SUMMARY

Netsparker - Scan Report Summary

TARGET URL: http://www.bannerspace.com/asp/application.as...
SCAN DATE: 5/4/2011 8:03:56 PM
REPORT DATE: 5/4/2011 8:09:18 PM
SCAN DURATION: 00:03:04
Total Requests: 2977
Average Speed: 16.14 req/sec.
8 identified, 3 confirmed, 2 critical, 3 informational

SCAN SETTINGS

PROFILE: Previous Settings
ENABLED ENGINES: Blind SQL Injection, Boolean SQL Injection, SQL Injection
Authentication
Scheduled

VULNERABILITIES

CRITICAL: 25 %
IMPORTANT: 13 %
LOW: 25 %
INFORMATION: 38 %

VULNERABILITY SUMMARY

URL                               Parameter  Method  Vulnerability                    Confirmed
/areadirect/advertiser_login.htm                     Password Transmitted Over HTTP   Yes
                                                     Auto Complete Enabled            Yes
/asp/                                                Forbidden Resource               Yes
/asp/application.asp                                 Database Error Message           No
                                                     IIS Version Disclosure           No
/asp/edit_creative.asp            CID        GET     [Probable] SQL Injection         No
                                  CNum       GET     [Probable] SQL Injection         No
/pr_030804.htm                                       E-mail Address Disclosure        No

[Probable] SQL Injection

2 TOTAL, CRITICAL
SQL Injection occurs when data input, for example by a user, is interpreted as a SQL command rather than as normal data by the backend database. This is an extremely common vulnerability, and its successful exploitation can have critical implications. Even though Netsparker believes that there is a SQL Injection here, it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure that it is an SQL Injection and that it needs to be addressed. You can also consider sending the details of this issue to us so that we can address it in future and give you a more precise result.

Impact

Depending on the backend database, database connection settings and the operating system, an attacker can successfully mount one or more of the following types of attacks:

Actions to Take

  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL) within the architecture, consider its benefits and implement it if appropriate. As a minimum, the use of a DAL will help centralize the issue and its resolution. You can also use an ORM (object relational mapping). Most ORM systems use parameterized queries, and this can solve many if not all SQL Injection based problems.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries)
  4. Monitor and review weblogs and application logs in order to uncover active or previous exploitation attempts.

Remedy

A very robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to test for SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.

/asp/edit_creative.asp

http://www.bannerspace.com/asp/edit_creative.asp?CID=%2527&CNum=10

Parameters

Parameter Type Value
CID GET %27
CNum GET 10

Request

GET /asp/edit_creative.asp?CID=%2527&CNum=10 HTTP/1.1
Referer: http://www.bannerspace.com/advertiser/traffic_summary_example.htm
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bannerspace.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 20:10:53 GMT
P3P: CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/html
Cache-control: private
Transfer-Encoding: chunked



<html>
<head>
<title>BannerSpace.com, Internet Advertising Solutions.</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script type="text/javascript" language="javascript" src="/resources/sniffer.js"></script>
<script type="text/javascript" language="javascript1.2" src="/resources/custom.js"></script>
<script type="text/javascript" language="javascript1.2" src="/resources/style.js"></script>
<link rel="stylesheet" href="/styles/main.css">
<style type="text/css" media="all">@import "/styles/main.css";</style>
<style>
<!--
input {background-color: #fede01; font-family: verdana; font-weight: normal; color: #800000; font-size: 8pt; border: 1px solid;}
select {background-color: #fede01; font-family: verdana; font-weight: normal; color: #800000; font-size: 8pt;}
input.but1 {background-color: #c0c0c0; font-family: arial; font-weight: normal; color: #000000; font-size: 10pt;}
input.but2 {background-color: ##fede01; font-family: verdana; font-weight: bold; color: #800000; font-size: 9pt;}
input.cb {background-color: #808080; font-size: 8pt; foreground-color: #808080; border: none;}
input.cb3 {background-color: #c0c0c0; font-size: 8pt; border: none;}

-->
</style>
<!-- Roll-over script -->
<script language=JavaScript>
agent = navigator.userAgent;
version = "no";
if (agent.substring(0,7) == "Mozilla")
{
if (parseInt(agent.substring(8,9)) >=3)
{
version = "ok";}
}
if (version == "ok")
{
/*var imagea = new Image();
imagea.src = '/images/line04.gif';
var imageb = new Image();
imageb.src = '/images/bs_top4a.gif';
var imagec = new Image();
imagec.src = '/images/bridge4b.gif'; */

b0 = new Image();
b0.src = "/images/home.gif";
b0on = new Image();
b0on.src = "/images/home_on.gif";
b1 = new Image();
b1.src = "/images/adv.gif";
b1on = new Image();
b1on.src = "/images/adv_on.gif";
b2 = new Image();
b2.src = "/images/pub.gif";
b2on = new Image();
b2on.src = "/images/pub_on.gif";
b3 = new Image();
b3.src = "/images/cre.gif";
b3on = new Image();
b3on.src = "/images/cre_on.gif";
b4 = new Image();
b4.src = "/images/adserv.gif";
b4on = new Image();
b4on.src = "/images/adserv_on.gif";
b5 = new Image();
b5.src = "/images/login.gif";
b5on = new Image();
b5on.src = "/images/login_on.gif";
b6 = new Image();
b6.src = "/images/contact.gif";
b6on = new Image();
b6on.src = "/images/contact_on.gif";
b7 = new Image();
b7.src = "/images/l_ea.gif";
b7on = new Image();
b7on.src = "/images/l_ea_on.gif";
b8 = new Image();
b8.src = "/images/l_res.gif";
b8on = new Image();
b8on.src = "/images/l_res_on.gif";
b9 = new Image();
b9.src = "/images/l_mc.gif";
b9on = new Image();
b9on.src = "/images/l_mc_on.gif";
b10 = new Image();
b10.src = "/images/l_lo.gif";
b10on = new Image();
b10on.src = "/images/l_lo_on.gif";
}
function change_image(imgDocID,imgObjName)
{
if (version == "ok")
{
//alert("imgDocID = "+imgDocID+", imgObjName = " + imgObjName);
document.images[imgDocID].src = eval(imgObjName + ".src");
}
}
function viewAd(CID,MName,CNum,w,h,Type,URL) {
var ext = '.gif';
if (Type == 'Pop-Under') ext = '.asp';
if (Type == 'HTML') ext = '.asp';
var viewURL;
viewURL = 'http://www3.bannerspace.com/adimages/' + CID + CNum + ext;
if (URL != '') viewURL = URL;
viewWin = window.open(viewURL,'viewWin','width=' + w + ',height=' + h + ',directories=no,location=no,menubar=no,scrollbars=no,status=no,toolbar=no,resizable=no,marginwidth=0');
viewWin.focus;
}
</script>
<!-- End of rollover script-->


<!-- This positions the dropdown menu -->
<script language="javascript">
var imgObj;
function over(imgNum)
{
if(menuReadyState)
{
imgObj = document.images["b"+imgNum];
xPos = getRealLeft(imgObj);
yPos = getRealTop(imgObj);
activateMenu(imgNum,xPos+0,yPos+imgObj.height+0);
}
}
</script>
<!-- End of Drop Down Menu positioning -->
<script language="javascript">
function logOut() {
var p = '';
expires = new Date();
expires.setDate(expires.getDate() -1);
document.cookie = "bscp" + "=" + p + "; domain=" + ".bannerspace.com" + "; path=/; expires=" + expires.toGMTString();
document.cookie = "bscid" + "=" + '' + "; domain=" + ".bannerspace.com" + "; path=/; expires=" + expires.toGMTString();
document.location = "/login/advertiser_login.htm";
}
</script>
</HEAD>
<BODY background="/images/line04.gif" topMargin=0><BR>
<TABLE bgColor=#800000 border=0 cellPadding=0 cellSpacing=0
style="BORDER-BOTTOM: rgb(128,0,0) 3px solid; BORDER-LEFT: rgb(128,0,0) 3px solid; BORDER-RIGHT: rgb(128,0,0) 3px solid; BORDER-TOP: rgb(128,0,0) 3px solid"
width=700 align=left>
<TR>
<TD align=right bgColor=#ffffff colSpan=2><IMG
alt="Internet advertising solutions." height=70
src="/images/bs_top4a.gif" width=700></TD></TR>
<TR>
<TD align=center bgColor=#608080 vAlign=center colspan=2><a href="/home.htm" height="20" width="100" onmouseover="change_image('b0', 'b0on'); return true" onmouseout="change_image('b0', 'b0'); return true"><img src="/images/home.gif" name="b0" width=100 height=20 alt="" border=0></a><a href="/advertiser/advertiser_overview.htm" height="20" width="100" onmouseover="over(1); change_image('b1', 'b1on'); return true" onmouseout="deactivateMenus(false); change_image('b1', 'b1'); return true"><img src="/images/adv.gif" name="b1" width=100 height=20 alt="" border=0></a><a href="/publisher/publisher_overview.htm" height="20" width="100" onmouseover="over(2); change_image('b2', 'b2on'); return true" onmouseout="deactivateMenus(false); change_image('b2', 'b2'); return true"><img src="/images/pub.gif" name="b2" width=100 height=20 alt="" border=0></a><a href="/creative/creative_development.htm" height="20" width="100" onmouseover="over(3); change_image('b3', 'b3on'); return true" onmouseout="deactivateMenus(false); change_image('b3', 'b3'); return true"><img src="/images/cre.gif" name="b3" width=100 height=20 alt="" border=0></a><a href="/adserving/adserving_overview.htm" height="20" width="100" onmouseover="over(4); change_image('b4', 'b4on'); return true" onmouseout="deactivateMenus(false); change_image('b4', 'b4'); return true"><img src="/images/adserv.gif" name="b4" width=100 height=20 alt="" border=0></a><a href="/login/login_overview.htm" height="20" width="100" onmouseover="over(5); change_image('b5', 'b5on'); return true" onmouseout="deactivateMenus(false); change_image('b5', 'b5'); return true"><img src="/images/login.gif" name="b5" width=100 height=20 alt="" border=0></a><a href="/contact.htm" height="20" width="100" onmouseover="change_image('b6', 'b6on'); return true" onmouseout="change_image('b6', 'b6'); return true"><img src="/images/contact.gif" name="b6" width=100 height=20 alt="" border=0></a></TD>
</TR>
<TR>
<TD width=214>
<TABLE border=0 cellPadding=0 cellSpacing=0 width=698 align=center>
<TR>
<TD bgColor="#D1D1D1" vAlign=top align=center height=40><img src="/images/top_mc_data.gif" width="700" height="40"></td>
</tr>
<tr>
<td align="center"bgcolor="#D1D1D1" style="padding-left: 5px; padding-right: 5px;">
<!-- Big Content -->
<font face="Arial" size=2><p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=2>error '80004005'</font><p><font face="Arial" size=2>[Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified</font><p><font face="Arial" size=2>/asp/edit_creative.asp</font><font face="Arial" size=2>, line 165</font>

/asp/edit_creative.asp

http://www.bannerspace.com/asp/edit_creative.asp?CID=1139&CNum=%2527

Parameters

Parameter Type Value
CID GET 1139
CNum GET %27

Request

GET /asp/edit_creative.asp?CID=1139&CNum=%2527 HTTP/1.1
Referer: http://www.bannerspace.com/advertiser/traffic_summary_example.htm
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bannerspace.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 20:10:59 GMT
P3P: CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/html
Cache-control: private
Transfer-Encoding: chunked



<font face="Arial" size=2><p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=2>error '80004005'</font><p><font face="Arial" size=2>[Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified</font><p><font face="Arial" size=2>/asp/edit_creative.asp</font><font face="Arial" size=2>, line 165</font>

Password Transmitted Over HTTP

1 TOTAL, IMPORTANT, CONFIRMED: 1
Netsparker identified that password data is sent over HTTP.

Impact

If an attacker can intercept network traffic, he/she can steal users' credentials.

Actions to Take

  1. See the remedy for solution.
  2. Move all of your critical forms and pages to HTTPS and do not serve them over HTTP.

Remedy

All sensitive data should be transferred over HTTPS rather than HTTP. Forms should be served over HTTPS. All aspects of the application that accept user input starting from the login process should only be served over HTTPS.

/areadirect/advertiser_login.htm CONFIRMED

http://www.bannerspace.com/areadirect/advertiser_login.htm

Form target action: main.asp

Request

GET /areadirect/advertiser_login.htm HTTP/1.1
Referer: http://www.bannerspace.com/asp/client_update.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bannerspace.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
P3P: CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Wed, 04 May 2011 20:10:40 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Sat, 28 Feb 2004 05:00:00 GMT
ETag: "088bdb7b7fdc31:2de4"
Content-Length: 12887


<html>
<head>
<title>BannerSpace.com, Internet Advertising Solutions.</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script>
var doCookie = 1;
</script>
<script type="text/javascript" language="javascript" src="/resources/sniffer.js"></script>
<script type="text/javascript" language="javascript1.2" src="/resources/custom.js"></script>
<script type="text/javascript" language="javascript1.2" src="/resources/style.js"></script>
<link rel="stylesheet" href="/styles/main.css">
<style type="text/css" media="all">@import "/styles/main.css";</style>
<style>
<!--
input {background-color: #fede01; font-family: verdana; font-weight: bold; color: #800000; font-size: 8pt;}
input.but1 {background-color: #c0c0c0; font-family: arial; font-weight: normal; color: #000000; font-size: 10pt;}
input.but2 {background-color: #c0c0c0; font-family: arial; font-weight: bold; color: #800000; font-size: 10pt;}
input.cb {background-color: #808080;}
-->
</style>
<!-- Roll-over script -->
<script language=JavaScript>
agent = navigator.userAgent;
version = "no";
if (agent.substring(0,7) == "Mozilla")
{
if (parseInt(agent.substring(8,9)) >=3)
{
version = "ok";}
}
if (version == "ok")
{
/*var imagea = new Image();
imagea.src = '/images/line04.gif';
var imageb = new Image();
imageb.src = '/images/bs_top4a.gif';
var imagec = new Image();
imagec.src = '/images/bridge4b.gif'; */

b0 = new Image();
b0.src = "/images/home.gif";
b0on = new Image();
b0on.src = "/images/home_on.gif";
b1 = new Image();
b1.src = "/images/adv.gif";
b1on = new Image();
b1on.src = "/images/adv_on.gif";
b2 = new Image();
b2.src = "/images/pub.gif";
b2on = new Image();
b2on.src = "/images/pub_on.gif";
b3 = new Image();
b3.src = "/images/cre.gif";
b3on = new Image();
b3on.src = "/images/cre_on.gif";
b4 = new Image();
b4.src = "/images/adserv.gif";
b4on = new Image();
b4on.src = "/images/adserv_on.gif";
b5 = new Image();
b5.src = "/images/login.gif";
b5on = new Image();
b5on.src = "/images/login_on.gif";
b6 = new Image();
b6.src = "/images/contact.gif";
b6on = new Image();
b6on.src = "/images/contact_on.gif";
b7 = new Image();
b7.src = "/images/l_ea.gif";
b7on = new Image();
b7on.src = "/images/l_ea_on.gif";
b8 = new Image();
b8.src = "/images/l_res.gif";
b8on = new Image();
b8on.src = "/images/l_res_on.gif";
b9 = new Image();
b9.src = "/images/l_mc.gif";
b9on = new Image();
b9on.src = "/images/l_mc_on.gif";
b10 = new Image();
b10.src = "/images/l_lo.gif";
b10on = new Image();
b10on.src = "/images/l_lo_on.gif";
}
function change_image(imgDocID,imgObjName)
{
if (version == "ok")
{
//alert("imgDocID = "+imgDocID+", imgObjName = " + imgObjName);
document.images[imgDocID].src = eval(imgObjName + ".src");
}
}
</script>
<!-- End of rollover script-->

<!-- This positions the dropdown menu -->
<script language="javascript">
var imgObj;
function over(imgNum)
{
if(menuReadyState)
{
imgObj = document.images["b"+imgNum];
xPos = getRealLeft(imgObj);
yPos = getRealTop(imgObj);
activateMenu(imgNum,xPos+0,yPos+imgObj.height+0);
}
}
</script>
<!-- End of Drop Down Menu positioning -->
<!-- Login Script -->
<script language=javascript type="text/javascript">
<!--
function GetCookie() {
var cp;
cp = findCookie('bscp');
if (cp != null) {
document.excelReport.P.value = cp;
if (document.excelReport.P.value == "null") {
document.excelReport.remember.checked = false;
document.excelReport.P.value = "";
}
}
cp = findCookie('bscid');
if (cp != null) {
document.excelReport.CID.value = cp;
if (document.excelReport.CID.value == "null") {
document.excelReport.remember.checked = false;
document.excelReport.CID.value = "";
}
}
cp = findCookie('crem');
if (cp == 1) {document.excelReport.remember.checked = true;}
}
function findCookie(c) {
var cname = c + "=";
var dc = document.cookie;
if (dc.length > 0) {
begin = dc.indexOf(cname);
if (begin != -1) {
begin += cname.length;
end = dc.indexOf(";", begin);
if (end == -1) end = dc.length;
var retVal = unescape(dc.substring(begin, end));
return retVal;
}
}
return null;
}
function SetCookie() {
var p;
p = document.excelReport.P.value;
expires = new Date();
if (document.excelReport.remember.checked) {
expires.setDate(expires.getDate() + 1000);
document.cookie = "bscp" + "=" + p + "; domain=" + ".bannerspace.com" + "; path=/; expires=" + expires.toGMTString();
document.cookie = "bscid" + "=" + document.excelReport.CID.value + "; domain=" + ".bannerspace.com" + "; path=/; expires=" + expires.toGMTString();
document.cookie = "crem" + "=" + "1" + "; domain=" + ".bannerspace.com" + "; path=/; expires=" + expires.toGMTString();
} else {
document.cookie = "bscp" + "=" + p + "; domain=" + ".bannerspace.com" + "; path=/;"
document.cookie = "bscid" + "=" + document.excelReport.CID.value + "; domain=" + ".bannerspace.com" + "; path=/;"
document.cookie = "crem" + "=" + "0" + "; domain=" + ".bannerspace.com" + "; path=/;"
}
document.excelReport.submit();
}
// -->
</script>
<!-- End of Login Script-->
</HEAD>
<BODY topMargin=0 background="/images/line04.gif">
<BR>
<TABLE bgColor=#800000 border=0 cellPadding=0 cellSpacing=0
style="BORDER-BOTTOM: rgb(128,0,0) 3px solid; BORDER-LEFT: rgb(128,0,0) 3px solid; BORDER-RIGHT: rgb(128,0,0) 3px solid; BORDER-TOP: rgb(128,0,0) 3px solid"
width=700 align=left>
<TR>
<TD align=right bgColor=#ffffff colSpan=2><IMG
alt="Internet advertising solutions." height=70
src="/images/bs_top4a.gif" width=700></TD></TR>
<TR>
<TD align=center bgColor=#608080 vAlign=center colspan=2><a href="/home.htm" height="20" width="100" onmouseover="change_image('b0', 'b0on'); return true" onmouseout="change_image('b0', 'b0'); return true"><img src="/images/home.gif" name="b0" width=100 height=20 alt="" border=0></a><a href="/advertiser/advertiser_overview.htm" height="20" width="100" onmouseover="over(1); change_image('b1', 'b1on'); return true" onmouseout="deactivateMenus(false); change_image('b1', 'b1'); return true"><img src="/images/adv.gif" name="b1" width=100 height=20 alt="" border=0></a><a href="/publisher/publisher_overview.htm" height="20" width="100" onmouseover="over(2); change_image('b2', 'b2on'); return true" onmouseout="deactivateMenus(false); change_image('b2', 'b2'); return true"><img src="/images/pub.gif" name="b2" width=100 height=20 alt="" border=0></a><a href="/creative/creative_development.htm" height="20" width="100" onmouseover="over(3); change_image('b3', 'b3on'); return true" onmouseout="deactivateMenus(false); change_image('b3', 'b3'); return true"><img src="/images/cre.gif" name="b3" width=100 height=20 alt="" border=0></a><a href="/adserving/adserving_overview.htm" height="20" width="100" onmouseover="over(4); change_image('b4', 'b4on'); return true" onmouseout="deactivateMenus(false); change_image('b4', 'b4'); return true"><img src="/images/adserv.gif" name="b4" width=100 height=20 alt="" border=0></a><a href="/login/login_overview.htm" height="20" width="100" onmouseover="over(5); change_image('b5', 'b5on'); return true" onmouseout="deactivateMenus(false); change_image('b5', 'b5'); return true"><img src="/images/login.gif" name="b5" width=100 height=20 alt="" border=0></a><a href="/contact.htm" height="20" width="100" onmouseover="change_image('b6', 'b6on'); return true" onmouseout="change_image('b6', 'b6'); return true"><img src="/images/contact.gif" name="b6" width=100 height=20 alt="" border=0></a></TD>
</TR>
<TR>
<TD bgColor=#000000 style="BORDER: #000000 2px solid" width=214>
<TABLE border=0 cellPadding=0 cellSpacing=0 width=698 align=center>
<TR>
<TD bgColor=#d1d1d1 colSpan=2 width=698><IMG alt=advertise height=20
src="/images/sec_top_rep1.gif" width=700></TD></TR>
<TR>
<TD bgColor=#999999 vAlign=top width=138><!--<a href="/asp/client_update.asp" height="18" width="150" onmouseover="change_image('b7', 'b7on'); return true" onmouseout="change_image('b7', 'b7'); return true"><IMG name="b7" height=18 src="/images/l_ea.gif" width=150 BORDER=0></a><BR><a href="#" height="18" width="150" onmouseover="change_image('b9', 'b9on'); return true" onmouseout="change_image('b9', 'b9'); return true"><IMG name="b9" height=18 src="/images/l_mc.gif" width=150 BORDER=0></a><BR><a href="#" height="18" width="150" onmouseover="change_image('b10', 'b10on'); return true" onmouseout="change_image('b10', 'b10'); return true"><IMG name="b10" height=18 src="/images/l_lo.gif" width=150 BORDER=0></a><BR><a href="advertiser_reports.asp" height="18" width="150" onmouseover="change_image('b8', 'b8on'); return true" onmouseout="change_image('b8', 'b8'); return true"><IMG name="b8" height=18 src="/images/l_res.gif" width=150 BORDER=0></a> --><IMG height=18 src="/images/l_bot_blank.gif" width=150 BORDER=0><BR><BR><table cellpadding=0 cellspacing=0 border=0 align=center width=128 height=128>
<tr>
<td>
<!-- SMALL CONTENT OR 125x125 GRAPHIC HERE -->
</td>
</tr>
</table><br>
</td>
<td width="560" bgcolor="#D1D1D1" valign="top" align="left"><!-- LARGE CONTENT HERE --><form method="POST" name="excelReport" action="main.asp" align="left">
<table cellSpacing="0" cellPadding="0" width="540" height="300" class="cont1">
<tr>
<td valign="top"><img src="/images/top_re.gif" width="550" height="40"><br>
<table border="0" cellpadding="0" cellspacing="0" width="490" align="center">
<tr>
<td valign="top" align="left"><br>
<br>
</td>
</tr>
<tr>
<td valign="middle" align="left" height="178" bgcolor="#C0C0C0" style="border: 1 solid rgb(0,0,0); padding-left: 50"><font color="#80000" face="Arial"><strong>Advertiser Login</strong></font><table border="0" cellpadding="0" cellspacing="1" width="350" style="border-left: 2 solid rgb(128,0,0); border-right: 2 groove rgb(128,0,0); border-top: 2 double rgb(128,0,0); border-bottom: 2 outset rgb(128,0,0)"
bgcolor="#C0C0C0">
<tr>
<td bgcolor="#800000" style="padding-right: 2px" align="right"><font face="Arial" size="2"
color="#FFFFFF">Client ID:</font></td>
<td bgcolor="#808080"><input type="text" name="CID" size="20"> </td>
</tr>
<tr>
<td bgcolor="#800000" style="padding-right: 2px" align="right"><font face="Arial" size="2"
color="#FFFFFF">Password:</font></td>
<td bgcolor="#808080"><input type="Password" name="P" size="20"></td>
</tr>
<tr>
<td bgcolor="#800000" style="padding-right: 2px" align="right"></td>
<td bgcolor="#808080"><input type="button" value="Login" name="Login" class="but2" onClick="SetCookie();">
&nbsp;<input type=checkbox class=cb name=remember value="on"><font color=#FFFFFF><small><small>Remember Me</small></small></font>
</td></tr></table></td></tr></table></td></tr></table></form><!-- End of Large Content -->
</td>
</tr>
</table>
</td>
</tr>
<tr>
<TD align=middle bgColor=#800000 colSpan=2 height=30 style="PADDING-LEFT: 4px" vAlign=center width=702><font face=Arial color=#fede01 size=2><a href="/home.htm" class="do">&nbsp;Home&nbsp;</a>|<a href="http://www.bannerspace.com/advertiser/advertiser_overview.htm" class="do">&nbsp;Advertisers&nbsp;</a>|<a href="http://www.bannerspace.com/publisher/publisher_overview.htm" class="do">&nbsp;Publishers&nbsp;</a>|<a href="http://www.bannerspace.com/creative/creative_development.htm" class="do">&nbsp;Creative&nbsp;</a>|<a href="http://www.bannerspace.com/adserving/adserving_overview.htm" class="do">&nbsp;Ad Serving&nbsp;</a>|<a href="http://www.bannerspace.com/login/login_overview.htm" class="do">&nbsp;Login&nbsp;</a>|<a href="http://www.bannerspace.com/privacy.htm" class="do">&nbsp;Privacy&nbsp;</a>|<a href="http://www.bannerspace.com/contact.htm" class="do">&nbsp;Contact&nbsp;</a><br>
<small>Copyright &#169; 1998 - <script>crdate()</script><noscript>2006</noscript>, BannerSpace.com, Inc.</small>
</font></TD>
</tr>
</table>
<!-- dropdown menu call -->
<script type="text/javascript" language="javascript1.2" src="/resources/menu.js"></script>
<!-- /dropdown menu call -->
</BODY></HTML>

Auto Complete Enabled

1 TOTAL | LOW | CONFIRMED 1
"Auto Complete" was enabled in one or more of the form fields. These were either "password" fields or important fields such as "Credit Card".

Impact

Data entered in these fields will be cached by the browser. An attacker who can access the victim's browser could steal this information. This is especially important if the application is commonly used on shared computers, such as those in cyber cafes or airport terminals.

Remedy

Add the attribute autocomplete="off" to the form tag or to individual "input" fields.

Actions to Take

  1. See the remedy for the solution.
  2. Find all instances of inputs which store private data and disable autocomplete. Fields which contain data such as "Credit Card" or "CCV" type data should not be cached. You can allow the application to cache usernames and remember passwords, however, in most cases this is not recommended.
  3. Re-scan the application after addressing the identified issues to ensure that all of the fixes have been applied properly.

Required Skills for Successful Exploitation

Dumping all data from a browser can be fairly easy, and a number of automated tools exist to do this. Where the attacker cannot dump the data, he/she could still browse the recently visited websites and activate the auto-complete feature to see previously entered values.

- /areadirect/advertiser_login.htm

/areadirect/advertiser_login.htm CONFIRMED

http://www.bannerspace.com/areadirect/advertiser_login.htm

Identified Field Name

P

Request

GET /areadirect/advertiser_login.htm HTTP/1.1
Referer: http://www.bannerspace.com/asp/client_update.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bannerspace.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
P3P: CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Wed, 04 May 2011 20:10:40 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Sat, 28 Feb 2004 05:00:00 GMT
ETag: "088bdb7b7fdc31:2de4"
Content-Length: 12887


<html>
<head>
<title>BannerSpace.com, Internet Advertising Solutions.</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script>
var doCookie = 1;
</script>
<script type="text/javascript" language="javascript" src="/resources/sniffer.js"></script>
<script type="text/javascript" language="javascript1.2" src="/resources/custom.js"></script>
<script type="text/javascript" language="javascript1.2" src="/resources/style.js"></script>
<link rel="stylesheet" href="/styles/main.css">
<style type="text/css" media="all">@import "/styles/main.css";</style>
<style>
<!--
input {background-color: #fede01; font-family: verdana; font-weight: bold; color: #800000; font-size: 8pt;}
input.but1 {background-color: #c0c0c0; font-family: arial; font-weight: normal; color: #000000; font-size: 10pt;}
input.but2 {background-color: #c0c0c0; font-family: arial; font-weight: bold; color: #800000; font-size: 10pt;}
input.cb {background-color: #808080;}
-->
</style>
<!-- Roll-over script -->
<script language=JavaScript>
agent = navigator.userAgent;
version = "no";
if (agent.substring(0,7) == "Mozilla")
{
if (parseInt(agent.substring(8,9)) >=3)
{
version = "ok";}
}
if (version == "ok")
{
/*var imagea = new Image();
imagea.src = '/images/line04.gif';
var imageb = new Image();
imageb.src = '/images/bs_top4a.gif';
var imagec = new Image();
imagec.src = '/images/bridge4b.gif'; */

b0 = new Image();
b0.src = "/images/home.gif";
b0on = new Image();
b0on.src = "/images/home_on.gif";
b1 = new Image();
b1.src = "/images/adv.gif";
b1on = new Image();
b1on.src = "/images/adv_on.gif";
b2 = new Image();
b2.src = "/images/pub.gif";
b2on = new Image();
b2on.src = "/images/pub_on.gif";
b3 = new Image();
b3.src = "/images/cre.gif";
b3on = new Image();
b3on.src = "/images/cre_on.gif";
b4 = new Image();
b4.src = "/images/adserv.gif";
b4on = new Image();
b4on.src = "/images/adserv_on.gif";
b5 = new Image();
b5.src = "/images/login.gif";
b5on = new Image();
b5on.src = "/images/login_on.gif";
b6 = new Image();
b6.src = "/images/contact.gif";
b6on = new Image();
b6on.src = "/images/contact_on.gif";
b7 = new Image();
b7.src = "/images/l_ea.gif";
b7on = new Image();
b7on.src = "/images/l_ea_on.gif";
b8 = new Image();
b8.src = "/images/l_res.gif";
b8on = new Image();
b8on.src = "/images/l_res_on.gif";
b9 = new Image();
b9.src = "/images/l_mc.gif";
b9on = new Image();
b9on.src = "/images/l_mc_on.gif";
b10 = new Image();
b10.src = "/images/l_lo.gif";
b10on = new Image();
b10on.src = "/images/l_lo_on.gif";
}
function change_image(imgDocID,imgObjName)
{
if (version == "ok")
{
//alert("imgDocID = "+imgDocID+", imgObjName = " + imgObjName);
document.images[imgDocID].src = eval(imgObjName + ".src");
}
}
</script>
<!-- End of rollover script-->

<!-- This positions the dropdown menu -->
<script language="javascript">
var imgObj;
function over(imgNum)
{
if(menuReadyState)
{
imgObj = document.images["b"+imgNum];
xPos = getRealLeft(imgObj);
yPos = getRealTop(imgObj);
activateMenu(imgNum,xPos+0,yPos+imgObj.height+0);
}
}
</script>
<!-- End of Drop Down Menu positioning -->
<!-- Login Script -->
<script language=javascript type="text/javascript">
<!--
function GetCookie() {
var cp;
cp = findCookie('bscp');
if (cp != null) {
document.excelReport.P.value = cp;
if (document.excelReport.P.value == "null") {
document.excelReport.remember.checked = false;
document.excelReport.P.value = "";
}
}
cp = findCookie('bscid');
if (cp != null) {
document.excelReport.CID.value = cp;
if (document.excelReport.CID.value == "null") {
document.excelReport.remember.checked = false;
document.excelReport.CID.value = "";
}
}
cp = findCookie('crem');
if (cp == 1) {document.excelReport.remember.checked = true;}
}
function findCookie(c) {
var cname = c + "=";
var dc = document.cookie;
if (dc.length > 0) {
begin = dc.indexOf(cname);
if (begin != -1) {
begin += cname.length;
end = dc.indexOf(";", begin);
if (end == -1) end = dc.length;
var retVal = unescape(dc.substring(begin, end));
return retVal;
}
}
return null;
}
function SetCookie() {
var p;
p = document.excelReport.P.value;
expires = new Date();
if (document.excelReport.remember.checked) {
expires.setDate(expires.getDate() + 1000);
document.cookie = "bscp" + "=" + p + "; domain=" + ".bannerspace.com" + "; path=/; expires=" + expires.toGMTString();
document.cookie = "bscid" + "=" + document.excelReport.CID.value + "; domain=" + ".bannerspace.com" + "; path=/; expires=" + expires.toGMTString();
document.cookie = "crem" + "=" + "1" + "; domain=" + ".bannerspace.com" + "; path=/; expires=" + expires.toGMTString();
} else {
document.cookie = "bscp" + "=" + p + "; domain=" + ".bannerspace.com" + "; path=/;"
document.cookie = "bscid" + "=" + document.excelReport.CID.value + "; domain=" + ".bannerspace.com" + "; path=/;"
document.cookie = "crem" + "=" + "0" + "; domain=" + ".bannerspace.com" + "; path=/;"
}
document.excelReport.submit();
}
// -->
</script>
<!-- End of Login Script-->
</HEAD>
<BODY topMargin=0 background="/images/line04.gif">
<BR>
<TABLE bgColor=#800000 border=0 cellPadding=0 cellSpacing=0
style="BORDER-BOTTOM: rgb(128,0,0) 3px solid; BORDER-LEFT: rgb(128,0,0) 3px solid; BORDER-RIGHT: rgb(128,0,0) 3px solid; BORDER-TOP: rgb(128,0,0) 3px solid"
width=700 align=left>
<TR>
<TD align=right bgColor=#ffffff colSpan=2><IMG
alt="Internet advertising solutions." height=70
src="/images/bs_top4a.gif" width=700></TD></TR>
<TR>
<TD align=center bgColor=#608080 vAlign=center colspan=2><a href="/home.htm" height="20" width="100" onmouseover="change_image('b0', 'b0on'); return true" onmouseout="change_image('b0', 'b0'); return true"><img src="/images/home.gif" name="b0" width=100 height=20 alt="" border=0></a><a href="/advertiser/advertiser_overview.htm" height="20" width="100" onmouseover="over(1); change_image('b1', 'b1on'); return true" onmouseout="deactivateMenus(false); change_image('b1', 'b1'); return true"><img src="/images/adv.gif" name="b1" width=100 height=20 alt="" border=0></a><a href="/publisher/publisher_overview.htm" height="20" width="100" onmouseover="over(2); change_image('b2', 'b2on'); return true" onmouseout="deactivateMenus(false); change_image('b2', 'b2'); return true"><img src="/images/pub.gif" name="b2" width=100 height=20 alt="" border=0></a><a href="/creative/creative_development.htm" height="20" width="100" onmouseover="over(3); change_image('b3', 'b3on'); return true" onmouseout="deactivateMenus(false); change_image('b3', 'b3'); return true"><img src="/images/cre.gif" name="b3" width=100 height=20 alt="" border=0></a><a href="/adserving/adserving_overview.htm" height="20" width="100" onmouseover="over(4); change_image('b4', 'b4on'); return true" onmouseout="deactivateMenus(false); change_image('b4', 'b4'); return true"><img src="/images/adserv.gif" name="b4" width=100 height=20 alt="" border=0></a><a href="/login/login_overview.htm" height="20" width="100" onmouseover="over(5); change_image('b5', 'b5on'); return true" onmouseout="deactivateMenus(false); change_image('b5', 'b5'); return true"><img src="/images/login.gif" name="b5" width=100 height=20 alt="" border=0></a><a href="/contact.htm" height="20" width="100" onmouseover="change_image('b6', 'b6on'); return true" onmouseout="change_image('b6', 'b6'); return true"><img src="/images/contact.gif" name="b6" width=100 height=20 alt="" border=0></a></TD>
</TR>
<TR>
<TD bgColor=#000000 style="BORDER: #000000 2px solid" width=214>
<TABLE border=0 cellPadding=0 cellSpacing=0 width=698 align=center>
<TR>
<TD bgColor=#d1d1d1 colSpan=2 width=698><IMG alt=advertise height=20
src="/images/sec_top_rep1.gif" width=700></TD></TR>
<TR>
<TD bgColor=#999999 vAlign=top width=138><!--<a href="/asp/client_update.asp" height="18" width="150" onmouseover="change_image('b7', 'b7on'); return true" onmouseout="change_image('b7', 'b7'); return true"><IMG name="b7" height=18 src="/images/l_ea.gif" width=150 BORDER=0></a><BR><a href="#" height="18" width="150" onmouseover="change_image('b9', 'b9on'); return true" onmouseout="change_image('b9', 'b9'); return true"><IMG name="b9" height=18 src="/images/l_mc.gif" width=150 BORDER=0></a><BR><a href="#" height="18" width="150" onmouseover="change_image('b10', 'b10on'); return true" onmouseout="change_image('b10', 'b10'); return true"><IMG name="b10" height=18 src="/images/l_lo.gif" width=150 BORDER=0></a><BR><a href="advertiser_reports.asp" height="18" width="150" onmouseover="change_image('b8', 'b8on'); return true" onmouseout="change_image('b8', 'b8'); return true"><IMG name="b8" height=18 src="/images/l_res.gif" width=150 BORDER=0></a> --><IMG height=18 src="/images/l_bot_blank.gif" width=150 BORDER=0><BR><BR><table cellpadding=0 cellspacing=0 border=0 align=center width=128 height=128>
<tr>
<td>
<!-- SMALL CONTENT OR 125x125 GRAPHIC HERE -->
</td>
</tr>
</table><br>
</td>
<td width="560" bgcolor="#D1D1D1" valign="top" align="left"><!-- LARGE CONTENT HERE --><form method="POST" name="excelReport" action="main.asp" align="left">
<table cellSpacing="0" cellPadding="0" width="540" height="300" class="cont1">
<tr>
<td valign="top"><img src="/images/top_re.gif" width="550" height="40"><br>
<table border="0" cellpadding="0" cellspacing="0" width="490" align="center">
<tr>
<td valign="top" align="left"><br>
<br>
</td>
</tr>
<tr>
<td valign="middle" align="left" height="178" bgcolor="#C0C0C0" style="border: 1 solid rgb(0,0,0); padding-left: 50"><font color="#80000" face="Arial"><strong>Advertiser Login</strong></font><table border="0" cellpadding="0" cellspacing="1" width="350" style="border-left: 2 solid rgb(128,0,0); border-right: 2 groove rgb(128,0,0); border-top: 2 double rgb(128,0,0); border-bottom: 2 outset rgb(128,0,0)"
bgcolor="#C0C0C0">
<tr>
<td bgcolor="#800000" style="padding-right: 2px" align="right"><font face="Arial" size="2"
color="#FFFFFF">Client ID:</font></td>
<td bgcolor="#808080"><input type="text" name="CID" size="20"> </td>
</tr>
<tr>
<td bgcolor="#800000" style="padding-right: 2px" align="right"><font face="Arial" size="2"
color="#FFFFFF">Password:</font></td>
<td bgcolor="#808080"><input type="Password" name="P" size="20"></td>
</tr>
<tr>
<td bgcolor="#800000" style="padding-right: 2px" align="right"></td>
<td bgcolor="#808080"><input type="button" value="Login" name="Login" class="but2" onClick="SetCookie();">
&nbsp;<input type=checkbox class=cb name=remember value="on"><font color=#FFFFFF><small><small>Remember Me</small></small></font>
</td></tr></table></td></tr></table></td></tr></table></form><!-- End of Large Content -->
</td>
</tr>
</table>
</td>
</tr>
<tr>
<TD align=middle bgColor=#800000 colSpan=2 height=30 style="PADDING-LEFT: 4px" vAlign=center width=702><font face=Arial color=#fede01 size=2><a href="/home.htm" class="do">&nbsp;Home&nbsp;</a>|<a href="http://www.bannerspace.com/advertiser/advertiser_overview.htm" class="do">&nbsp;Advertisers&nbsp;</a>|<a href="http://www.bannerspace.com/publisher/publisher_overview.htm" class="do">&nbsp;Publishers&nbsp;</a>|<a href="http://www.bannerspace.com/creative/creative_development.htm" class="do">&nbsp;Creative&nbsp;</a>|<a href="http://www.bannerspace.com/adserving/adserving_overview.htm" class="do">&nbsp;Ad Serving&nbsp;</a>|<a href="http://www.bannerspace.com/login/login_overview.htm" class="do">&nbsp;Login&nbsp;</a>|<a href="http://www.bannerspace.com/privacy.htm" class="do">&nbsp;Privacy&nbsp;</a>|<a href="http://www.bannerspace.com/contact.htm" class="do">&nbsp;Contact&nbsp;</a><br>
<small>Copyright &#169; 1998 - <script>crdate()</script><noscript>2006</noscript>, BannerSpace.com, Inc.</small>
</font></TD>
</tr>
</table>
<!-- dropdown menu call -->
<script type="text/javascript" language="javascript1.2" src="/resources/menu.js"></script>
<!-- /dropdown menu call -->
</BODY></HTML>

Database Error Message

1 TOTAL | LOW
Netsparker identified a database error message.

Impact

The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL Injection vulnerability. Most of the time Netsparker will detect and report that problem separately.

Remedy

Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.
- /asp/application.asp

/asp/application.asp

http://www.bannerspace.com/asp/application.asp

Request

GET /asp/application.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bannerspace.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 20:10:16 GMT
P3P: CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/html
Cache-control: private
Content-Length: 360


<font face="Arial" size=2><p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=2>error '80004005'</font><p><font face="Arial" size=2>[Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified</font><p><font face="Arial" size=2>/asp/application.asp</font><font face="Arial" size=2>, line 10</font>

Forbidden Resource

1 TOTAL | INFORMATION | CONFIRMED 1
Access to this resource has been denied by the web server. This is generally not a security issue, and is reported here for information purposes.

Impact

There is no impact resulting from this issue.
- /asp/

/asp/ CONFIRMED

http://www.bannerspace.com/asp/

Request

GET /asp/ HTTP/1.1
Referer: http://www.bannerspace.com/asp/application.asp
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bannerspace.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 403 Access Forbidden
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 20:10:16 GMT
Connection: close
Content-Type: text/html
Content-Length: 172


<html><head><title>Directory Listing Denied</title></head><body><h1>Directory Listing Denied</h1>This Virtual Directory does not allow contents to be listed.</body></html>

E-mail Address Disclosure

1 TOTAL | INFORMATION
Netsparker found e-mail addresses on the web site.

Impact

E-mail addresses discovered within the application can be used by both spam e-mail engines and brute force tools. Furthermore, valid e-mail addresses may lead to social engineering attacks.

Remedy

Use generic e-mail addresses such as contact@ or info@ for general communications, and remove user/people specific e-mail addresses from the web site. Should contact with specific people be required, use submission forms for this purpose.

- /pr_030804.htm

/pr_030804.htm

http://www.bannerspace.com/pr_030804.htm

Found E-mails

pclough@bannerspace.com

Request

GET /pr_030804.htm HTTP/1.1
Referer: http://www.bannerspace.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bannerspace.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
P3P: CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Date: Wed, 04 May 2011 20:10:20 GMT
Content-Type: text/html
Accept-Ranges: bytes
Last-Modified: Mon, 05 Mar 2007 05:00:00 GMT
ETag: "0488c20e35ec71:2de4"
Content-Length: 21226


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0055)http://www.bannerspace.com/advertiser/geo_targeting.htm -->
<HTML><HEAD>
<meta http-equiv="Content-Language" content="en-us">
<TITLE>BannerSpace.com, Geo-targeting and geotargeted advertising.</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META
content="geotargeted advertising,geotargeting,geotargetting,geotargetted,geographic ad targeting"
name=keywords>
<META
content="BannerSpace.com introduces proprietary geotargeted advertising technology to enable geotargeting by city, state, county, zip code, and telephone area code."
name=description>
<SCRIPT language=javascript
src="/resources/sniffer.js"
type=text/javascript></SCRIPT>
<base href="http://www.bannerspace.com/">
<SCRIPT language=javascript1.2
src="/resources/custom.js"
type=text/javascript></SCRIPT>

<SCRIPT language=javascript1.2
src="/resources/style.js"
type=text/javascript></SCRIPT>
<LINK
href="/resources/main.css"
rel=stylesheet>
<STYLE type=text/css media=all>@import url( /styles/main.css );
</STYLE>
<!-- Roll-over script -->
<SCRIPT language=JavaScript>
agent = navigator.userAgent;
version = "no";
if (agent.substring(0,7) == "Mozilla")
{
if (parseInt(agent.substring(8,9)) >=3)
{
version = "ok";}
}
if (version == "ok")
{
/*var imagea = new Image();
imagea.src = '/images/line04.gif';
var imageb = new Image();
imageb.src = '/images/bs_top4a.gif';
var imagec = new Image();
imagec.src = '/images/bridge4b.gif'; */

b0 = new Image();
b0.src = "/images/home.gif";
b0on = new Image();
b0on.src = "/images/home_on.gif";
b1 = new Image();
b1.src = "/images/adv.gif";
b1on = new Image();
b1on.src = "/images/adv_on.gif";
b2 = new Image();
b2.src = "/images/pub.gif";
b2on = new Image();
b2on.src = "/images/pub_on.gif";
b3 = new Image();
b3.src = "/images/cre.gif";
b3on = new Image();
b3on.src = "/images/cre_on.gif";
b4 = new Image();
b4.src = "/images/adserv.gif";
b4on = new Image();
b4on.src = "/images/adserv_on.gif";
b5 = new Image();
b5.src = "/images/login.gif";
b5on = new Image();
b5on.src = "/images/login_on.gif";
b6 = new Image();
b6.src = "/images/contact.gif";
b6on = new Image();
b6on.src = "/images/contact_on.gif";
b7 = new Image();
b7.src = "/images/l_ov.gif";
b7on = new Image();
b7on.src = "/images/l_ov_on.gif";
b8 = new Image();
b8.src = "/images/l_an.gif";
b8on = new Image();
b8on.src = "/images/l_an_on.gif";
b9 = new Image();
b9.src = "/images/l_cc.gif";
b9on = new Image();
b9on.src = "/images/l_cc_on.gif";
b10 = new Image();
b10.src = "/images/l_ps.gif";
b10on = new Image();
b10on.src = "/images/l_ps_on.gif";
b11 = new Image();
b11.src = "/images/l_mb.gif";
b11on = new Image();
b11on.src = "/images/l_mb_on.gif";
b12 = new Image();
b12.src = "/images/l_ke.gif";
b12on = new Image();
b12on.src = "/images/l_ke_on.gif";
b13 = new Image();
b13.src = "/images/l_ge.gif";
b13on = new Image();
b13on.src = "/images/l_ge_on.gif";
b14 = new Image();
b14.src = "/images/l_cr.gif";
b14on = new Image();
b14on.src = "/images/l_cr_on.gif";
b15 = new Image();
b15.src = "/images/l_re.gif";
b15on = new Image();
b15on.src = "/images/l_re_on.gif";
}
function change_image(imgDocID,imgObjName)
{
if (version == "ok")
{
//alert("imgDocID = "+imgDocID+", imgObjName = " + imgObjName);
document.images[imgDocID].src = eval(imgObjName + ".src");
}
}
function sendE(a,name) {
document.write('<a href=mailto:' + a + '@' + 'bannerspace.com>' + name + '</a>');
}
</SCRIPT>
<!-- End of rollover script--><!-- This positions the dropdown menu -->
<SCRIPT language=javascript>
var imgObj;
function over(imgNum)
{
if(menuReadyState)
{
imgObj = document.images["b"+imgNum];
xPos = getRealLeft(imgObj);
yPos = getRealTop(imgObj);
activateMenu(imgNum,xPos+0,yPos+imgObj.height+0);
}
}
</SCRIPT>
<!-- End of Drop Down Menu positioning -->
<META content="Microsoft FrontPage 5.0" name=GENERATOR></HEAD>
<BODY
background="/images//line04.gif"
topMargin=0><BR>
<TABLE
style="BORDER-RIGHT: rgb(128,0,0) 3px solid; BORDER-TOP: rgb(128,0,0) 3px solid; BORDER-LEFT: rgb(128,0,0) 3px solid; BORDER-BOTTOM: rgb(128,0,0) 3px solid"
cellSpacing=0 cellPadding=0 width=700 align=left bgColor=#800000 border=0>
<TBODY>
<TR>
<TD align=right bgColor=#ffffff colSpan=2><IMG height=70
alt="Internet advertising solutions."
src="/images//bs_top4a.gif"
width=700></TD></TR>
<TR>
<TD vAlign=center align=middle bgColor=#608080 colSpan=2><A
onmouseover="change_image('b0', 'b0on'); return true"
onmouseout="change_image('b0', 'b0'); return true"
href="http://www.bannerspace.com/home.htm" width="100" height="20"><IMG
height=20 alt=""
src="/images//home.gif"
width=100 border=0 name=b0></A><A
onmouseover="over(1); change_image('b1', 'b1on'); return true"
onmouseout="deactivateMenus(false); change_image('b1', 'b1'); return true"
href="http://www.bannerspace.com/advertiser/advertiser_overview.htm"
width="100" height="20"><IMG height=20 alt=""
src="/images//adv.gif"
width=100 border=0 name=b1></A><A
onmouseover="over(2); change_image('b2', 'b2on'); return true"
onmouseout="deactivateMenus(false); change_image('b2', 'b2'); return true"
href="http://www.bannerspace.com/publisher/publisher_overview.htm"
width="100" height="20"><IMG height=20 alt=""
src="/images//pub.gif"
width=100 border=0 name=b2></A><A
onmouseover="over(3); change_image('b3', 'b3on'); return true"
onmouseout="deactivateMenus(false); change_image('b3', 'b3'); return true"
href="http://www.bannerspace.com/creative/creative_development.htm"
width="100" height="20"><IMG height=20 alt=""
src="/images//cre.gif"
width=100 border=0 name=b3></A><A
onmouseover="over(4); change_image('b4', 'b4on'); return true"
onmouseout="deactivateMenus(false); change_image('b4', 'b4'); return true"
href="http://www.bannerspace.com/adserving/adserving_overview.htm"
width="100" height="20"><IMG height=20 alt=""
src="/images//adserv.gif"
width=100 border=0 name=b4></A><A
onmouseover="over(5); change_image('b5', 'b5on'); return true"
onmouseout="deactivateMenus(false); change_image('b5', 'b5'); return true"
href="http://www.bannerspace.com/login/login_overview.htm" width="100"
height="20"><IMG height=20 alt=""
src="/images//login.gif"
width=100 border=0 name=b5></A><A
onmouseover="change_image('b6', 'b6on'); return true"
onmouseout="change_image('b6', 'b6'); return true"
href="http://www.bannerspace.com/contact.htm" width="100" height="20"><IMG
height=20 alt=""
src="/images//contact.gif"
width=100 border=0 name=b6></A></TD></TR>
<TR>
<TD
style="BORDER-RIGHT: #000000 2px solid; BORDER-TOP: #000000 2px solid; BORDER-LEFT: #000000 2px solid; BORDER-BOTTOM: #000000 2px solid"
width=214 bgColor=#000000>
<TABLE cellSpacing=0 cellPadding=0 width=698 align=center border=0>
<TBODY>
<TR>
<TD width=698 bgColor=#d1d1d1 colSpan=2><IMG height=20 alt=advertise
src="/images//Sec_top_adv6.gif"
width=700></TD></TR>
<TR>
<TD vAlign=top width=138 bgColor=#999999><A
onmouseover="change_image('b7', 'b7on'); return true"
onmouseout="change_image('b7', 'b7'); return true"
href="http://www.bannerspace.com/advertiser/advertiser_overview.htm"
width="150" height="18"><IMG height=18
src="/images//l_ov.gif"
width=150 border=0 name=b7></A><BR><A
onmouseover="change_image('b8', 'b8on'); return true"
onmouseout="change_image('b8', 'b8'); return true"
href="http://www.bannerspace.com/advertiser/ad_network.htm"
width="150" height="18"><IMG height=18
src="/images//l_an.gif"
width=150 border=0 name=b8></A><BR><A
onmouseover="change_image('b9', 'b9on'); return true"
onmouseout="change_image('b9', 'b9'); return true"
href="http://www.bannerspace.com/advertiser/content_channels.htm"
width="150" height="18"><IMG height=18
src="/images//l_cc.gif"
width=150 border=0 name=b9></A><BR><A
onmouseover="change_image('b10', 'b10on'); return true"
onmouseout="change_image('b10', 'b10'); return true"
href="http://www.bannerspace.com/advertiser/premium_sites.htm"
width="150" height="18"><IMG height=18
src="/images//l_ps.gif"
width=150 border=0 name=b10></A><BR><A
onmouseover="change_image('b11', 'b11on'); return true"
onmouseout="change_image('b11', 'b11'); return true"
href="http://www.bannerspace.com/advertiser/media_buying.htm"
width="150" height="18"><IMG height=18
src="/images//l_mb.gif"
width=150 border=0 name=b11></A><BR><A
onmouseover="change_image('b14', 'b14on'); return true"
onmouseout="change_image('b14', 'b14'); return true"
href="http://www.bannerspace.com/creative/creative_development.htm"
width="150" height="18"><IMG
src="/images//l_cr.gif"
width=150 border=0 name=b14></A><BR><A
onmouseover="change_image('b15', 'b15on'); return true"
onmouseout="change_image('b15', 'b15'); return true"
href="http://www.bannerspace.com/advertiser/reporting.htm"
width="150" height="18"><IMG
src="/images//l_re.gif"
width=150 border=0 name=b15></A><BR><A
onmouseover="change_image('b12', 'b12on'); return true"
onmouseout="change_image('b12', 'b12'); return true"
href="http://www.bannerspace.com/advertiser/keywords.htm"
width="150" height="18"><IMG height=18
src="/images//l_ke.gif"
width=150 border=0 name=b12></A><BR><A
onmouseover="change_image('b13', 'b13on'); return true"
onmouseout="change_image('b13', 'b13'); return true"
href="http://www.bannerspace.com/advertiser/geo_targeting.htm"
width="150" height="18"><IMG height=18
src="/images//l_ge.gif"
width=150 border=0 name=b13></A><BR><BR>
<TABLE height=128 cellSpacing=0 cellPadding=0 width=128 align=center
border=0>
<TBODY>
<TR>
<TD><IMG height=125
src="/images//announce.gif"
width=125 border=0> </TD></TR></TBODY></TABLE><BR></TD>
<TD vAlign=top align=left width=560 bgColor=#d1d1d1><!-- Big Content -->
<TABLE height=20 cellSpacing=0 cellPadding=0 width=540>
<TBODY>
<TR>
<TD>
<IMG height=40 alt="Geo-targeted Advertising."
src="/images/sec_top_nae.gif"
width=550><BR>
<TABLE class=cont1 height=32 cellSpacing=0 cellPadding=0
width=497 align=center border=0>
<TBODY>
<TR>
<TD height=32 width="497"><BR>&nbsp;<table cellpadding="0" cellspacing="0" style="border-style:solid; border-color:#800000; border-collapse: collapse" class="cont1" height="43" border="1" width="472">
<tr>
<td style="padding-left: 12; padding-right: 12; padding-top: 4; padding-bottom: 4; border-left-width:1; border-right-width:1; border-top-width:1; border-bottom-style:solid; border-bottom-width:1" bgcolor="#FFFFCC" height="22" width="446">
<font face="Arial" color="#0000FF" size="2">BannerSpace.com to launch
AreaPoint� Geographic Targeting for Online Advertisers.</font></td>
</tr>
<tr>
<td style="padding-left: 20; padding-right: 8; padding-top: 4; padding-bottom: 4" bgcolor="#F9F9F9" height="21" valign="top" width="442">
<font face="Verdana">Press Release</font><p class="MsoNormal">
BannerSpace.com, Inc., an Internet advertising solutions
provider and interactive media representation firm, will launch
two new geo-targeting products on April 5<sup>th</sup>, 2004.
AreaPoint� and AreaDirect� will make highly precise geographic
targeting of Internet advertising, long an elusive goal of
online advertisers, a reality. </p>
<p class="MsoNormal">Employing new, patent-pending methods, the
<a href="/advertiser/areapoint.htm">AreaPoint�</a> system will be much more accurate than any other form
of online geo-targeting and will enable marketers to reach
specific geographic areas online just as they do via offline
media such as radio, cable television, and yellow page listings.
With a single media buy, AreaPoint� will enable advertisers to
target online ad campaigns to any local region seamlessly across
multiple web sites. </p>
<p class="MsoNormal">An advertiser using AreaPoint� will be
able to select exactly which states, counties, cities, zip
codes, or telephone area codes in which to run an online
campaign. A local business may also define a central zip code,
and radius in miles around that zip code, to target.</p>
<p class="MsoNormal">�A much larger percentage of offline ad
spending is locally targeted, as compared to online
advertising.�, said BannerSpace.com chief executive, Jeff Howes,
�By aggregating and then re-segmenting ad inventory by
geographic location, AreaPoint makes it possible for advertisers
to restrict campaigns to specific regions, with accuracy and
flexibility not previously possible.�</p>
<p class="MsoNormal">AreaPoint� has the potential to
revolutionize the way certain advertisers reach their local
target market. For example, the technology may encourage the
spending of more political advertising dollars on interactive
media, as geographic targeting has, until now, been the most
difficult obstacle to overcome.</p>
<p class="MsoNormal">AreaPoint�..

IIS Version Disclosure

1 TOTAL | INFORMATION
Netsparker identified that the target web server is disclosing the web server's version in the HTTP response. This information can help an attacker to gain a greater understanding of the system in use and potentially develop further attacks targeted at the specific web server version.

Impact

An attacker can look for specific security vulnerabilities for the version identified through the SERVER header information.

Remediation

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /asp/application.asp

/asp/application.asp

http://www.bannerspace.com/asp/application.asp

Extracted Version

Microsoft-IIS/4.0

Request

GET /asp/application.asp HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: www.bannerspace.com
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Server: Microsoft-IIS/4.0
Date: Wed, 04 May 2011 20:10:16 GMT
P3P: CP="NOI DSP CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Type: text/html
Cache-control: private
Content-Length: 360


<font face="Arial" size=2><p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=2>error '80004005'</font><p><font face="Arial" size=2>[Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified</font><p><font face="Arial" size=2>/asp/application.asp</font><font face="Arial" size=2>, line 10</font>