SQL Injection, Open Redirection, Content Type Incorrectly Stated, a4.websitealive.com

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Report generated by XSS.CX at Wed Apr 20 17:26:18 CDT 2011.


XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.

XSS.CX Home | XSS.CX Research Blog
Loading

1. SQL injection

2. Open redirection

3. HTML does not specify charset

3.1. http://a4.websitealive.com/669/Visitor/vTracker_v2.asp

3.2. http://a4.websitealive.com/669/rRouter.asp

4. Content type incorrectly stated



1. SQL injection  next

Summary

Severity:   High
Confidence:   Firm
Host:   http://a4.websitealive.com
Path:   /669/Visitor/vTracker_v2.asp

Issue detail

The websiteid parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the websiteid parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:

Request

GET /669/Visitor/vTracker_v2.asp?websiteid=0'&groupid=669 HTTP/1.1
Host: a4.websitealive.com
Proxy-Connection: keep-alive
Referer: http://sofmen.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQQRCBD=PHALGAEBJLIFDCLHKNANKCID

Response

HTTP/1.1 500 Internal Server Error
Date: Wed, 20 Apr 2011 22:11:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: no-store, must-revalidate, private
Pragma: no-cache
P3P: CP="NOI DSP COR CURa OUR NOR"
Content-Length: 474
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Cache-control: private

<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for ODBC Drivers</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>[MySQL][ODBC 3.51 Driver][mysqld-4.1.22-community-nt]You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1</font>
...[SNIP]...

2. Open redirection  previous  next

Summary

Severity:   Low
Confidence:   Certain
Host:   http://a4.websitealive.com
Path:   /669/Visitor/vButton_v3.asp

Issue detail

The value of the icon_offline request parameter is used to perform an HTTP redirect. The payload http%3a//a440ed122e89695cc/a%3fhttps%3a//images.websitealive.com/images/hosted/upload/27061.png was submitted in the icon_offline parameter. This caused a redirection to the following URL:

Issue background

Open redirection vulnerabilities arise when an application incorporates user-controllable data into the target of a redirection in an unsafe way. An attacker can construct a URL within the application which causes a redirection to an arbitrary external domain. This behaviour can be leveraged to facilitate phishing attacks against users of the application. The ability to use an authentic application URL, targeting the correct domain with a valid SSL certificate (if SSL is used) lends credibility to the phishing attack because many users, even if they verify these features, will not notice the subsequent redirection to a different domain.

Issue remediation

If possible, applications should avoid incorporating user-controllable data into redirection targets. In many cases, this behaviour can be avoided in two ways:If it is considered unavoidable for the redirection function to receive user-controllable input and incorporate this into the redirection target, one of the following measures should be used to minimize the risk of redirection attacks:

Request

GET /669/Visitor/vButton_v3.asp?groupid=669&departmentid=0&w=400&h=400&icon_online=https%3A%2F%2Fimages%2Ewebsitealive%2Ecom%2Fimages%2Fhosted%2Fupload%2F27061%2Epng&icon_offline=http%3a//a440ed122e89695cc/a%3fhttps%3a//images.websitealive.com/images/hosted/upload/27061.png HTTP/1.1
Host: a4.websitealive.com
Proxy-Connection: keep-alive
Referer: http://sofmen.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 302 Object moved
Date: Wed, 20 Apr 2011 22:14:44 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: no-store, must-revalidate, private
Pragma: no-cache
P3P: CP="NOI DSP COR CURa OUR NOR"
Location: http://a440ed122e89695cc/a?https://images.websitealive.com/images/hosted/upload/27061.png?rnd=5%3A14%3A44+PM
Content-Length: 229
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="http://a440ed122e89695cc/a?https://images.websitealive.com/images/hosted/upload/27061.png?rnd=5%3A
...[SNIP]...

3. HTML does not specify charset  previous  next
There are 2 instances of this issue:

Issue description

If a web response states that it contains HTML content but does not specify a character set, then the browser may analyse the HTML and attempt to determine which character set it appears to be using. Even if the majority of the HTML actually employs a standard character set such as UTF-8, the presence of non-standard characters anywhere in the response may cause the browser to interpret the content using a different character set. This can have unexpected results, and can lead to cross-site scripting vulnerabilities in which non-standard encodings like UTF-7 can be used to bypass the application's defensive filters.

In most cases, the absence of a charset directive does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing HTML content, the application should include within the Content-type header a directive specifying a standard recognised character set, for example charset=ISO-8859-1.


3.1. http://a4.websitealive.com/669/Visitor/vTracker_v2.asp  next

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a4.websitealive.com
Path:   /669/Visitor/vTracker_v2.asp

Request

GET /669/Visitor/vTracker_v2.asp?websiteid=0&groupid=669 HTTP/1.1
Host: a4.websitealive.com
Proxy-Connection: keep-alive
Referer: http://sofmen.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQQRCBD=PHALGAEBJLIFDCLHKNANKCID

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 19:54:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: no-store, must-revalidate, private
Pragma: no-cache
P3P: CP="NOI DSP COR CURa OUR NOR"
Content-Length: 7775
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Cache-control: private


var embed_departmentid = '0';


// keep on page
function URLEncode(plaintext)
{
   // The Javascript escape and unescape functions do not correspond
   // with what browsers actually do...
   va
...[SNIP]...

3.2. http://a4.websitealive.com/669/rRouter.asp  previous

Summary

Severity:   Information
Confidence:   Certain
Host:   http://a4.websitealive.com
Path:   /669/rRouter.asp

Request

GET /669/rRouter.asp?groupid=669&websiteid=0&departmentid=0&dl=http%3A//sofmen.com/capabilities/business-applications HTTP/1.1
Host: a4.websitealive.com
Proxy-Connection: keep-alive
Referer: http://sofmen.com/capabilities/business-applications
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQQRCBD=PHALGAEBJLIFDCLHKNANKCID

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 19:59:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: no-store, must-revalidate, private
Pragma: no-cache
Content-Length: 617
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Cache-control: private


<!-- Functions Here -->

   <script language=javascript>
   
       var isInIFrame = (window.location != window.parent.location) ? true : false;
       
       if (!isInIFrame){
           parent.moveTo(100,100);
       
...[SNIP]...

4. Content type incorrectly stated  previous

Summary

Severity:   Information
Confidence:   Firm
Host:   http://a4.websitealive.com
Path:   /669/Visitor/vTracker_v2.asp

Issue detail

The response contains the following Content-type statement:The response states that it contains HTML. However, it actually appears to contain script.

Issue background

If a web response specifies an incorrect content type, then browsers may process the response in unexpected ways. If the specified content type is a renderable text-based format, then the browser will usually attempt to parse and render the response in that format. If the specified type is an image format, then the browser will usually detect the anomaly and will analyse the actual content and attempt to determine its MIME type. Either case can lead to unexpected results, and if the content contains any user-controllable data may lead to cross-site scripting or other client-side vulnerabilities.

In most cases, the presence of an incorrect content type statement does not constitute a security flaw, particularly if the response contains static content. You should review the contents of the response and the context in which it appears to determine whether any vulnerability exists.

Issue remediation

For every response containing a message body, the application should include a single Content-type header which correctly and unambiguously states the MIME type of the content in the response body.

Request

GET /669/Visitor/vTracker_v2.asp?websiteid=0&groupid=669 HTTP/1.1
Host: a4.websitealive.com
Proxy-Connection: keep-alive
Referer: http://sofmen.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.205 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDQQQQRCBD=PHALGAEBJLIFDCLHKNANKCID

Response

HTTP/1.1 200 OK
Date: Wed, 20 Apr 2011 19:54:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
cache-control: no-store, must-revalidate, private
Pragma: no-cache
P3P: CP="NOI DSP COR CURa OUR NOR"
Content-Length: 7775
Content-Type: text/html
Expires: Tue, 01 Jan 1980 06:00:00 GMT
Cache-control: private


var embed_departmentid = '0';


// keep on page
function URLEncode(plaintext)
{
   // The Javascript escape and unescape functions do not correspond
   // with what browsers actually do...
   va
...[SNIP]...

Report generated by XSS.CX at Wed Apr 20 17:26:18 CDT 2011.